IdentityModel / oidc-token-manager

Apache License 2.0

MVC / angular app seed initial oidc token manager with id_token #70

Closed gilm0079 closed 6 years ago

gilm0079 commented 7 years ago

I have an app/site that is MVC. A user would navigate to a secured MVC page which then handles cookie OAuth authentication with our IdSvr3 server. So at this point they are authenticated. Then the javascript on the MVC page starts spinning up the angular app. When the angular app comes up the initial page is secured which causes the app to leverage the OIDC token manager and it makes a round trip (authorize/callback) to the IdSvr3 to obtain an id_token and access_token for the token manager. This initial SSO round trip by angular adds an additional 1-3 seconds on to the angular app's loading time.

Since MVC already has a ClaimsPrincipal User authenticated is it possible to have MVC grab the id_token and an initial access_token and pass those down to the View where they could be used to initialize the oidc token manager so that the token manager doesn't have to initially request these itself from the SSO server? After the initial load then the usual renew token handles would take care of keeping a valid access token.

Am I missing something here? Can you point me in the right direction? The goal is to reduce the initial angular load times if possible and this was one thing that seemed to be adding a couple extra seconds.

brockallen commented 7 years ago

You could try to share tokens from the server side app to the client side code, but it's a lot of work.

gilm0079 commented 7 years ago

The seeding of angular/oidcTokenManager from MVC would just be at the page load then the oidc mechanism would take over the refresh. Is the hard part obtaining the id_token and access_token from IdSvr3 on the MVC side or initializing the oidc client with those tokens?

Do you have any other suggestions for speeding up initial oidc token manager process? It just seems like double work is being done when MVC has a ClaimsPrincipal user and the browser has a cookie then oidc has to also do the redirect/callback to initialize the tokens.

brockallen commented 7 years ago

> Do you have any other suggestions for speeding up initial oidc token manager process? It just seems like double work is being done when MVC has a ClaimsPrincipal user and the browser has a cookie then oidc has to also do the redirect/callback to initialize the tokens.

It is double work, but you're logically building 2 clients (not one).

Also, FWIW, this repo and library is deprecated in favor of: https://github.com/IdentityModel/oidc-client-js/

gilm0079 commented 7 years ago

Thanks Brock.

I started using the oidc-client-js library for token management instead.

I was working through the project more. I ran into a non-angular MVC page that I'm using that also needs to make authenticated API calls so it uses the oidc-client-js to do the popup sso auth method against the IdSvr to obtain a token then adds the bearer token to the headers of the jquery ajax call. All works well, but this one is more noticeable because of the popup that it acts like it is doing something extra that could be avoided. The popup flashes up for probably less than 1 second as the user has a valid cookie already due to the MVC authentication. I looked at the OWIN openID startup code and it adds the id_token and access_token to the cookie claims on the auth response. If I passed those down to javascript via MVC's model binding could the oidc-client-js initialize with those? I'm not seeing anything in the oidc-client-js OidcClient or OidcClientSettings constructor to allow for this. Would this be possible or am I missing something?

I'm not sure if I'm missing something as it seems like the authentication on most websites is pretty seamless. Granted they must be doing some sort of client resource type authentication as most don't redirect to a SSO page for authentication, but I would think there has to be an easier way to get OWIN/cookie and javascript/tokens initialized at one time instead of our current setup that seems to drag out the app initialization / authentication process.

brockallen commented 7 years ago

> The popup flashes up for probably less than 1 second as the user has a valid cookie already due to the MVC authentication.

In the newer library there's a silent API call that you could use to avoid the popup (and it's via an iframe).

> I'm not seeing anything in the oidc-client-js OidcClient or OidcClientSettings constructor to allow for this.

You want to look at the UserManager -- that's the replacement for what's in oidc-token-manager.
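
The silent call mentioned in the reply above, sketched as an added example that is not code from this thread or from the oidc-client-js project: it reuses a stored user, then tries the hidden-iframe sign-in, and opens the popup only when the identity provider reports that interaction is required. The helper name `getUserQuietly` and the popup fallback policy are assumptions of this example; `mgr` is expected to be an oidc-client-js `UserManager`.

```javascript
// Added example, not code from this thread or from oidc-client-js itself.
// `mgr` is expected to be an oidc-client-js UserManager, e.g.
//   new Oidc.UserManager({ authority, client_id, redirect_uri,
//                          silent_redirect_uri, response_type, scope })
// The helper name and the fallback policy are assumptions of this example.

// OIDC error codes meaning "prompt=none could not complete without UI".
const NEEDS_INTERACTION = new Set([
  "login_required",
  "consent_required",
  "interaction_required",
  "account_selection_required",
]);

async function getUserQuietly(mgr) {
  // 1. Reuse whatever is already in the UserManager's store.
  const cached = await mgr.getUser();
  if (cached && !cached.expired) {
    return { user: cached, via: "cache" };
  }
  // 2. Hidden-iframe authorize request; it succeeds when the browser
  //    still holds a valid session cookie at the identity provider.
  try {
    const user = await mgr.signinSilent();
    return { user, via: "silent" };
  } catch (err) {
    // 3. Show visible UI only when the provider says interaction is needed.
    if (err && NEEDS_INTERACTION.has(err.error)) {
      const user = await mgr.signinPopup();
      return { user, via: "popup" };
    }
    // Timeouts, network failures and misconfiguration are surfaced as-is.
    throw err;
  }
}
```

The page registered as `silent_redirect_uri` has to load the library and call `signinSilentCallback()` on a `UserManager` so the iframe can hand the response back to the parent window.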

brockallen commented 6 years ago

This repo is retired. Use https://github.com/IdentityModel/oidc-client-js/ instead.