0

I'm more looking for confirmation of whether I'm doing this right or wrong. This is the scenario:

I'm hosting an AngularJS app in an ASP.NET MVC application. Using the MVC part I communicate with IdentityServer to log in, and once I do this I take the access_token from OWIN's OpenIdConnect validation notification and create a Cookie with its value, which I then get in AngularJS with the $cookieStore object to use for my requests.

Admittedly, security is by far my weakest link, so my question is whether the above scenario is safe or am I violating some sort of security rule that would allow someone to find a hole in security?

IWriteApps
  • 973
  • 1
  • 13
  • 30

1 Answer

0

Your question is kind of hard to answer, since we can't confirm what you are going to do in the future. Generally you are on the right path, but security is hard, so you should know when to let others do it.

IdentityServer v3 is a great start though.

Take a look at the samples, specifically the JavaScriptImplicitClient from here: https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/tree/26293649324783cd5c6bbfe0dbb9e83c6df826fc/source/Clients

A nice article on Angular and WebAPI here as well: http://www.codeproject.com/Articles/784106/AngularJS-Token-Authentication-using-ASP-NET-Web-A

Have fun!

Henrik N.
  • 556
  • 5
  • 13
  • I'm going to use the token and consume a webapi svc. But my worry was around whether storing the access token in a cookie was counter productive to all the security measures idsrv3 had. – IWriteApps Jan 08 '15 at 15:56
  • I'm not an expert on Angular, but since cookies should be httponly (not readable by JS) I would go with SessionStorage client-side. That's what I (or rather my frontend devs) have done on previous jobs. It's also what is used in the sample from Thinktecture. – Henrik N. Jan 08 '15 at 20:15