Closed Condor2708 closed 9 years ago
WAPI2 would probably use client credentials flow to get its own access token for WAPI1.
WAPI2 is also configured with Implicit Flow, because it is used from another SPA application. Do I need to create another Client for WAPI2 with ClientCredentials? I saw in the documentation that there is an option called AllowClientCredentials, but I don't know if it is secure to set up with an implicit Client.
Don't use AllowClientCredentials with implicit clients.
So yes, if WAPI2 needs to contact WAPI1 on its own, then set up a new client for it. If WAPI2 can take the current token and pass it to WAPI1 then that's ok as well, but that's the "poor man's delegation" and the token will need both scopes.
Thanks Brock...
Another question: when I am using WebAPI2 I am logged in with a specific user (e.g. Condor2708). How can I obtain the claims for this user, but for WebApi1? If I use Client Credentials I don't have the sub claim? Thanks
You need to have the user authenticate in some way -- resource owner, implicit, or code flows (or possibly even custom grant). All depends on the workflow.
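The two options from the replies above, seen from WAPI1's side, as an added example that is not part of the original thread or of any library: a forwarded user token must carry both scopes, and a client credentials token has no `sub`. The scope names `wapi1`/`wapi2`, the client ids `spa2`/`wapi2_service` and the function names are assumptions, and the claims are taken to be already validated (signature, issuer, expiry).

```python
# Added example. Claims are constructed samples, not real tokens. Assumes the
# signature, issuer, audience and expiry were already verified upstream.
TRUSTED_SERVICE_CLIENTS = frozenset({"wapi2_service"})  # hypothetical client id


def scopes_of(claims):
    """Scopes as a set; 'scope' may be a space-delimited string or a list."""
    raw = claims.get("scope", [])
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def authorize_wapi1(claims, needs_user=False):
    """Decide whether WAPI1 accepts the call. Returns (allowed, reason)."""
    if "wapi1" not in scopes_of(claims):
        return False, "token lacks the wapi1 scope"
    if claims.get("sub"):
        # User token (implicit, code or resource owner): identity is available.
        return True, "user call for sub=" + claims["sub"]
    # No sub: a client credentials token, so only the client is identified.
    if claims.get("client_id") not in TRUSTED_SERVICE_CLIENTS:
        return False, "unknown service client"
    if needs_user:
        return False, "client credentials token has no sub claim"
    return True, "service call by " + claims["client_id"]


# Constructed sample claims (all names hypothetical).
SPA_TOKEN_WAPI2_ONLY = {"client_id": "spa2", "sub": "Condor2708",
                        "scope": ["openid", "wapi2"]}
SPA_TOKEN_BOTH_SCOPES = {"client_id": "spa2", "sub": "Condor2708",
                         "scope": ["openid", "wapi1", "wapi2"]}
WAPI2_SERVICE_TOKEN = {"client_id": "wapi2_service", "scope": "wapi1"}

if __name__ == "__main__":
    cases = [
        ("forwarded, wapi2 scope only", SPA_TOKEN_WAPI2_ONLY, True),
        ("forwarded, both scopes", SPA_TOKEN_BOTH_SCOPES, True),
        ("service token, no user needed", WAPI2_SERVICE_TOKEN, False),
        ("service token, user needed", WAPI2_SERVICE_TOKEN, True),
    ]
    for name, claims, needs_user in cases:
        print(name, "->", authorize_wapi1(claims, needs_user))
```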
I have an Implicit Client using a Web API (WAPI1) configured with AccessTokenValidation and with ImplicitClient flow. My question is: if I want to use WAPI1 from another WebAPI (WAPI2), do I need to configure another client flow for WAPI1? Or can I use the same Implicit client flow already configured? Thanks for the support