
Background

I've implemented the Thinktecture.IdentityServer.V3 (the OpenID Connect one). I've got the OAuth2 bearer token returned to my JavaScript client (implicit flow) in the form:

{
  "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
  "token_type": "Bearer",
  "expires_in": "3600",
  "scope": "openid profile read write email",
  "state": "1299139105028949"
}

but in all the examples they only pass the access_token to the resource provider when calling the service.

 $.ajax({
         url: 'http://localhost:2727/Account/123/Get',
         headers: {
              Authorization: "Bearer " + $scope.response.access_token
             }
         })

Assumption

If I've got this right, I authenticate with the access token. Then I authorize based on claims in the id_token (I don't want to make a separate DB call - I want it fully self-contained).

Question

How would I pass this information to my WebAPI2 endpoint via AJAX (assume I've set up CORS etc.) and what middleware would I have to hook up to validate it? (I'm guessing one of the token validators and a claims manager, but there are so many I can't decide which one is the right one to use.)

Help very much appreciated

Peter Lea

2 Answers


The id_token is for the client - it has to be validated by the client (or by the identity token validation endpoint in idsrv if the client does not have the necessary crypto libraries). Afterwards you use the access token to access the resource.

leastprivilege
  • So how would you go about protecting resources via a role claim in the id token? Or am I missing something here? Thanks – Peter Lea Oct 08 '14 at 17:11
  • 1
    You don't secure resources with an id_token. Put the role claim into the access token. https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Scope-Model – leastprivilege Oct 08 '14 at 18:19
  • Okay making sense now! Thanks for your help. – Peter Lea Oct 08 '14 at 18:29
  • Adding to the answer for @PeterLea: the ID token is meant only for identity, and roles are basically a means of authorization, so they make sense in the access token. The ID token is meant for the client to authenticate the End User/Resource Owner and get his information using the ID token; access to resources is controlled by the access token. – dvsakgec Dec 09 '16 at 10:04

It seems you use AngularJS, so you can use the $http service to set the token in the header.

For example:

$http.post("/login", credentials).then(function(response) {
    // response.data is the token object returned by the login call; set the default
    // header once so every later $http request carries it. At run time the defaults
    // live on $http ($httpProvider is only injectable during the config phase).
    $http.defaults.headers.common["Authorization"] = "Bearer " + response.data.access_token;
});

You have to do this once per session.

UPDATE

With jQuery something like this

// This represents the token you got after login
var authToken = {
    "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
    "token_type": "Bearer",
    "expires_in": "3600",
    "scope": "openid profile read write email",
    "state": "1299139105028949"
};
$.ajax({
    url: "http://localhost:2727/Account/123/Get",
    type: "get",
    dataType: "json",
    beforeSend: function (request) {
        // only the access_token travels to the resource; token_type supplies the "Bearer" prefix
        request.setRequestHeader("Authorization", authToken.token_type + " " + authToken.access_token);
    }
});
Sven Schürmann
  • The thinktecture javascript implicit example uses angular, I'm actually using knockout. The demo passes the access_token, but I would also like to pass the whole OAuth2 token so I can validate the id_token as well, How do I create the header to pass that info? – Peter Lea Oct 08 '14 at 14:52
  • The issue is with the 'Bearer " + $scope.response.access_token' is only being passed, not the whole token. I'm going to try 'X-AUTH-TOKEN ' + $scope.response and see where that gets me – Peter Lea Oct 08 '14 at 15:09
  • Okay I have updated my snippet! This should be the right way. I found some information [here](http://weblogs.thinktecture.com/cweyer/2012/11/oauth2-in-thinktecture-identityserver-v2-implicit-grant-flow-with-javascript.html) – Sven Schürmann Oct 08 '14 at 15:16
  • Hi, the snippet shows just passing the access_token. Is it not possible to pass the whole token in this way? Do I need to send the id_token in a different header? – Peter Lea Oct 08 '14 at 15:25
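An added example of the client-side plumbing around the snippets in this answer (my own code, not the answer's and not from the Thinktecture sample): the implicit flow returns the token object in the URL fragment, so the client has to parse it, check the state value against the one it generated before redirecting (the page's "1299139105028949"), and only then build the Authorization header. The fragment below is constructed to match the shape of the question's response; the JWT values in it are placeholders, not real tokens.

```javascript
// Added example, not from the original answer. Parse the implicit-flow fragment, verify
// state, keep the id_token on the client, and send only the access_token to the API.
function parseImplicitResponse(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  if (params.has("error")) throw new Error("authorization error: " + params.get("error"));
  const token = {};
  for (const [k, v] of params) token[k] = v;
  // state ties the response to the request this client started; a mismatch means the
  // fragment was planted (or is stale), so the tokens in it must not be used.
  if (!token.state || token.state !== expectedState) throw new Error("state mismatch: response was not for this request");
  if (!token.access_token) throw new Error("no access_token in response");
  if ((token.token_type || "").toLowerCase() !== "bearer") throw new Error("unsupported token_type: " + token.token_type);
  return token;
}

// Header for the resource call: the access_token only, never the id_token.
function authorizationHeader(token) {
  return { Authorization: "Bearer " + token.access_token };
}

// expires_in is seconds (the page shows it as a string); returns the epoch-ms deadline.
function expiresAt(token, receivedAtMs) {
  return receivedAtMs + Number(token.expires_in) * 1000;
}

// Options object for $.ajax, equivalent to the answer's beforeSend version.
function ajaxOptions(url, token) {
  return { url: url, type: "get", dataType: "json", headers: authorizationHeader(token) };
}

// Constructed fragment; placeholder JWTs, state copied from the question.
const SAMPLE_HASH = "#id_token=hhh.ppp.sss&access_token=aaa.bbb.ccc&token_type=Bearer" +
  "&expires_in=3600&scope=openid%20profile%20read%20write%20email&state=1299139105028949";
const EXPECTED_STATE = "1299139105028949"; // what the client stored before the redirect

const token = parseImplicitResponse(SAMPLE_HASH, EXPECTED_STATE);
const opts = ajaxOptions("http://localhost:2727/Account/123/Get", token);
console.log(opts.headers.Authorization, token.scope, new Date(expiresAt(token, Date.now())).toISOString());
```

In the browser, `hash` is `window.location.hash` and the expected state comes from wherever the client stashed it before redirecting (session storage, for instance); the id_token stays in `token.id_token` for the client's own validation and is not part of the header.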