I'm currently building an auth server using Identity Server 4 with a SPA (React) application that authenticates against it. I would now like to also take another application that is in current existence (this is ASP.NET MVC 5, targets .NET 4.5, currently uses ASP.NET Identity 2 management classes for managing users and sign-out/sign-in using cookie authentication) and update it so that it can log in externally with this new auth server (so a user can log in using the existing authentication, but also use this auth server now, so that a user session could be shared between this existing app and this other SPA app). The problem, as I understand it, is that we need to use PKCE to authenticate with the auth server, but there doesn't appear to be a way to do this with the MVC 5 app. I can install the Microsoft.Owin.Security.OpenIdConnect package, but it doesn't allow for using PKCE since this is a newer thing (apparently if you target .NET 4.6.1 there is a way to make that work with that version of the OpenIdConnect package). I can't change our target; it needs to stay .NET 4.5 (to upgrade to 4.6.1 or higher would cause all kinds of problems with the build and current packages; it would be a larger undertaking than my organization is willing to take on at this time). Is there a way that anyone knows of to make this work using an ASP.NET MVC 5 app that targets .NET 4.5 and an auth server that uses Identity Server 4? Would the only way be to use a GrantType.Implicit flow instead of requiring PKCE with a GrantType.Code, and would that even be advised now?
Thanks!
In this case you are dealing with 2 clients, the SPA app and the ASP.NET MVC app, and each client can have its own flow (grant type). We can use authorization code flow with PKCE for the SPA app, and implicit flow for the ASP.NET MVC app.
PKCE is suggested for interactive applications:
1. a front-channel step via the browser where all "interactive" things happen, e.g. login page, consent etc. This step results in an authorization code that represents the outcome of the front-channel operation.
2. a back-channel step where the authorization code from step 1 gets exchanged for the requested tokens. Confidential clients need to authenticate at this point.
The MVC app you described is just doing authentication, so no worries, it's fine to use implicit.
I have a post for implementing it here
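The two-client setup described above, written out as an added example (this is not the answerer's post and not IdentityServer's own sample code). The first part registers both clients on the IdentityServer 4 side: the React SPA as a public client on the authorization code flow with PKCE, and the MVC 5 app on the implicit flow requesting only an id_token. The second part is the OWIN startup for the .NET 4.5 MVC 5 app using Microsoft.Owin.Security.OpenIdConnect, which can drive the implicit flow without PKCE support. Client IDs, hostnames and redirect URIs are placeholders I made up; the `api1` scope is assumed to exist on the server.

```csharp
// ---- Part 1: IdentityServer 4 client configuration (auth server project) ----
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<Client> GetClients() => new List<Client>
    {
        // Public SPA client: browser-side code, so no client secret; PKCE binds
        // the authorization code to the party that started the request.
        new Client
        {
            ClientId = "spa",                       // assumed client id
            ClientName = "React SPA",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://spa.example.test/callback" },            // placeholder
            PostLogoutRedirectUris = { "https://spa.example.test/" },          // placeholder
            AllowedCorsOrigins = { "https://spa.example.test" },               // placeholder
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"                               // assumed API scope
            }
        },
        // Legacy MVC 5 client on .NET 4.5: implicit flow, id_token only.
        // It only needs to authenticate the user, so no access token is requested
        // and AllowAccessTokensViaBrowser stays at its default (false).
        new Client
        {
            ClientId = "mvc",                       // assumed client id
            ClientName = "ASP.NET MVC 5 (.NET 4.5)",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequirePkce = false,                    // PKCE only applies to code-based flows
            RedirectUris = { "https://mvc.example.test/signin-oidc" },         // placeholder
            PostLogoutRedirectUris = { "https://mvc.example.test/" },          // placeholder
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        }
    };
}

// ---- Part 2: OWIN startup for the MVC 5 app (Microsoft.Owin.Security.OpenIdConnect) ----
using System.Web.Helpers;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MvcApp.Startup))]
namespace MvcApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The anti-forgery token must key off a claim the id_token actually carries.
            AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";

            // Local session cookie; the OIDC middleware signs into this scheme.
            app.SetDefaultSignInAsAuthenticationType("Cookies");
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies"
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "oidc",
                Authority = "https://auth.example.test",       // placeholder IdentityServer URL
                ClientId = "mvc",
                RedirectUri = "https://mvc.example.test/signin-oidc",
                PostLogoutRedirectUri = "https://mvc.example.test/",
                ResponseType = "id_token",                      // implicit flow, identity only
                Scope = "openid profile",                       // space-separated in OWIN
                SignInAsAuthenticationType = "Cookies",
                UseTokenLifetime = false,                       // keep the app's own cookie lifetime
                // Default protocol validator requires and checks the nonce, which is what
                // protects the front-channel id_token from replay; leave it enabled.
                AuthenticationMode = AuthenticationMode.Active
            });
        }
    }
}
```

The two parts live in different projects; they are shown together only so the redirect URI, client id and scopes can be seen to match on both sides. The `RedirectUris` entry registered on the server must equal the `RedirectUri` the MVC app sends exactly, because IdentityServer rejects unregistered redirect targets.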