Is it possible to use tokens for API and cookies for MVC in the same app? #487
Yes, it's possible. You do need to stitch together the proper configuration. Look at some of the samples for this if you're stuck.
Haha, thanks @brockallen. Any more clues than that? Presumably you're being abrupt because I've missed something obvious on some documentation somewhere.
Actually, the SPA template also isn't a bad sample to start with, except they're using the embedded OAuth2 authorization server -- so you'd just rip that out and use external bearer tokens instead (as per our samples). Sample repo is here: https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples
I'm still struggling with this. Using the following config works to a point: I can authenticate with the API using just a token, and I can authenticate with the MVC controllers using a cookie. However, I can still authenticate against the API with the cookie, and I don't want to be able to do that; it means I have to handle XSRF somehow. I'd rather just use a token for API access. If I call
In the
I've added
Should the following line be done inside the
I've tried it inside the map and outside the map. Still 401. A CORS request to a different endpoint (which is set up as token only) using the same token works, so the token is valid.
Removing the Authorize attribute from the endpoint allows me to call it, so it's not a routing issue.
I found this helpful guide which explains why I'm removing the default authentication and adding my own. http://brockallen.com/2013/10/27/host-authentication-and-web-api-with-owin-and-active-vs-passive-authentication-middleware/
The access token validation MW did not use the
I was using slightly different versions of some NuGet packages, but everything is consistent now and I'm still getting the same issue. So what authentication type am I supposed to use if not
Presumably the access token is just an OAuth token once the OpenID steps are completed.
In my map I have the following.
If I include the following lines the API call returns a 403 now instead of a 401. Does this point to some other configuration error?
My nuget package versions are as follows...
I think I've only included the appropriate ones.
Does the 403 have an "insufficient_scope" error message?
Ahh, it does yes.
The token has the scope which is defined in this though because the same scope is required in my CORS API which works correctly.
This is fun. I'm getting a 401 again. I think I made a mistake earlier; I seem to get the 403 when I don't call
Okay, I think I've got it worked out. I've got two clients defined, one for the MVC server side application using a hybrid flow and another one for the JavaScript application using an implicit flow. The token validation endpoint must have been expecting a token issued to my MVC application but it was returning a 401 when it received a token from my SPA. I thought that the token issued by identity server would work for any API which is configured to use my identity server as the authority so long as the token contained the appropriate scope. I've switched to a hybrid flow and now all 3 scenarios work: MVC Views with OWIN redirecting, WebAPI access via token and also CORS request with the same token. Thanks for all your help everyone.
Thanks for sharing. I wondered if you could point me in the right direction but my scenario is
On Wed, Oct 29, 2014 at 10:47 PM, B3nCr [email protected] wrote:
I don't think you want to use the ClientCredentials flow to talk app to app for admin functionality. It'll still be a user who is performing the admin actions. You could map your admin API separately to your main API and require a different scope, but I don't think that's how Identity Server works. I don't know yet if there's a way to deny certain users certain scopes. You probably want to do claims transformation when your admin user successfully logs in/authenticates with your API. Map the identity server identity to a local user and store privilege information within your app. Perhaps one of the contributors to the project knows which sample is best. I've mostly been following documentation and blogs rather than code samples.
@B3nCr I am having a very similar issue and wondered if you could just update your final changes to get this working? For the two clients you just switched the Flow to Hybrid in both? I think I am missing something small and just have not put my finger on what it is yet. Thanks, J
@jake1164 Yes I did. I changed the two clients into one client. The AngularJS application and the MVC application were both running on the same domain, so they're both a single app according to Identity Server. One other thing I had to change was I needed to set the
I created a distilled sample to show people at work: a site which used the cookie middleware to authenticate an ASP.NET MVC view and a token for use in an AngularJS application, which can be used to call a local API (in the same project as the view) and also make a CORS request to another API. I was planning on sharing it in a GitHub repo; I'll do it tonight.
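The configuration this thread converges on (cookie plus OpenID Connect hybrid flow for the MVC views on the root OWIN pipeline, a bearer-token-only Web API branch under app.Map, one client for MVC and the SPA, and SuppressDefaultHostAuthentication so the MVC cookie can no longer satisfy the API's [Authorize]), written here as an added C# example and not taken from the sample repo. The Authority, client id, scope name and redirect URI are placeholders, and the AccessTokenValidation namespace and the explicit AuthenticationType property are assumed from the v3 package; check them against the version you have installed.

```csharp
using System.Web.Http;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Thinktecture.IdentityServer.v3.AccessTokenValidation; // namespace assumed; depends on package version

public class Startup
{
    // Placeholder values: replace with your own IdentityServer host, client and site.
    private const string Authority = "https://idsrv.example/core";
    private const string ApiScope = "myapi";

    public void Configuration(IAppBuilder app)
    {
        // Root pipeline: cookie + OpenID Connect (hybrid flow) for the MVC views.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = Authority,
            ClientId = "mvc-and-spa",             // one hybrid client serves both MVC and the SPA
            RedirectUri = "https://localhost:44300/",
            ResponseType = "code id_token token",
            Scope = "openid profile " + ApiScope,
            SignInAsAuthenticationType = "Cookies"
        });

        // Branch pipeline for /api. The cookie middleware above still runs for these
        // requests (it sits earlier in the root pipeline), so Web API must be told to
        // discard that host principal and re-authenticate with the Bearer middleware only.
        app.Map("/api", api =>
        {
            api.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = Authority,
                AuthenticationType = "Bearer",       // assumed settable; must match the filter below
                RequiredScopes = new[] { ApiScope }  // token without this scope => 403 insufficient_scope
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            config.SuppressDefaultHostAuthentication();                 // cookie principal no longer satisfies [Authorize]
            config.Filters.Add(new HostAuthenticationFilter("Bearer")); // only a valid access token does
            api.UseWebApi(config);
        });
    }
}
```

With this in place a request to /api carrying only the MVC cookie gets a 401, which is what removes the need to defend the API against XSRF; a request with an access token that lacks the required scope gets a 403 with insufficient_scope.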
That would be fab
I was bored on a train so I've done it already. https://github.com/B3nCr/IdentityServer-Sample It could be a little cleaner but there's not a great deal of code, so you should be able to see everything. The authentication request in the JS app is in the register controller and identity server redirects back to the login controller.
If you want to run it you'll have to generate your own certificates and set up IIS.
@B3nCr Thanks very much for your sample. I had a bit of head-scratching to work out how to create and install the right certs and configure IIS, but got it running in the end. For anyone else trying to run the sample, here's a brief run-down of the steps I needed:
I also needed to change the SSL ports as they conflicted with some pre-existing Thinktecture samples.
Just in general - I would recommend separating web app and API - that way you don't run into the whole cookie vs token isolation issue and the related configuration complexity.
For a single page app does the CORS configuration complexity in the API not cancel out the
I guess with a separate API you have other pros/cons. You can scale the API separately from the UI (in a single page app) for example.
Well - I just think you should treat front end and back end as separate entities. Both approaches have their ups and downs of course.
@B3nCr In your sample SuppressDefaultHostAuthentication is commented out. Is that intentional? The thread emphasizes its importance to avoid needing to mitigate XSRF yourself. I am in a similar boat. I started this journey with the MVC sample, which was great, but I also need to expose several API endpoints for user registration for my identity provider. I have heavily customized the views (displaying custom user logins based on the originating source) and it is all working great except for the melding of the API using UseIdentityServerBearerTokenAuthentication and the MVC front end using UseOpenIdConnectAuthentication.
It's months since I've looked at this so I can't remember. My sample is
Can anybody point me in the direction of the working sample with separate configurations for MVC and WebAPI using IdS?
@bychkov have you looked at the clients solution (from the samples repo)? This shows an API project and many, many client applications. They're all designed to work with the sample host for idsvr from the idsvr repo.
I've been struggling with getting my API to read the bearer tokens coming in from my Angular app. I've followed the suggestions here, but when the API call is made via Angular to the API it only lets me reach the API if I use the AllowAnonymous attribute. Once inside, the Principal Identity looks to have 1 item, but it is missing all related claims and authenticated is false. If I try to use the Authorize attribute or ResourceAuthorization attribute, both do not work and result in a 401 returned to the app. The API is separated from the hosting MVC app and mapped in via the OWIN AppBuilder Map. I followed the above suggestions, but I'm not getting the same results. Using Fiddler I can see the bearer token in the HTTP request, so I know that it is reaching the server. Any ideas on how to further troubleshoot this? I'm at a loss. I had this issue open as well. It is for the same issue, but I originally thought there was a problem with the ResourceAuthorization attribute. After pulling down the source and stepping into the CheckAccess I found the Principal was not being set correctly, which was causing the failure. https://github.com/IdentityModel/Thinktecture.IdentityModel/issues/122 Ideas anyone? Thanks in advance.
One more note. I've scrubbed through all the sample projects trying to find one with a similar structure. Is it possible this issue stems from my API project being a separate class library vs. a hostable API project? I originally saw this structure used in the Identity Manager and liked how it allowed for project separation, but still ran as part of the hosting project. It would be similar to how the identity server is mapped into a web project.
The question is all in the title really.
I've got a single page app that I'd like to serve using MVC. It calls an API that I'd like to include in the same application so that we don't have to deal with CORS. It seems an unnecessary extra HTTP request to call OPTIONS when I can host the API in the same MVC site.
Is it possible to have API controllers and MVC controllers in the same project and have the API controllers authenticated using a token and MVC controllers authenticated using a cookie?
I've noticed the following in the WebApiConfig class of a new WebAPI project.
This method isn't available in my combination project, presumably because it's got a later version of OWIN.OAuth package.