
javascript - pass openid-connect oauth2 bearer token in header - Stack Overflow


Background

I've implemented Thinktecture.IdentityServer.V3 (the OpenID Connect one). I've got the OAuth2 bearer token returned to my JavaScript client (implicit flow) in the form:

{
  "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
  "token_type": "Bearer",
  "expires_in": "3600",
  "scope": "openid profile read write email",
  "state": "1299139105028949"
}

but in all the examples they only pass the access_token to the resource provider when calling the service.

$.ajax({
    url: 'http://localhost:2727/Account/123/Get',
    headers: {
        Authorization: "Bearer " + $scope.response.access_token
    }
})

Assumption

If I've got this right, I authenticate with the access token. Then I authorize based on claims in the id_token (I don't want to make a separate DB call - I want it fully self-contained).

Question

How would I pass this information to my WebAPI2 endpoint via ajax (assume I've set up CORS etc.) and what middleware would I have to hook up to validate it? (I'm guessing one of the Token Validators and a claimsManager, but there are so many I can't decide which one is the right one to use.)

Help very much appreciated

asked Oct 8, 2014 at 14:40 by Peter Lea

2 Answers

The id_token is for the client - it has to be validated by the client (or by the identity token validation endpoint in idsrv if the client does not have the necessary crypto libraries). Afterwards you use the access token to access the resource.
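
The split described in this answer, as an added example (not part of the original post or of IdentityServer): the client checks the id_token's claims for itself, and only the access_token goes into the Authorization header. The issuer, client id and nonce values are assumed; signature verification is left to a JOSE library or the identity server's validation endpoint mentioned above, and the claim checks below only make sense after that has passed.

```javascript
// Added example, not from the question or answers. Node-style Buffer is used
// for base64url decoding; in a browser, atob() with the same URL-safe fixups works.

function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Returns the decoded JWT payload, or throws if the compact form is malformed.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// OIDC id_token checks the client itself is responsible for: issuer, audience,
// expiry and the nonce it sent in the authorize request. `expected` holds the
// assumed issuer/clientId/nonce; `now` is seconds since epoch (injectable).
function validateIdTokenClaims(idToken, expected, now) {
  const c = decodeJwtPayload(idToken);
  if (c.iss !== expected.issuer) return { ok: false, reason: "issuer mismatch" };
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(expected.clientId)) return { ok: false, reason: "audience mismatch" };
  if (typeof c.exp !== "number" || c.exp <= now) return { ok: false, reason: "expired" };
  if (c.nonce !== expected.nonce) return { ok: false, reason: "nonce mismatch" };
  return { ok: true, claims: c };
}

// Builds the header for the resource call: only the access_token leaves the
// client, and only when the token response actually declared a Bearer token.
function buildAuthHeader(tokenResponse) {
  if (!/^bearer$/i.test(tokenResponse.token_type)) throw new Error("unexpected token_type");
  return { Authorization: "Bearer " + tokenResponse.access_token };
}

// Constructed sample id_token: real base64url JSON header and payload, but a
// placeholder signature, so it would (correctly) fail any signature check.
function makeSampleIdToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(payload) + ".placeholder-signature";
}
```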

It seems you use AngularJS, so you can use the $http service to set the token in the header.

For example:

$http.post("/login", credentials).then(function(response) {
    // $httpProvider is only injectable in a config block; at runtime the same
    // defaults are reachable through $http.defaults. The token is in response.data.
    $http.defaults.headers.common["Authorization"] = "Bearer " + response.data.access_token;
});

You have to do this once per session.

UPDATE

With jQuery, something like this:

// This represents the token response you got after login
var authToken = {
    "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
    "token_type": "Bearer",
    "expires_in": "3600",
    "scope": "openid profile read write email",
    "state": "1299139105028949"
};

$.ajax({
    url: "http://localhost:2727/Account/123/Get",
    type: "get",
    dataType: "json",
    beforeSend: function (request) {
        // Only the access token is sent to the resource server
        request.setRequestHeader("Authorization", authToken.token_type + " " + authToken.access_token);
    }
});