Some experts say that the resource owner flow is a bad practice for authentication (Scott Brady of the IdentityServer team, for example).

Why does Microsoft use the resource owner flow as the default flow in ASP.NET Core 3.0?

Is it safe to use the resource owner flow?

When should it be used, and when not?
No, the new Angular template (the Individual authentication template) doesn't use the resource owner flow. In fact, it uses the Auth Code Flow + PKCE (Proof Key for Code Exchange), which is already the official recommendation for native applications and SPAs. You can use Fiddler to trace the authentication requests.

Login request to the authorize endpoint:

Check the code_challenge and code_challenge_method; that is the code flow with PKCE. Also see the token request:

Notice the grant_type.

In Code Flow + PKCE:

In place of the client_secret (in the normal code flow), the client app creates a random value, code_verifier, which it hashes and encodes as a code_challenge.

The Authorization Server stores the hashed value (the Code Challenge) for later verification and, after the user authenticates, redirects back to the app with an authorization code.

The app makes the request to exchange the code for tokens, only it sends the Code Verifier instead of a fixed secret.
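The three PKCE steps described in the answer, as an added example that is not part of the original answer and not ASP.NET Core Identity's own code: the client derives a code_challenge from a random code_verifier, a constructed toy authorization server stores the challenge with the issued code, and the token endpoint only releases a token if the presented verifier hashes to the stored challenge. The server class and the run_code_flow_with_pkce helper are assumptions for illustration.

```python
import base64
import hashlib
import secrets

def b64url_no_pad(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def generate_code_verifier(num_bytes: int = 48) -> str:
    # 48 random bytes -> 64 unreserved characters (RFC 7636 allows 43..128).
    return b64url_no_pad(secrets.token_bytes(num_bytes))

def code_challenge_from_verifier(verifier: str, method: str = "S256") -> str:
    # S256 = base64url(SHA-256(verifier)); "plain" sends the verifier itself.
    if method == "S256":
        return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")

class AuthorizationServer:
    """Toy PKCE-aware authorization server (constructed model, not ASP.NET Core's)."""
    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge, method)

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        # Store the challenge with the issued code; the real server then redirects.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        expected = code_challenge_from_verifier(code_verifier, entry[2])
        if not secrets.compare_digest(expected, entry[1]):
            return None  # verifier does not match the stored challenge
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_code_flow_with_pkce(server, client_id, tamper=False):
    # The SPA keeps code_verifier in memory and sends only its hash up front.
    verifier = generate_code_verifier()
    code = server.authorize(client_id, code_challenge_from_verifier(verifier))
    presented = generate_code_verifier() if tamper else verifier
    return server.token(client_id, code, presented)
```

With tamper=True the helper models a party that intercepted the authorization code but never held the verifier: the token endpoint refuses, which is the property the Angular template relies on instead of a client_secret.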