SPA and API security without user loging

Question

I'm struggling with how to secure an angular SPA. I have a set of APIs that do not require a user login (ecommerce site that you can view products - you don't need to be logged in to see the items).
I have another website that does require a login and uses APIs and I have both of these applications secured using Azure ADB2C - this is the authentication flow with PCKE.

I was looking at Azure AD for securing Daemon apps using client secrets or certificates - credentials flow. In my research, any website says not to use client secrets with SPAs. Even though the API does not require a user login, I still want to ensure only my website can connect to it. But could I not use a certificate to secure the SPA. I can't find any examples of this anywhere.

Any guidance on how I can secure my API which doesn't require a user login and only my SPA can call it.

Thanks

Answer 1

@Ann R While researching about this, I found a 3rd party link : https://damienbod.com/2020/10/01/implement-azure-ad-client-credentials-flow-using-client-certificates-for-service-apis/ which might help you with setting up the app with the Client credential flow with certificates.

Please have a look and let us know if this helps you.

Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.