I have been playing with Thinktecture IdentityServer3 and am keen to use it as the product looks great. However, I don't fully understand how to accomplish my flow which is probably fairly common:

  • Create Identity Server using Implicit flow
  • Setup an MVC web site
  • Setup a separate Web API

So far so good, as demonstrated in the examples on the site. I now wish to call the API using AJAX calls directly, but for this I need an access token. It seems like a large overhead to have to route these through the MVC site itself (again, in the examples).

How can I accomplish this flow? Would it essentially blend the MVC and JavaScript Client samples, or is there a smoother way so the user only has to sign in once? Perhaps send the access token in a hidden field, but then how would it renew?

Any help on understanding this would be great.

chris

2 Answers

I've managed to come up with a solution which seems to work, not sure if it's best practice though...

  • Expose a method on the MVC site at AJAX/AccessToken
  • Method should be locked down with Authorize attribute to ensure the MVC part of the site is authenticating properly with IdentityServer
  • Method returns the user's Access Token, which was generated through the above call via MVC controllers
  • In JavaScript, simply use this endpoint to get an Access Token and then call the API manually
  • The call to get the Access Token should be secure as it's within the same domain/authentication model as the MVC site itself

I've put up a sample here for anyone interested: OIDC-Website

chris
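The browser side of the pattern described in this answer, as an added example that is not code from the original post or from IdentityServer3. It assumes the MVC site exposes `GET /AJAX/AccessToken` behind `[Authorize]` (the endpoint named above) and that the action returns JSON of the shape `{ "access_token": "<jwt>" }` (the JSON shape is an assumption). The token is kept in memory only, sent to the Web API as a Bearer header, and re-requested from the MVC site when it is close to expiry or when the API answers 401. Whether a fresh token actually comes back then depends on the MVC site being able to renew it, which is the refresh-token point raised in the other answer. The stub `fetch` and the unsigned JWT-shaped token at the bottom are constructed fixtures so the example runs offline.

```javascript
// Added example (not from the original post). Assumes GET /AJAX/AccessToken
// on the MVC site returns { "access_token": "<jwt>" } to authenticated users.

// base64url -> string; works in browsers (atob) and in Node (Buffer).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Read the 'exp' claim (epoch milliseconds) from a JWT access token WITHOUT
// verifying the signature: the browser only uses it to decide when to ask for
// a new token. The Web API is the party that validates the token.
function jwtExpiryMs(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return typeof claims.exp === 'number' ? claims.exp * 1000 : null;
  } catch (e) {
    return null;
  }
}

function createApiClient({ fetchImpl, tokenUrl = '/AJAX/AccessToken', now = () => Date.now() }) {
  const skewMs = 30 * 1000; // treat the token as stale 30 s before 'exp'
  let cached = null;        // { token, expiresAt }, memory only, no localStorage

  async function getAccessToken(force = false) {
    if (!force && cached && (cached.expiresAt === null || cached.expiresAt - skewMs > now())) {
      return cached.token;
    }
    // Same-origin request: the MVC authentication cookie is sent, so the
    // [Authorize] attribute on the action decides who may obtain the token.
    const res = await fetchImpl(tokenUrl, {
      credentials: 'same-origin',
      headers: { Accept: 'application/json' },
    });
    if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
    const body = await res.json();
    if (typeof body.access_token !== 'string') throw new Error('response has no access_token');
    cached = { token: body.access_token, expiresAt: jwtExpiryMs(body.access_token) };
    return cached.token;
  }

  async function callApi(url, init = {}) {
    const send = async (token) => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });
    let res = await send(await getAccessToken());
    if (res.status === 401) {
      // The API rejected the token (e.g. it expired between calls): ask the MVC
      // site once more, then return whatever the API says this time.
      res = await send(await getAccessToken(true));
    }
    return res;
  }

  return { getAccessToken, callApi };
}

// Constructed fixture: an unsigned JWT-shaped token so the demo runs offline.
// Real IdentityServer3 access tokens are signed; the API must verify them.
function demoToken(expSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ exp: expSeconds, scope: 'api1' })}.signature-placeholder`;
}

// Runs two API calls against a stub fetch (constructed): the token endpoint
// issues a token valid for 5 minutes; with rejectFirstApiCall the API answers
// 401 once, which exercises the re-fetch path. Returns call counts.
async function runDemo({ rejectFirstApiCall = false } = {}) {
  const token = demoToken(Math.floor(Date.now() / 1000) + 300);
  const calls = { tokenEndpoint: 0, api: 0, lastAuth: null, token };
  const fetchImpl = async (url, init) => {
    if (url === '/AJAX/AccessToken') {
      calls.tokenEndpoint += 1;
      return { ok: true, status: 200, json: async () => ({ access_token: token }) };
    }
    calls.api += 1;
    calls.lastAuth = init.headers.Authorization;
    if (rejectFirstApiCall && calls.api === 1) {
      return { ok: false, status: 401, json: async () => ({}) };
    }
    return { ok: true, status: 200, json: async () => ({ value: 'hello' }) };
  };
  const client = createApiClient({ fetchImpl });
  await client.callApi('/api/values');
  await client.callApi('/api/values'); // reuses the cached token
  return calls;
}
```

In a page served by the MVC site you would construct the client with `createApiClient({ fetchImpl: window.fetch.bind(window) })`; the same-origin policy means a page on another origin cannot read the response of `/AJAX/AccessToken` even though the browser would attach the cookie, which is why the answer treats that endpoint as sitting inside the MVC site's own authentication boundary.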

Check out the form post client to see the endpoints being called explicitly. You will need to hit the token endpoint to get your access token.

You should be able to use these endpoints in your AJAX calls, store the received claims and tokens in a cookie and take it from there.

Note that to renew the access token, you will also need to store the refresh token. The Implicit flow does not allow for refresh tokens (you'll need to use the Authorization Code Flow or the Hybrid Flow).

Scott Brady