My Layout

IdentityServer project:

  • MVC client (Implicit workflow)
  • API client (Client Credentials workflow)

WebApi project:

  • Business logic and DB access
  • Requesting only an "api" scope

MVC project:

  • Requesting "openid profile roles api" scopes
  • Requesting "id_token token"
  • Angular app accessing secure API (currently access token is not added to header)

What I'm doing

My MVC is getting secured correctly and ResourceAuthorize() works as expected. I'm currently in the process of making my Angular app add the bearer token to our API calls.

My doubts

When accessing the MVC, the user is redirected to the IdSrv, gets logged in, then redirected back to MVC. At this point, my Angular app gets loaded for the first time, and obviously I don't have or need the username and password.

The access token has already been issued, but I can't get my head around how/when to provide it to the Angular app.

My Ideas

  1. Inject it to my layout page using razor.
  2. Switch MVC to authorization code workflow and make a second trip to IdServ requesting an access token [hmm, but wait... how do I get the authorization code into Angular? I guess I'm stuck with the same issue?]
  3. Make Angular use client credentials workflow, assuming if I got to the Angular app, the user has authenticated [but then I have a security breach, right?]

Please point me in the right direction. I can't seem to find which of the samples does something similar to what I need.

Thanks in advance, Shy.

2 Answers

Ended up injecting the token along with user data using Razor, then fetching it with angular through window.user.

<script>
    // Razor: serialize the ClientSideIdentity stored in ViewBag into the page so
    // the Angular app can read it from window.user. JsonRaw is the answer's own
    // HtmlHelper (not a built-in ASP.NET MVC method); it writes the JSON unencoded.
    window.user = @Html.JsonRaw(ViewBag.User as ClientSideIdentity);
</script>

using System.Collections.Generic;

// Client-facing view of the authenticated user: only the fields the
// Angular app needs, built from the identity on the server.
public class ClientSideIdentity
{
    public string id { get; set; }
    public string username { get; set; }
    public string displayName { get; set; }
    public Dictionary<string, string> claims { get; set; }
    public string[] roles { get; set; }
}
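Two helpers around the "inject via Razor, read from window.user" approach, added here as an example and not part of the answer above: an escaper showing what a JSON-to-inline-script helper such as JsonRaw has to guarantee (a claim value containing "</script>" must not be able to close the script block), and a builder for the Authorization header the API calls need. It assumes the injected object also carries an accessToken field, which the answer's ClientSideIdentity does not list, and the sample user is constructed.

```javascript
// Escape JSON for embedding in an inline <script>. JSON.stringify alone leaves
// "<", ">", "&" and the JS line terminators U+2028/U+2029 untouched, so a
// displayName of "</script>..." would end the script early. Replacing them with
// \uXXXX sequences keeps the output valid JSON and valid JavaScript, and
// JSON.parse recovers the original value unchanged.
function escapeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Build the header an API request needs from the injected user object.
// Framework-independent so it runs stand-alone; in an Angular $http
// interceptor this is what request() would merge into config.headers.
// accessToken is an assumed field, not one from the answer's class.
function bearerHeaders(user) {
  if (!user || typeof user.accessToken !== 'string' || user.accessToken === '') {
    throw new Error('no access token available for this user');
  }
  return { Authorization: 'Bearer ' + user.accessToken };
}

// Constructed sample of what ViewBag.User might serialize to, with a hostile
// displayName claim to exercise the escaping.
const sampleUser = {
  id: '42',
  username: 'shy',
  displayName: '</script><script>alert(1)</script>',
  claims: { role: 'admin' },
  roles: ['admin'],
  accessToken: 'constructed.token.value'
};

// What the layout page would emit in place of the raw @Html.JsonRaw(...) call.
const inlineScript =
  '<script>window.user = ' + escapeJsonForScript(sampleUser) + ';</script>';
```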


You should check out the oidc-client.js package. The UserManager object provided with this package gives you access to the id and access tokens associated with the authenticated user.
