This article shows a strategy for security multiple APIs which have different authorization requirements but the tokens are issued by the same authority.  Auth0 is used as the identity provider. A user API and a service API are implemented in the ASP.NET Core API project. The access token for the user API data is created using an  Open ID Connect Code flow with PKCE authentication and the service API access token is created using the client credentials flow in the trusted backend of the  Blazor application. It is important that both access tokens will only work for the intended API.

Code:  https://github.com/damienbod/SeparatingApisPerSecurityLevel

Setup

The projects are setup to use a Blazor WASM application hosted in ASP.NET Core secured using the Open ID Connect code flow with PKCE and the BFF pattern. Cookies are used to persist the session. This application uses two separate APIs, a user data API and a service API. The access token from the OIDC authentication is used to access the user data API and a client credentials flow is used to get an access token for the service API. Auth0 is setup using a regular web application and an API configuration. A scope was added to the API which is requested in the client application and validated in the API project.

#.net core #security #bearer #blazor #wasm