IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Question: Get Access Token from WebAPI to WebAPI #1705

Closed Condor2708 closed 9 years ago

Condor2708 commented 9 years ago

I have an Implicit Client using a Web API (WAPI1) configured with AccessTokenValidation and with the Implicit client flow. My question is: if I want to use WAPI1 from another Web API (WAPI2), do I need to configure another client flow for WAPI1? Or can I use the same Implicit client flow already configured? Thanks for the support

brockallen commented 9 years ago

WAPI2 would probably use client credentials flow to get its own access token for WAPI1.

Condor2708 commented 9 years ago

WAPI2 is also configured with Implicit Flow, because it is used from another SPA application. Do I need to create another Client for WAPI2 with ClientCredentials? I saw in the documentation that there is an option called AllowClientCredentials, but I don't know if it is secure to set it up with an implicit Client.

brockallen commented 9 years ago

Don't use AllowClientCredentials with implicit clients.

So yes, if WAPI2 needs to contact WAPI1 on its own, then setup a new client for it. If WAPI2 can take the current token and pass it to WAPI1 then that's ok as well, but that's the "poor man's delegation" and the token will need both scopes.
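For reference, an added example (not code from this thread or from IdentityServer3 itself) of the separate client-credentials client Brock describes: the SPA's implicit client stays as it is, WAPI2 gets its own registration, and WAPI2 uses IdentityModel's TokenClient to obtain a token for WAPI1. Client ids, secret, URLs and scope names are assumed placeholders.

```csharp
// Added example (not from the thread or IdentityServer3): separate client-credentials client for WAPI2.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using IdentityModel.Client;                // TokenClient
using IdentityServer3.Core.Models;         // Client, Flows, Secret, Sha256()

public static class Clients
{
    // Assumed ids/scopes: "spa", "wapi2.service", "wapi1", "wapi2".
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            // Existing SPA client, unchanged: implicit flow, no AllowClientCredentials.
            new Client
            {
                ClientId = "spa",
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://spa.example/callback" },
                AllowedScopes = new List<string> { "openid", "wapi2" }
            },
            // New client WAPI2 uses to call WAPI1 on its own behalf (token carries no sub claim).
            new Client
            {
                ClientId = "wapi2.service",
                Flow = Flows.ClientCredentials,
                ClientSecrets = new List<Secret> { new Secret("replace-me".Sha256()) },
                AllowedScopes = new List<string> { "wapi1" }
            }
        };
    }
}

public class Wapi1Caller
{
    // WAPI2 side: get a client-credentials token for the "wapi1" scope, then call WAPI1 with it.
    public static async Task<string> CallWapi1Async()
    {
        var tokenClient = new TokenClient("https://idsrv.example/connect/token", "wapi2.service", "replace-me");
        var response = await tokenClient.RequestClientCredentialsAsync("wapi1");
        if (response.IsError) throw new InvalidOperationException(response.Error);
        var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", response.AccessToken);
        return await http.GetStringAsync("https://wapi1.example/api/data");
    }
}
```

The "poor man's delegation" alternative from the comment above would instead forward the incoming bearer token unchanged, which only works if that token was issued with both the wapi2 and wapi1 scopes.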

Condor2708 commented 9 years ago

Thanks Brock...

Condor2708 commented 9 years ago

Another question: when I am using WebAPI2 I am logged in as a specific user (e.g. Condor2708). How can I obtain the claims for this user, but for WebAPI1? If I use Client Credentials I don't have the sub claim. Thanks

brockallen commented 9 years ago

You need to have the user authenticate in some way -- resource owner, implicit, or code flows (or possibly even a custom grant). It all depends on the workflow.