
I have an application with a classic client-server architecture: ASP.NET Core in the backend and jQuery, Angular or vanilla JS in the frontend.

For authentication I use an OpenID Connect certified server (Keycloak).

So far I can log in via the ASP.NET Core authentication middleware and get my access token and refresh token.

My configuration looks like this:

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    // Development only: discovery metadata must be fetched over HTTPS in production.
    options.RequireHttpsMetadata = false;
    options.MetadataAddress = Configuration["IdentityServer:Metadata"];

    options.ClientId = Configuration["IdentityServer:ClientId"];
    options.ClientSecret = Configuration["IdentityServer:ClientSecret"];
    // Keep access/refresh tokens in the authentication ticket so the backend
    // can read them later via HttpContext.GetTokenAsync("access_token").
    options.SaveTokens = true;

    options.ResponseType = "code";

    // Scope is a collection of individual scope values (the handler joins them
    // with spaces itself); "openid" and "profile" are already in the default list.
    options.Scope.Add("email");
    options.Scope.Add("web");
    options.Scope.Add("origons");
    options.Scope.Add("roles");
    options.Scope.Add("SocpoeOnlyForDeveopers");
});

Now I want to access resources with the received Access Token, not only from my backend but also from my frontend.

So far I have found only one solution: store the access token in a JS variable in _Layout.cshtml.

When the access token expires, I make a request to my backend to get a new access token. In the backend I then ask the authorization server, using the refresh token, for a new access token and send it back to the frontend.

A bit like here: https://medium.com/@ognjanovski.gavril/use-refresh-token-to-renew-access-token-and-resend-all-unauthorized-401-requests-that-failed-190e9c97fc3a

Because my access tokens expire after 5 minutes (too short? it is Keycloak's default), there would be quite a lot of network activity.

Is there a better way?

Jason Aller

1 Answer


In your case, using the backend as the token-obtaining mechanism is a bad idea. Instead, your frontend should be the component that initiates authentication, so the token pair is stored in the frontend app (you have to integrate the Keycloak JS adapter into the frontend). Then you can call the backend from the frontend via the Bearer scheme, so your backend should be a bearer-only application.

As an example, look at how the Keycloak Admin Console works (it is actually two apps: the Admin UI, which forces the user to authenticate by redirecting them to the Keycloak login page, and the realm-management backend, which receives requests from the Admin UI with the access token in the headers).

solveMe
  • Thank you for your answer. If I got you right, my backend should basically be a resource that wants an access token in the Authorization header, with a scope like "backend-access". Right? And could you explain what the potential danger of my solution is? – Fabian Jänicke Oct 07 '19 at 05:31
  • So far your token is visible only in the current user session, so there are no security issues. But in general your approach is wrong from an architectural point of view, and it will lead to new problems in the future during your application's lifecycle. Your current issue is just evidence of that. – solveMe Nov 14 '19 at 01:14