
I'm trying to do something that seems like it would be a straightforward thing. I've looked through the IS4 QuickStarts and found a bunch of things regarding OAuth online, but with the latest changes to Core 2.0, I'm having trouble finding an example of just how to do this. Lots of stuff that's close, but nothing quite lines up and any time I try to combine approaches, I get it wrong. I have it mostly working, but I would appreciate any help getting it over the goal line.

Setup is this:

  • IS4 - lives on its own
  • MVC - lives on its own, AND is the host for an Aurelia app
  • API - lives on its own, and is the principal target for the Aurelia app

MVC uses the OpenIdConnect middleware to talk to IS4. This works fine: it hosts the login page and returns me back to my appropriate controller. Using:

HttpContext.GetTokenAsync("access_token") 

I get all my user claims, which are important. The controller method launches a view which emits my Aurelia app.

Here's the tricky part: once the Aurelia app is up and running, the user doesn't need to log in again, so I don't want a strict JS grant. Ideally, I'd like to be able to use the same access_token provided when I log in to MVC and use that in the SPA to access the API. That means the API must accept a bearer token that's been issued to the MVC app, which is on a different domain. Were this possible, I could get the token to the SPA as I do below.

If that's not OK, I have tried using this to get a separate login to the API:

// IdentityModel.Client (DiscoveryClient / TokenClient) from the IdentityModel package
using IdentityModel.Client;

// Fetch the IS4 discovery document to find the token endpoint
var disco = await DiscoveryClient.GetAsync("http://localhost:8552");
if (disco.IsError)
{
    return BadRequest();
}

// Request a token with the client-credentials grant: this authenticates the
// client "MyApi" with its secret, so no user is involved in the token request
var tokenClient = new TokenClient(disco.TokenEndpoint, "MyApi", "secret");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api1");

if (tokenResponse.IsError)
{
    return BadRequest();
}

// Hand the token to the browser so the SPA can pick it up
HttpContext.Response.Cookies.Append("access_token", tokenResponse.AccessToken);

Upon launching the view, I populate a hidden field with the token, which I can then use to make fetch calls from the SPA. The problem is, there are no user claims in that token. When I do hit the controller of the API, there are no user claims in the User principal, nor are there any claims in the token.

Any hints would be appreciated. I've lost days playing with this stuff and, though I'm much more up to speed with this than I was before, there have been a lot of breaking changes in authentication for .NET Core, and IS4 does things differently than IS3.

compgumby

0 Answers
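The following is an added example of the three-project wiring the question describes, written here for illustration; it is not code from the question, from the IdentityServer4 quickstarts, or from the poster's project. It assumes IdentityServer4 2.x on ASP.NET Core 2.0 with the IdentityServer4, IdentityServer4.AccessTokenValidation and Microsoft.AspNetCore.Authentication.OpenIdConnect packages; the IS4 address http://localhost:8552 and the "api1" scope come from the question, while the client id "mvc", the MVC URL http://localhost:5002, the `HomeController.Spa` action and the `MvcAuth`/`ApiAuth` helper classes are assumed names.

```csharp
// Added example (not the question's code). Assumed: IS4 2.x / ASP.NET Core 2.0,
// client id "mvc", MVC hosted at http://localhost:5002, IS4 at http://localhost:8552.
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ---- IS4 project: Config.cs ----
public static class Config
{
    // The claim types listed on the API resource are copied into access tokens issued
    // for scope "api1". A client-credentials token has no user behind it, so there is
    // nothing to copy; a token obtained through the user's interactive login does.
    public static IEnumerable<ApiResource> GetApiResources() => new[]
    {
        new ApiResource("api1", "My API", new[] { JwtClaimTypes.Name, JwtClaimTypes.Role })
    };

    public static IEnumerable<Client> GetClients() => new[]
    {
        new Client
        {
            ClientId = "mvc",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,
            RedirectUris = { "http://localhost:5002/signin-oidc" },
            // Allowing "api1" is what makes the MVC client's access token valid for the API.
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            }
        }
    };
}

// ---- MVC project: Startup.ConfigureServices ----
public static class MvcAuth
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";
            options.Authority = "http://localhost:8552";
            options.RequireHttpsMetadata = false;   // development only
            options.ClientId = "mvc";
            options.ClientSecret = "secret";
            options.ResponseType = "code id_token";
            options.SaveTokens = true;              // needed for GetTokenAsync("access_token")
            options.Scope.Add("api1");              // request an access token usable at the API
        });
    }
}

// ---- MVC project: the controller action that emits the SPA ----
[Authorize]
public class HomeController : Controller
{
    public async Task<IActionResult> Spa()
    {
        // The user-bound access token the OIDC middleware stored at login. The view
        // exposes it to the Aurelia app, which sends "Authorization: Bearer <token>".
        ViewData["AccessToken"] = await HttpContext.GetTokenAsync("access_token");
        return View();
    }
}

// ---- API project: Startup.ConfigureServices ----
public static class ApiAuth
{
    public static void Configure(IServiceCollection services)
    {
        // Bearer validation checks issuer, signature, expiry and the "api1" audience.
        // Which client obtained the token, and from which origin, plays no part in it.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:8552";
                options.RequireHttpsMetadata = false;   // development only
                options.ApiName = "api1";
            });
    }
}
```

Two points worth keeping in mind with this layout. First, the API's bearer validation is about the token's issuer and audience, not the domain of the client that obtained it, so a token issued to the MVC client with the "api1" scope is accepted as-is; the client-credentials token in the question is rejected for user-level work simply because no user took part in issuing it, so it carries no subject or user claims. Second, any token handed to the SPA through the view (hidden field or readable cookie) is reachable by every script running on that page, so the same cross-site-scripting hygiene that would apply to a token stored by the SPA itself applies here.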