Pass OpenID Connect OAuth2 bearer token in header

Background

I have implemented Thinktecture.IdentityServer.V3 (the OpenID Connect one). I have an OAuth2 token returned to my client by JavaScript (implicit flow) in the form:

{
  "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
  "token_type": "Bearer",
  "expires_in": "3600",
  "scope": "openid profile read write email",
  "state": "1299139105028949"
}


but in all the examples they only pass the access_token to the resource provider when calling the service.

$.ajax({
    url: 'http://localhost:2727/Account/123/Get',
    headers: {
        Authorization: "Bearer " + $scope.response.access_token
    }
});

Assumption

If that succeeds, I authenticate with the access token. Then I log in based on the claims in the id_token (I don't want to make a separate DB call - I want it to be completely autonomous).

Question

How do I pass this information to my webapi2 endpoint via ajax (assuming I have configured CORS, etc.) and what middleware will I need to hook into to test it? (I am assuming one of the token and requestManager validators, but there are so many out there that I cannot decide which one is appropriate).

Help greatly appreciated.

+3




2 answers


The id_token is for the client. It must be verified by the client (or by the identity token validation endpoint in idsrv if the client does not have the required cryptographic libraries). Subsequently, you use the access token to access the resource.



+3




You seem to be using AngularJS, so you can use the $http service to set the token in the header.

For example:

$http.post("/login", credentials).then(function (response) {
    // response.data holds the token response. $httpProvider is only available in a
    // config block, so at run time the default header is set on $http itself.
    $http.defaults.headers.common["Authorization"] = "Bearer " + response.data.access_token;
});

You must do this once per session.



UPDATE

With jQuery, something like this:

// This represents the token response you got after login
var authToken = {
    "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
    "token_type": "Bearer",
    "expires_in": "3600",
    "scope": "openid profile read write email",
    "state": "1299139105028949"
};

$.ajax({
    url: "http://localhost:2727/Account/123/Get",
    type: "get",
    dataType: "json",
    beforeSend: function (request) {
        // only the access_token is sent to the resource server; the id_token stays on the client
        request.setRequestHeader("Authorization", authToken.token_type + " " + authToken.access_token);
    }
});

+1
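As an added example (not code from either answer, nor from IdentityServer), the following script does the client-side part the two answers describe: it parses the id_token, checks the claims a client must verify before logging the user in from them, and builds the Authorization header from the access_token only. The issuer URL, client id, nonce, timestamps and the token itself are constructed fixtures; signature verification is left to a JOSE library and the IdentityServer signing key, as the first answer notes.

```javascript
// Decode one base64url segment of a compact JWS (no padding, "-"/"_" alphabet).
function base64UrlDecode(segment) {
  var s = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (s.length % 4 !== 0) s += "=";
  return typeof Buffer !== "undefined" ? Buffer.from(s, "base64").toString("utf8") : atob(s);
}
function base64UrlEncode(text) {
  var b64 = typeof Buffer !== "undefined" ? Buffer.from(text, "utf8").toString("base64") : btoa(text);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// Split header.payload.signature and parse the two JSON parts. The signature is
// returned as-is: verifying it needs a JOSE library plus the IdentityServer signing key.
function parseJwt(token) {
  var parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a 3-segment compact JWS");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2]
  };
}
// Claim checks a client must make before trusting the id_token for login
// (OpenID Connect Core, ID Token Validation). Returns the list of failures.
function checkIdTokenClaims(payload, expected, nowSeconds) {
  var problems = [];
  if (payload.iss !== expected.issuer) problems.push("iss mismatch");
  var aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (aud.indexOf(expected.clientId) === -1) problems.push("aud does not contain client_id");
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) problems.push("token expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) problems.push("token not yet valid");
  if (payload.nonce !== expected.nonce) problems.push("nonce mismatch");
  return problems;
}
// Header value for the resource server: only the access_token, never the id_token.
function authorizationHeaderFor(tokenResponse) {
  if (String(tokenResponse.token_type).toLowerCase() !== "bearer") {
    throw new Error("unsupported token_type: " + tokenResponse.token_type);
  }
  return "Bearer " + tokenResponse.access_token;
}
// Constructed fixture (issuer, client id, nonce and times are made up; the
// signature segment is a placeholder, so this token cannot be verified).
var SAMPLE_PAYLOAD = { iss: "https://idsrv.example/core", aud: "implicitclient", sub: "818727",
  nbf: 1700000000, exp: 1700003600, nonce: "n-0S6_WzA2Mj", name: "Alice" };
var SAMPLE_ID_TOKEN = base64UrlEncode(JSON.stringify({ typ: "JWT", alg: "RS256" })) + "." +
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)) + ".placeholder-signature";
var EXPECTED = { issuer: "https://idsrv.example/core", clientId: "implicitclient", nonce: "n-0S6_WzA2Mj" };
```

Run `checkIdTokenClaims(parseJwt(idToken).payload, EXPECTED, Math.floor(Date.now() / 1000))` on the real id_token and only log the user in when it returns an empty list and the signature has been verified separately.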


