Securing a Blazor WebAssembly hosted application


I'm developing a Blazor WASM hosted application and have some questions on how to properly secure it.

The idea is that users will authenticate using an external identity provider (OpenIDConnect/PKCE); however, I do not have access to the identity provider to change its configuration. The app is able to authenticate users with the Microsoft.AspNetCore.Components.WebAssembly.Authentication library, but I'm unable to secure my API.

Since I cannot change the IP's configuration to include access to my API in the access token, what options do I have? Do I have to use IdentityServer? Can I use this (https://identityserver4.readthedocs.io/en/latest/topics/signin_external_providers.html) even though the external IP the app is using is not listed among the external providers (Google etc.)? How can I secure my API?

Thanks in advance!


There is 1 answer

1
Nicola Biada On

I think you cannot achieve your request without access to the external provider.
This is due to the fact that you need a ClientId and a ClientSecret from your external provider inside the configuration of your Server app (where your web APIs reside).
And your external identity provider has to be configured with an authorized redirect URI to your page, something like https://localhost:5001/signin-openid (probably this works at the moment).

All these configurations have to be done inside your external OpenID provider.
You don't need ID4 for this kind of configuration; ASP.NET Identity is enough for it.
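
As an added illustration of the server-side setup this answer describes (not the answer author's code): a Server project `Program.cs` that takes the ClientId and ClientSecret issued by the provider, uses the `/signin-openid` callback, and answers unauthenticated API calls with 401 instead of a login redirect. The `Oidc:*` configuration keys and the `/api` route prefix are assumptions, and .NET 6+ minimal hosting is assumed.

```csharp
// Program.cs of the Server project. "Oidc:*" keys and the "/api" prefix are
// hypothetical names chosen for this example; the values come from the provider.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services
    .AddAuthentication(options =>
    {
        // The session lives in a server-issued cookie; OIDC is only the challenge.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;                          // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = builder.Configuration["Oidc:Authority"];
        options.ClientId = builder.Configuration["Oidc:ClientId"];
        // Keep the secret out of source control (user-secrets, environment, vault).
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";           // authorization code flow
        options.UsePkce = true;
        options.CallbackPath = "/signin-openid"; // must match the URI registered at the provider
        options.Events = new OpenIdConnectEvents
        {
            // API callers get a 401 status rather than a redirect to the login page.
            OnRedirectToIdentityProvider = context =>
            {
                if (context.Request.Path.StartsWithSegments("/api"))
                {
                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    context.HandleResponse();
                }
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers().RequireAuthorization(); // every controller requires a signed-in user
app.Run();
```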