
Recently we decided to create a new application and do it the right way with authentication. This might be a stupid question, but since we did everything the old way with very limited authentication, the whole authentication topic is a bit unclear to me. We have a front-end application built in ReactJS with Visual Code and created an API which handles database calls/logic (CRUD).

After reading multiple documents about authentication, we currently have the following issue, and I am wondering what is the best practice.

We want to use Microsoft as an external provider for our authentication. A developer responsible for the front-end has figured out how to authenticate at the Microsoft provider and successfully receive a token back (all done in the React front-end using a library called Hello.js; https://adodson.com/hello.js/). The idea is to use this token (received in the front-end) also for our API.

Something tells me however this is not the proper way and we are better off handling the authentication in the API itself. After reading some more at https://oauth.net/articles/authentication/ this sorta gets confirmed (as far as I can see with the above solution with Hello.js we are missing the 'fudge').

Another interesting thing which I've read about is using a token service for handling authentication, like Identityserver4.

Although I think the second option, using IdentityServer4, is a better practice, I can't exactly pin down why that is and why the first is not best practice for handling authentication. I hope someone could elaborate more on this. Perhaps I am totally wrong and the first way is perfectly fine?

1 Answer

My personal choice would be to have your own secure token service (IdentityServer4) and have that then authenticate against Microsoft. This gives you much more control, and your app is not then directly coupled to an external provider. OpenID Connect addresses the issues with OAuth2 authentication (or lack thereof), so it is an excellent fit for this problem.

It does increase the scope of work significantly, however, and it's probably not worth it if you'd only ever use it with a single app or have no intention to support alternative ways of authenticating in the future.
