In case of separated back-end and front-end applications - is it needed to authorize front-end to back-end?

5/27/2020

I am building a scalable application. Scalable for me means that the back-end (ASP.NET Core 3.1) and front-end (React) are separated. I am thinking about using Kubernetes to do that.
Let's say for instance that the back-end has authentication and authorization based on ASP.NET Core Identity using JWT, so a user can be registered and all registered users' data is saved in the database. Registration functionality is provided via the back-end's API endpoint /api/register.

    [HttpPost]
    [Route("register")]
    public async Task<IActionResult> Register([FromBody]User user)

Let's say I have each general functionality provided as an API endpoint. Then I want to access these endpoints in my front-end application, but I want to be sure that only my front-end application will access these API endpoints, so only my client app can access them. In the future I also want to write a mobile app accessing these endpoints, so I want to allow only "authorized" client apps to access my API. So, if someone writes his own client-side application and calls my API, it won't be possible.
Here comes the question: what is the best and professional way to do that? I know that in the appsettings.json file AllowedHosts can be defined, but is it the best way, and if so, how to do that safely? Is there any need to do that?

Maybe the question is not correct, but I think the problem has been described in an understandable way.

Thanks for your time in advance.

-- robert.s
asp.net
asp.net-core
authentication
kubernetes
reactjs

0 Answers
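The JWT-bearer setup the question describes, as an added example that is not from the question or any answer: every token is validated against the issuer, the signing key, its lifetime and its audience, and the audience ("aud") claim names the client app (web or mobile) the token was minted for, so the API can reject tokens issued for a client it does not know. The configuration keys Jwt:Issuer and Jwt:SigningKey, the audience names, and the RegisterRequest and AccountController types are assumptions made for this example.

```csharp
// Added example (not from the question): ASP.NET Core 3.1 Startup protecting API
// endpoints with JWT bearer tokens. Jwt:Issuer, Jwt:SigningKey, the audience names
// and the RegisterRequest/AccountController types are assumptions for illustration.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class RegisterRequest { public string Email { get; set; } public string Password { get; set; } }

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options => options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = _config["Jwt:Issuer"],
                // "aud" names the client app the token was issued for; a token minted for
                // an unlisted audience is rejected even when its signature is valid.
                ValidateAudience = true,
                ValidAudiences = new[] { "web-client", "mobile-client" },
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:SigningKey"]))
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController, Route("api")]
public class AccountController : ControllerBase
{
    [HttpPost, Route("register"), AllowAnonymous]   // registration must stay reachable without a token
    public IActionResult Register([FromBody] RegisterRequest request) => Ok();

    [HttpGet, Route("profile"), Authorize]          // every other endpoint requires a valid bearer token
    public IActionResult Profile() => Ok(User.Identity.Name);
}
```

AllowedHosts in appsettings.json only filters the HTTP Host header and cannot tell which client application sent a request; a bearer token bound to a user and to an audience is the check the API can actually enforce.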