
Given:

  • ASP.NET MVC Core client
  • JavaScript client hosted by ASP.NET MVC Core
  • ASP.NET Web API

All are authenticating with IdentityServer.

Problem

For a normal user, the auth is done with ASP.NET Core and the OIDC client. I use the access token in ASP.NET Core to access the API.

Now a JavaScript function wants to access an authorized API and needs the access_token for this.

What is the best practice to have it in JavaScript? I see primarily two options:

1.) I make a "silent" auth in JavaScript with an OIDC client. (Feels like duplicate work.)

2.) I store the access_token in a cookie where JavaScript could pick it up. (Potentially unsecured.)

3.) (Feels like a smell) Making an authorized endpoint like /me/token that returns the access_token.

What is the intended way in this scenario?

Mike Anderson
Boas Enkler
  • I have the same question. My MVC application uses an Angular client. I also would like to know what the best practice is for this. At the moment I have done option 1. But this is indeed duplicated work. – ErazerBrecht Nov 07 '16 at 06:45
  • @ErazerBrecht, I tried to make a "silent" auth, but it seems I need to sign in first and then renew the token, so I sign in twice: once in MVC and once on the client side. Can you point me to how to implement option 1? – Mike Anderson Nov 14 '16 at 15:25

1 Answer


You could render on an MVC view a script tag which configures your AJAX headers, so you can add the Authorization header with the access_token you have in MVC.

Tokens are secure due to the fact that they are signed, so you can't change them without knowing the signing key, and they are limited in time. Also, tokens need to be verified before you use them.

Kristof Degrave
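As an added illustration of the approach in this answer (example code written for this page, not code from the answer's author or from IdentityServer), here is a browser-side helper that takes the access_token the MVC view rendered into the page and attaches it to API calls as a Bearer header. It assumes the view renders the token into a `<meta name="access-token">` element (an assumed convention; a rendered `<script>` assigning a global works the same way), and the names `API_BASE`, `readAccessToken`, `buildAuthHeaders`, `authorizedFetch` and `makeSampleToken` are all assumptions. It reads the JWT `exp` claim only to avoid sending a token the API is guaranteed to reject; it deliberately does not verify the signature, because that is the API's job and the browser must never hold the signing key.

```javascript
// Added example: attach the server-rendered access_token to API calls.
// Assumptions: the MVC view emits <meta name="access-token" content="...">, the
// API lives at API_BASE, and all function names below are made up for this page.

const API_BASE = "https://api.example.test"; // assumed API origin

// base64url (no padding) -> UTF-8 string; works in browsers (atob) and Node (Buffer).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("binary");
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// UTF-8 string -> base64url; only needed to build the constructed sample token below.
function base64UrlEncode(str) {
  let bin = "";
  for (const b of new TextEncoder().encode(str)) bin += String.fromCharCode(b);
  const b64 = typeof btoa === "function"
    ? btoa(bin)
    : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the JWT payload WITHOUT verifying it. The browser cannot verify the
// signature anyway; the API must do that on every request.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Client-side pre-check on 'exp' so we do not fire requests that will 401 anyway.
// A missing exp is treated as unusable rather than as "never expires".
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== "number") return true;
  return exp <= nowSeconds + skewSeconds;
}

// Pull the token the MVC view rendered into the page (assumed <meta> convention).
// Reading it from the DOM rather than from a cookie keeps it out of every request
// the browser makes automatically.
function readAccessToken(doc = typeof document !== "undefined" ? document : null) {
  const meta = doc && doc.querySelector('meta[name="access-token"]');
  return meta ? meta.getAttribute("content") : null;
}

// Build request headers carrying the Bearer token; refuse to proceed without a usable token.
function buildAuthHeaders(token, extra = {}) {
  if (!token) throw new Error("no access token available; re-authenticate via MVC");
  if (isExpired(token)) throw new Error("access token expired; let the server obtain a new one");
  return { ...extra, Authorization: `Bearer ${token}` };
}

// fetchImpl is injectable so the helper can be exercised without a network.
// credentials:"omit" because the Bearer header is the credential; cookies add nothing.
function authorizedFetch(path, init = {}, token = readAccessToken(), fetchImpl = globalThis.fetch) {
  const headers = buildAuthHeaders(token, init.headers || {});
  return fetchImpl(`${API_BASE}${path}`, { ...init, headers, credentials: "omit" });
}

// Constructed sample token for demonstration only: JWT-shaped, but its signature
// segment is a placeholder, so a verifying API would reject it.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = base64UrlEncode(JSON.stringify(payload));
  return `${header}.${body}.placeholder-signature`;
}

// Usage in the page, after the view has rendered the token:
//   authorizedFetch("/orders").then((r) => r.json()).then(renderOrders);
```

Note the trade-off this makes explicit: once the token is readable from the page, any script injected through an XSS bug can read it too, and the `exp` check above is a convenience, not a security control; the API must still validate signature, issuer, audience and lifetime on every call.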