IdentityModel / AuthorizationServer

Sample implementation of an OAuth2 Authorization Server

Bearer token from server side mvc to clientside javascript? #127

Closed WilliamDoman closed 10 years ago

WilliamDoman commented 10 years ago

I'm still trying to figure out the flows, but is it possible to send down the bearer token from the server side, acquired by resource owner password flow, to be used by JavaScript AJAX requests from the client?

To be a little more clear, I have an MVC site that has server side controller/view pages and, in many parts, heavy JavaScript/AJAX against Web API 2 functionality. (No control over this.) If they log in and get a bearer token on the server side, what would be the best practice for the AJAX getting a bearer token? I don't want to collect username/password in the JavaScript, and I want the user experience to seem seamless. Looking at the ImplicitFlow JavaScript example, it has redirects to get the token. I'm not sure how that would work with many pages needing the token.

Any advice?

Thanks

brockallen commented 10 years ago

You mean like this: https://github.com/thinktecture/Thinktecture.AuthorizationServer/issues/118

leastprivilege commented 10 years ago

Of course you can transmit the token to the JavaScript - if you are OK that this "lives" on the client - e.g. in terms of lifetime.

WilliamDoman commented 10 years ago

I'm sorry, I need a tiny bit more detail. I don't really understand the mechanics or the consequences of these choices.

From #118

1) The code flow access token could be shared with the JS. This sort of breaks the higher level of security that code flow is meant to ensure, though.

2) The implicit flow access token in the JS could be shared with the server.

3) Look into the assertion flow, except this involves more round trips to the AS (which is what you wanted to avoid, I think).

4) Do what you originally said -- obtain two access tokens via the two flows.

1. Would you just write the token down in a hidden field or return it in some sort of controller response? It's just JSON, right? That simple? How would refreshing the token work?
2. How would you post it back up without a form post? In other words, navigating from a heavy JS page back to a server side MVC page without a form post, how do you get the token into session?
3. I'll try to follow the two blog posts on assertions and see if I can follow.
4. Was trying to avoid lots of redirects and multiple logins, but if this is fast, seamless and only requires one login, I'm OK with that too.

brockallen commented 10 years ago

1) Sure -- you'd get it back to the JS somehow.

2) Again, if the server has it then any HTML response to the browser would need to carry the token.

3) I guess assertion is too much work for most people. Doing the token sharing server-to-client might just be easiest for most people.

4) Yep, doing two formal requests with the two diff flows might also work (for your requirements, I mean).
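
The client side of option 1 (the server hands the access token it obtained to the page's JavaScript, which sends it as a bearer token on AJAX calls), as an added example that is not code from this issue or from AuthorizationServer: the token JSON embedded in the HTML is a constructed sample, the script tracks the token's lifetime from `expires_in` as leastprivilege cautions, and when it is close to expiry it asks a hypothetical same-origin endpoint (`/token/renew`, an assumption) for a fresh one so the refresh token itself stays on the server.

```javascript
// Constructed sample of the token JSON the MVC server obtained via the resource
// owner password flow and wrote into the page (e.g. into a data attribute).
const EMBEDDED_TOKEN_JSON =
  '{"access_token":"example.access.token","token_type":"Bearer","expires_in":3600}';

// Turn the token JSON into an object with an absolute expiry (ms since epoch);
// `now` is a parameter so the lifetime logic can be tested deterministically.
function parseTokenResponse(json, now = Date.now()) {
  const t = JSON.parse(json);
  if ((t.token_type || '').toLowerCase() !== 'bearer') {
    throw new Error('unsupported token_type: ' + t.token_type);
  }
  return { accessToken: t.access_token, expiresAt: now + t.expires_in * 1000 };
}

// The token "lives" in the browser only as long as the server said it would;
// renew a little early (skewMs) so an in-flight request does not hit a 401.
function isExpiringSoon(token, now = Date.now(), skewMs = 30000) {
  return token.expiresAt - now <= skewMs;
}

// Authorization header for the Web API calls; never send a dead token.
function bearerHeader(token, now = Date.now()) {
  if (token.expiresAt <= now) throw new Error('access token expired');
  return { Authorization: 'Bearer ' + token.accessToken };
}

// Keeps the current token in memory (not localStorage) and renews it through the
// server. `renew` and `clock` are injectable so the client runs without a network.
function createTokenClient(initialJson, renew, clock = Date.now) {
  let token = parseTokenResponse(initialJson, clock());
  return {
    current: () => token,
    async fetch(url, fetchImpl, init = {}) {
      if (isExpiringSoon(token, clock())) {
        token = parseTokenResponse(await renew(), clock());
      }
      const headers = { ...(init.headers || {}), ...bearerHeader(token, clock()) };
      return fetchImpl(url, { ...init, headers });
    },
  };
}

// Assumed server endpoint (not from the thread) that uses the refresh token it
// holds in the user's session and returns fresh access token JSON.
async function renewViaServer() {
  const res = await fetch('/token/renew', { method: 'POST', credentials: 'same-origin' });
  return res.text();
}
```

In a page, `createTokenClient(EMBEDDED_TOKEN_JSON, renewViaServer)` would be created once and its `fetch` used for every Web API call, passing `window.fetch` as `fetchImpl`.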

WilliamDoman commented 10 years ago

I'll play with the different scenarios.

Thanks