We are currently creating an online store as an application SPA. All SKU information is provided by the service Web Api 2.
Of course, the online store is accessible to every visitor, and currently there is only one user who can log in to manage the online store: the administrator.
For the administrator, we built basic authentication using a token bearer, as many samples on the Internet show, but now we need each user to register before they can see any product. Not exactly what we mean for a web store ;-)
What we would like to implement is that our web Api is not available to the whole world, but only to our SPA application. Each blog post or authorization tutorial seems to suggest that there is always a user who needs to log in, in our case there is only one user: the administrator.
The attribute AllowAnonymousmakes API calls again accessible to the world, so this is also a dead end.
It basically boils down to preventing any other applications (web or mobile) to extract data from our web api.
What would be the best and most secure approach for securing our web api without anonymous visitors to our online store to log in?
: 100% , . OAuth Implicit flow CORS .