Terminate OpenIDConnect auth on request via Ajax
A regular OpenIDConnect flow works like this:
- You browse to a.com/secure-resource
- You get a 302 back from the server; your browser processes it and sends you to the identity server
- You go there
- It sends you back to a.com through a POST
- You are logged in to a.com and get a.com/secure-resource in your browser.
However, I have a scenario that I am trying to solve, and I need your help.
- The user is already logged in to idServer
- The user is logged in to a.com
- The user is NOT logged in to b.com
- We need to send an Ajax call to the web server b.com (from a different domain, a.com)
- b.com is configured to use OpenIDConnect.
- But since the request to b.com is made through Ajax, the user cannot be redirected normally to idServer (all we get in return is a 302).
We can go ahead and handle 302s via Ajax (I'm still not sure if this will work, securely).
BUT
Is there any script in IdentityServer / OpenIDConnect that addresses these situations?
+3
1 answer
With IdentityServer in this scenario you configure the server b.com to use bearer token authentication; then you need to use the access token provided for a.com in the headers of your Ajax call:

    // accessToken is a placeholder for the access token you retrieved from the identity server
    $.ajax({
        url: 'http://b.com',
        headers: {
            Authorization: "Bearer " + accessToken
        }
    });
The JavaScript IdentityServer client samples have ways to retrieve the token from the identity server, see here.
In a controller, you can get the user and the token like this:

    using System.Linq;
    using System.Security.Claims;

    // Get the claim values from the authenticated user
    var token = (User as ClaimsPrincipal).Claims
        .Where(c => c.Type == "access_token")
        .Select(c => c.Value).SingleOrDefault();
In other parts of the application, you can use this:

    using System.Linq;
    using System.Security.Claims;
    using System.Threading;

    // Get the current claims principal
    var identity = (ClaimsPrincipal)Thread.CurrentPrincipal;
    // Get the claim values (the claim type is "access_token", as in the controller snippet)
    var token = identity.Claims.Where(c => c.Type == "access_token")
        .Select(c => c.Value).SingleOrDefault();
+3
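As an added example (not code from the original post or from IdentityServer), here is the client side of the approach the answer describes: the call to b.com carries the bearer token, and a 401 or a login redirect is reported to the caller instead of being followed, since an Ajax request cannot complete an interactive login at the identity server. It assumes the token was already retrieved from the identity server, that b.com is configured for bearer auth, and uses a constructed stand-in for b.com (fakeBcomFetch, FAKE_VALID_TOKEN) so it runs offline; in the browser you would pass window.fetch instead.

```javascript
// Added example, not from the original post. Assumes the access token was already
// retrieved from the identity server and that b.com's API is configured for bearer
// auth, so it answers 401 rather than 302 when the token is missing or rejected.

function buildAuthHeaders(accessToken) {
  if (!accessToken) {
    throw new Error("no access token; acquire one from the identity server first");
  }
  return { Authorization: "Bearer " + accessToken, Accept: "application/json" };
}

// Turns an HTTP response into a result the caller can act on. A 302 (or the
// opaque redirect fetch reports with redirect: "manual") is flagged instead of
// followed, because an Ajax call cannot complete an interactive login.
function classifyResponse(response) {
  if (response.status === 200) return { status: "ok" };
  if (response.status === 401) {
    return { status: "unauthenticated", reason: "bearer token missing, expired or rejected" };
  }
  if (response.status === 302 || response.type === "opaqueredirect") {
    return { status: "unauthenticated", reason: "server redirected to a login page; cannot follow via Ajax" };
  }
  return { status: "error", reason: "unexpected HTTP " + response.status };
}

// fetchImpl is window.fetch in the browser; it is injected so the example runs offline.
async function callProtectedApi(url, accessToken, fetchImpl) {
  const response = await fetchImpl(url, {
    method: "GET",
    headers: buildAuthHeaders(accessToken),
    redirect: "manual", // never silently follow a redirect to the identity server
  });
  const result = classifyResponse(response);
  if (result.status === "ok") result.data = await response.json();
  return result;
}

// Constructed stand-in for b.com that mimics bearer validation (sample values, not real).
const FAKE_VALID_TOKEN = "token-issued-for-b-api";
function fakeBcomFetch(url, init) {
  const auth = ((init && init.headers) || {}).Authorization || "";
  if (auth === "Bearer " + FAKE_VALID_TOKEN) {
    return { status: 200, type: "basic", json: () => ({ resource: "secure-resource", user: "alice" }) };
  }
  if (auth.startsWith("Bearer ")) return { status: 401, type: "basic", json: () => ({}) };
  // No bearer header at all: a cookie/redirect setup answers with a login redirect.
  return { status: 302, type: "opaqueredirect", json: () => ({}) };
}
```

callProtectedApi("http://b.com/api", FAKE_VALID_TOKEN, fakeBcomFetch) resolves to { status: "ok", data: {...} }, while a wrong token yields status "unauthenticated" with no redirect attempted.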