Question Can I create my own UI project for Identity pages?

[gustavofn-kula]

First of all, this is more like an architecture and management question, I'm building a SSO Server with Microsoft Identity + OpenIdDict, but I wanted to create a separated react/nextjs front end for the SSO, since all our front end projects and code are in nextjs, making it easier for the team to manage the SSO UI.

Is it a great choice? Or due to security protocols should I really stick with the MVC front end?

I'm expecting some guidance to understand if I'm going to face security and architecture bad practices and what should I be concerned with.

 

[Skydiver]

The OpenID security protocols themselves are UI agnostic, other than needing some kind of web based UI interaction for the more common authentication/authorization flows. (There are other flows which can skip using an interactive UI as I recall.)

What makes you think that you need to stick with an MVC front end? Is is because the demo or how-to code happened to be MVC based?

Personally, the main thing I would be concerned about if I deviated from something that was running on the server to something that was running on the client would be can I guarantee the security on the client? What is to prevent malware sitting on the user's machine from harvesting any sensitive authentication data or auth tokens?

 

[gustavofn-kula]

I was thinking about sticking since I didn't found any demos or samples otherwise, leading me to think it was a bad choice.
But I would only do a different front end to handle Indentity scaffold pages, wouldn't migrate any logic or service.

 

[Skydiver]

As I recall, React is also uses the MVC pattern, just a different implementation of the pattern. I assume that you specifically mean ASP.NET MVC that you are planning on sticking with.

 

[cjard]

You might choose to leverage the custom options MS offer for making the auth flow UI look like your own brand instead; it's easier, and really quite "set and forget"