How to implement Implicit Flow for Angular application using IdentityServer4

I have been reading the Quickstart from IdentityServer4 and still have some doubts on how to implement the Implicit flow for a SPA.

My setup is the following:

- IdentityServer4 as the token server
- An API that needs protection (using WebAPICore)
- A SPA using Angular

My question is simple: Is the login screen where the user enters username and password the one provided by IdentityServer or is the Angular app providing this login window? If we are to use the login window provided by IdentityServer, is it best practice to just redirect to it, or should it be displayed inside an iframe in the Angular app?



Solution 1:[1]

If using implicit (or any other browser based flow like hybrid or authorization code) then the login UI lives on the IDP and you'll be doing a full browser redirect to perform interactive authentication. Once an IDP session has been established the access token used to call your backend can be refreshed silently in the background.

It's also worth noting that implicit flow for JavaScript clients has been deprecated now and you should use hybrid with PKCE. The latest build of oidc-client-js supports hybrid out of the box as well as automatic silent token renewal and session monitoring.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 mackie