IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Sharing same token between MVC client and WebAPI client #1893

Closed programmer-pragmatic closed 9 years ago

programmer-pragmatic commented 9 years ago

We are building a SPA which is mix of MVC views and WebAPI calls. It has multiple modules and each module's landing page is written as MVC view. We want to outsource 'Authentication/Authorization' to another server (implemented with Thinktecture's Identityserver3).

So when a user tries to open my application (any module), he will be transferred to the Authentication/Authorization server, where he will enter his details and log in. Once the MVC view is rendered in the browser, it hits the WebAPI for data. At this point, we do not want the user to be taken back to the idsvr server again, as he has already logged in. I am not sure how to achieve this. As of now we have one single project that contains the MVC views and the WebAPI. We can create two different projects if required (one for the MVC views and another for the WebAPI). I assume that both will be different clients on idsvr. MVC views will use a "cookie" (token will be wrapped under it) whereas the WebAPI will use a plain bearer token.

I have not found a way to achieve the same.

Thanks In Advance Pragmatic

leastprivilege commented 9 years ago

OK - so what is the issue?

It sounds like you already have an access token.

programmer-pragmatic commented 9 years ago

Hi Dominick,

If I use Owin cookie option for my MVC view, how can I extract token from it and use it for the webAPI's hit?

Since my MVC views and WebAPI are in a single project, should I use a cookie? I think a cookie should not be used for the WebAPI. Should I create two different projects (one for the WebAPI and another for MVC) and use the following code to register the clients:

```csharp
using System.Collections.Generic;
using IdentityServer3.Core;          // Sha256() extension for client secrets
using IdentityServer3.Core.Models;

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            // Interactive client: the MVC views sign the user in with the implicit flow
            new Client
            {
                ClientName = "MVC Client",
                ClientId = "mvc",
                Flow = Flows.Implicit,

                RedirectUris = new List<string>
                {
                    "https://localhost:44319/"
                },
                PostLogoutRedirectUris = new List<string>
                {
                    "https://localhost:44319/"
                },
                AllowedScopes = new List<string>
                {
                    "openid",
                    "profile",
                    "roles",
                    "sampleApi"
                }
            },
            // Server-to-server client: calls the API on its own behalf with client credentials
            new Client
            {
                ClientName = "MVC Client (service communication)",
                ClientId = "mvc_service",
                Flow = Flows.ClientCredentials,

                ClientSecrets = new List<Secret>
                {
                    new Secret("secret".Sha256())
                },
                AllowedScopes = new List<string>
                {
                    "sampleApi"
                }
            }
        };
    }
}
```

But the question remains the same: how can I use the token that exists in the cookie from JavaScript and use it for WebAPI calls?

leastprivilege commented 9 years ago

There is no token in the cookie (unless you put it there explicitly).

I would suggest you do this walkthrough here: https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html

programmer-pragmatic commented 9 years ago

Thanks Dominick for the prompt response. I misinterpreted that the cookie contains the token. I have got it right now. When a user logs in through the MVC app, a token is generated by the server. Since I am using the cookie-based approach, I could not find a hook where I can get hold of this token. All I want is to pass this token to the client side (JavaScript) and use it for WebApi2 requests. Is it possible?

leastprivilege commented 9 years ago

Did you do the walkthrough?

— cheers Dominick Baier


programmer-pragmatic commented 9 years ago

Got it. I missed that part earlier. Yes, I can use the token generated for the MVC view for the WebAPI. I also wanted to make sure that the WebAPI is not accessible by cookie (to prevent CSRF attacks). That is also doable. Thank you very much.

I had one more design question.

But the client also wants a common URL like 'login.MyWebApp.com' which can be used by all users from any tenant to log in to their respective instance.

We are planning to implement something similar to the following:

These are some initial thoughts and may not be correct/feasible. It would be great if you share your thought on this. If you like, I can create another issue for this.
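The arrangement settled on in this thread (MVC signed in with a cookie, the access token captured at sign-in and handed to the page script, the WebAPI accepting only bearer tokens so that a browser cookie alone cannot drive it) wired up as one OWIN `Startup`, given here as an added example; it is not code from the thread or from the IdentityServer3 project. It assumes the client registration posted above (client id `mvc`, implicit flow, scope `sampleApi`), the `Microsoft.Owin.Security.OpenIdConnect` and `IdentityServer3.AccessTokenValidation` packages, and a placeholder IdentityServer authority URL; the `MyWebApp` namespace, `HomeController` and `DataController` names are also assumptions.

```csharp
// Startup.cs of the single MVC + WebAPI project (assumed layout).
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Mvc;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyWebApp.Startup))]

namespace MyWebApp
{
    public class Startup
    {
        // Placeholder: replace with the real IdentityServer3 base URL.
        const string Authority = "https://idsrv.example.com/identity";

        public void Configuration(IAppBuilder app)
        {
            // 1. MVC views: the cookie holds the session, OpenID Connect drives the login.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies"
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = Authority,
                ClientId = "mvc",                         // matches the client registration above
                RedirectUri = "https://localhost:44319/",
                ResponseType = "id_token token",          // implicit flow: request an access token as well
                Scope = "openid profile roles sampleApi",
                SignInAsAuthenticationType = "Cookies",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // The hook asked about in the thread: the access token arrives here once,
                    // at sign-in; store it as a claim so the cookie identity carries it.
                    SecurityTokenValidated = n =>
                    {
                        n.AuthenticationTicket.Identity.AddClaim(
                            new Claim("access_token", n.ProtocolMessage.AccessToken));
                        return Task.FromResult(0);
                    }
                }
            });

            // 2. WebAPI: bearer tokens only. Suppressing host authentication means the
            //    "Cookies" identity is never attached to API requests, so a cross-site
            //    request that merely carries the cookie is rejected (no CSRF surface).
            var config = new HttpConfiguration();
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter("Bearer"));
            config.MapHttpAttributeRoutes();

            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = Authority,
                RequiredScopes = new[] { "sampleApi" }   // token must be good for this API
            });
            app.UseWebApi(config);
        }
    }

    // MVC controller: reads the stored token and hands it to the view, where the page
    // script sends it as "Authorization: Bearer <token>" on each WebAPI call.
    [System.Web.Mvc.Authorize]
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            var identity = (ClaimsIdentity)User.Identity;
            var tokenClaim = identity.FindFirst("access_token");
            ViewBag.AccessToken = tokenClaim == null ? null : tokenClaim.Value;
            return View();
        }
    }

    // WebAPI controller: only reachable with a valid bearer token for scope "sampleApi".
    [System.Web.Http.Authorize]
    [RoutePrefix("api/data")]
    public class DataController : ApiController
    {
        [Route("")]
        public IHttpActionResult Get()
        {
            var identity = (ClaimsIdentity)User.Identity;
            return Ok(new { subject = identity.FindFirst("sub").Value });
        }
    }
}
```

Two points worth checking in such a setup: the access token is placed in the rendered page and is therefore readable by any script running there, so the API's cookie immunity does not help against script injection on the MVC side; and the cookie identity grows by the size of the token, which matters once cookie size limits are approached. A quick confirmation that the API really ignores the cookie is to call `/api/data` from the browser with the session cookie present but no `Authorization` header and expect a 401.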

leastprivilege commented 9 years ago

please open a new thread for further questions