AJAX calls inside MVC and Identity Server

I'm playing with Thinktecture IdentityServer3 and really want to use it as the product looks great. However, I don't quite understand how to execute my flow, which is probably quite common:

  • Create an Identity Server using the implicit flow
  • Setting up an MVC website
  • Configuring a separate web API

So far so good, as shown in the examples on the site. Now I want to call the API directly with AJAX calls, but for that I need an access token. It looks like a lot of overhead has to be routed through the MVC site (again, in the examples).

How can I execute this flow? Will this essentially mix the MVC and JavaScript Client samples, or is there a smoother way so the user only has to log in once? Possibly send an access token to a hidden field, but how will it update?

Any help understanding this would be great.

+3

2 answers


I was able to find a solution that seems to work, but I'm not sure if this is best practice ...

  • Expose a method on the MVC site at AJAX/AccessToken
  • The method must be protected with the Authorize attribute to ensure that the MVC portion of the site is correctly authenticated with the IdentityServer
  • The method returns a custom access token that was generated with the above call using MVC controllers.
  • In JavaScript, just use this endpoint to get an access token and then manually call the API.
  • The call to get the access token must be secure, as it is in the same domain / authentication model as the MVC site itself


I have offered a sample for anyone interested: OIDC-Website

+3
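A browser-side helper for the pattern in the answer above, added here as an example and not taken from the linked OIDC-Website sample: it fetches the token from the MVC endpoint using the existing authentication cookie, caches it until shortly before its exp claim, and attaches it as a bearer header when calling the separate web API. The AJAX/AccessToken path comes from the answer; the JSON response shape `{ access_token: "..." }`, the function names and the injectable `fetchImpl`/`now` parameters are assumptions.

```javascript
// Added example (not from the original answer or its sample project).
// Assumed: the [Authorize]-protected MVC endpoint at /AJAX/AccessToken
// returns JSON { access_token: "<jwt>" }.
const TOKEN_ENDPOINT = "/AJAX/AccessToken";
const SKEW_SECONDS = 30; // re-fetch this long before the token expires

// Read the exp claim from a JWT payload. No signature check is done here:
// the web API validates the token; the browser only needs exp for caching.
function jwtExpiry(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return 0;
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  while (b64.length % 4) b64 += "=";
  try {
    const json = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
    const exp = JSON.parse(json).exp;
    return typeof exp === "number" ? exp : 0;
  } catch (e) {
    return 0;
  }
}

// Builds a client that caches the access token and refreshes it on demand.
// fetchImpl and now are injectable so the logic can be exercised offline.
function createApiClient(fetchImpl = globalThis.fetch, now = () => Date.now() / 1000) {
  let cached = null; // { token, exp }

  async function getAccessToken() {
    if (cached && cached.exp - SKEW_SECONDS > now()) return cached.token;
    // The MVC cookie authorises this call, so it must go to the same origin.
    const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: "include" });
    if (res.status === 401) throw new Error("MVC session expired; user must sign in again");
    if (!res.ok) throw new Error("token endpoint returned " + res.status);
    const body = await res.json();
    cached = { token: body.access_token, exp: jwtExpiry(body.access_token) };
    return cached.token;
  }

  // Calls the web API with the bearer token only; the MVC cookie is not sent.
  async function callApi(url, init = {}) {
    const token = await getAccessToken();
    const headers = Object.assign({}, init.headers || {}, { Authorization: "Bearer " + token });
    return fetchImpl(url, Object.assign({}, init, { headers, credentials: "omit" }));
  }

  return { getAccessToken, callApi };
}
```

Because the implicit flow issues no refresh token, a 401 from the MVC endpoint means the user has to sign in again rather than the script silently renewing anything.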

Take a look at the form mail client to see that the endpoints are being called explicitly. To get an access token, you need to call the token endpoint.

You should be able to use these endpoints in your AJAX calls, store the received claims and tokens in a cookie, and fetch them from there.
Note that in order to refresh the access token, you will also need to save the refresh token. Implicit flow does not allow tokens to be refreshed (you need to use authorization code flow or hybrid flow).

+1