Skip to content
This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

In the MVC CodeFlowClient Manual where is it storing the Token Information #504

Closed
skatukojwala opened this issue Nov 7, 2014 · 4 comments
Assignees
Labels

Comments

@skatukojwala
Copy link

I am trying to understand how this Code Flow is working with Flows.AuthorizationCode. Once the client "MVC CodeFlowClient" Authenticates User where is it storing the ID Token and Access-Token Information for subsequent requests. From the Client Configuration it looks it is using AccessTokenType = AccessTokenType.Reference. How does this reference token works?.

When the controller is created to call the service, I see that we are getting Access Token from Claims Principal. How is this Claims Principal getting created with this information?. As far as I understand the ClaimsPricipal is only valid per HTTP Request Session, How is this Claims Principal with token information is getting created.

var principal = User as ClaimsPrincipal;
var client = new HttpClient();
client.SetBearerToken(principal.FindFirst("access_token").Value);

Any insight into this would be helpful. By any chance is this information stored in the Cookie?.

Also The sample seems to be failing to call the service with 401 Unauthorized HTTP responses error, Do we need to setup something to get the sample working?.

@leastprivilege
Copy link
Member

Yes the information is stored in the cookie. The ClaimsPrincipal gets automatically created from the claims in the cookie on every request.

The sample API requires a scope of 'read' or 'write' - when you request one of those scopes, you should be able to call it.

@skatukojwala
Copy link
Author

Thank you for the response.
We came across some interesting information about Cookies http://sitr.us/2011/08/26/cookies-are-bad-for-you.html and trying to see if there any different mechanism that we can use these tokens.

@leastprivilege
Copy link
Member

I think you are confusing the mechanisms here. Cookies are indeed not recommended for authenticating API access. I am using the cookie as a state management mechanism.

@skatukojwala
Copy link
Author

Sure, I got that. Thank you.

The ClaimsPrincipal holds state information like Access-Token and Claims etc., and this is later saved into cookie which is later used in subsequent requests.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

2 participants