
Given the following parties:

Browser based client
ASP.Net MVC 4 web application
ASP.Net Web API service
Security Token Service (STS) i.e. Thinktecture IdentityServer
(note: Web application and WebAPI service live on different boxes)

I would like to get a flow similar to this working:

User navigates to the WebApp, application does not see a valid token in the request and redirects user to be authenticated with the STS. User logs in to the STS and upon successful authentication is redirected back to the WebApp. The WebApp sees the valid token and grants the user access. User attempts to conduct an operation on the WebApp which requires a service call to the WebAPI. The WebApp passes the user's token along on the service request. WebAPI service sees the token, disallows access and returns an error, or authorizes the request on behalf of the user and returns a result.

Additionally, I would like the client to be able to make a service call directly to the WebAPI service via an AJAX call.

So far I can get the flow working with the Web Application redirecting to the STS and back, but how do I pass the token along from the Web App to the Web API service?

Also, how do I get the JavaScript client to pass the token along on the AJAX call?

2 Answers


Well - you can do that immediately, if you work with SAML.

The web site login returns a SAML token, the saveBootstrapContext features saves the token for later use - and you can forward it to your web api.

In Web API you can consume SAML using thinktecture identitymodel. For AJAX calls, provide a way to retrieve the SAML token from JS and send it on the authorization header to the Web API.

This is not optimal. But for doing JWT all the way through (which would be the preferred way) - some bits are missing right now (e.g. IdSrv only has support for symmetric signatures right now, my JWT handler does not support bootstrap context, MS JWT handler and symmetric signatures via config are a problem as well).

I am working on this. But for now this scenario has some rough edges.


1 Comment

Well - certainly not a cookie. The various components live on different boxes (and potentially different domains - if not today - maybe tomorrow).
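The forwarding the first answer describes, as an added example (not code from the question, the answer or Thinktecture): an MVC 4 controller that reads the SAML token WIF kept as bootstrap context, forwards it to the Web API in an Authorization header for the server-side call, and exposes it to the page's JavaScript for the AJAX case. It assumes web.config has `saveBootstrapContext="true"` on `<identityConfiguration>`, a placeholder API URL, and that the Web API's authentication configuration registers the header scheme name "Saml2" (an assumed name).

```csharp
// Added example, not code from the question, the answer or Thinktecture. Assumes
// <identityConfiguration saveBootstrapContext="true"> in web.config and that the
// Web API accepts the SAML token under the (assumed) Authorization scheme "Saml2".
using System;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Xml;
[Authorize]
public class OrdersController : Controller
{
    // The SAML token the STS issued for this user, base64-encoded for a header,
    // or null when saveBootstrapContext is off (BootstrapContext is then null).
    private static string GetBootstrapToken(ClaimsIdentity identity)
    {
        var ctx = identity.BootstrapContext as BootstrapContext;
        if (ctx == null) return null;                             // saveBootstrapContext is off
        var sb = new StringBuilder(ctx.Token);                    // raw XML when WIF kept it...
        if (ctx.Token == null && ctx.SecurityToken != null)       // ...otherwise re-serialize it
            using (var w = XmlWriter.Create(sb)) ctx.SecurityTokenHandler.WriteToken(w, ctx.SecurityToken);
        if (sb.Length == 0) return null;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(sb.ToString()));
    }
    // Server-side call: forward the user's own token to the Web API on the other box.
    public async Task<ActionResult> Index()
    {
        var token = GetBootstrapToken((ClaimsIdentity)User.Identity);
        if (token == null) return new HttpStatusCodeResult(500, "saveBootstrapContext is not enabled");
        using (var client = new HttpClient { BaseAddress = new Uri("https://api.example.invalid/") }) // placeholder
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Saml2", token);
            var response = await client.GetAsync("api/orders");
            response.EnsureSuccessStatusCode();                   // 401 from the API surfaces here
            ViewBag.Orders = await response.Content.ReadAsStringAsync();
            return View();
        }
    }
    // AJAX case: page JavaScript fetches this value and sends it in its own Authorization header.
    [OutputCache(NoStore = true, Duration = 0)]                   // keep the token out of caches
    public ActionResult Token()
    {
        var token = GetBootstrapToken((ClaimsIdentity)User.Identity);
        return token == null ? (ActionResult)new HttpNotFoundResult() : Content(token, "text/plain");
    }
}
```

On the Web API side the same base64 value is what the Thinktecture handler reads from the Authorization header; the scheme string must match whatever that side's configuration registers.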

If both services live on the same domain, you can use a cookie.
