Tags: javascript, access-token, implicit, identityserver3

Implicit flow & identity Server 3: Is it possible to grant a JavaScript client an access token without having the user log in?


I have a public API that I want to secure using Identity Server 3.

I have an MVC application and a JavaScript application, and I want to ensure that only these clients can access the API regardless of Users / Resource Owners being logged in or identified. This is easy to do using the client credentials flow in the MVC app but does not seem possible using the implicit flow. (http://oauthlib.readthedocs.io/en/latest/oauth2/grants/implicit.html) <- relies on the resource owner being identified.

Does anyone know if this is possible? I'm using the oidc-token-manager.

Thanks much.

M.


Solution

  • You can only securely rely on the identity of the client if the client is "confidential". That means the client can securely store its client secret.

    This is true for server-based applications (e.g. client creds flow server to server, or a code based flow invoked by a server).

    This is not possible for clients that are outside of your "control" like SPAs or desktop/mobile apps.

    IdentityServer always includes a client_id claim - but the above caveat applies.