Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Question on web api 2 #607

WilliamDoman opened this Issue · 4 comments

2 participants


I have a mvc website using identity server for authentication. Its setup using a saml2 token and has been very stable and works well for a while now. Thank you!!!

Now we would like to expand a little with the token security.

I would like to setup a Web API project. What is the mechanics to let the mvc site use the api? Its "cached" on the server side with all the claims. How is a token passed or re-authenticated?

We would also like to open the api up to approved out side applications (Partners). I think that follows under the authorization server, but what type of flow or logic path would I need to investigate such that the outside partner would have a token (client secret?) of some sort that identified the partner and a user login and password to identify the person? I don't want the prompt. It seems really odd in a business to business scenario.



token is passed through the header.

It sounds like you want resourceownerpasswordflow on the outside applications (partners) stuff, so you may want to use IdSrv for your apps in-house, and AuthSrv for your 3rd party partners. You can then apply scopes to their integration and what areas of the system they can/cannot access to get a rough cut of what they can do. You'll probably have to do finer grained permissions within your application, as we did, but the scopes give a nice rough-cut of things.


@dealproc, Sorry I'm a bit new to this.

As for token is passed through the header, does you mean I would send down the saml token to the browser and send it back in something like a ajax header? Wouldn't I want that to be a jwt bearer token instead? Can I convert tokens?

Something like

 beforeSend: function (xhr) {
                    xhr.setRequestHeader("Authorization", scheme + " " + token);

Or on the server side, I would create an http client and something like this? (Not tested)

            var client = new HttpClient
                BaseAddress = _baseAddress
            client.SetToken("SAML", token)
            // or this but I don't have a bearer

I'll have to look at the resourceownerpasswordflow stuff. For my clarity, I thought scopes were essentially permissions but you speak about them as if they are a bit higher. If that's the case, what gives you the more precise permissions? With auth server can I still have something like a claimsAuthorizationManager ?? In one of the examples I saw these attributes. Is that the magic?

        [ResourceActionAuthorize("action", "resource")]
        public string Get()
            return "ok";
@WilliamDoman WilliamDoman reopened this

Sorry... if you're doing this with a javascript application, that is Implicit authorization, as i recall. You have to redirect your app to either Identity Server or Authorization server, and when that system redirects back to your *.js app, you have to capture the token it puts in the querystring and subequently post that token to your web service (as you have shown).

Scopes, from my understanding thus far (I'm new to all of this as well... @brockallen or @leastprivilege correct me if i am wrong here) are a rough-cut of permissions... basically saying, for third party API users, what portions of the site that the 3rd party is permitted access to. You then implement the ClaimsAuthorizationManager with your custom logic so you can get finer grained permissions on your site. You may even need to employ a ClaimsTranformation on the initial token as part of the pipeline to get to your service, so you can properly load up the right permissions, per application.

We had to do custom work with claims transformation, since we needed to have really crazy fine grained control of permissions per action (e.g. i can only act on account 'x' and run reports, but account 'y', i am an administrator of.)

I know Brock/Dominick have a lot on their respective blogs on most of what you are struggling with... most of it is a good read, and a good starting point.


I'm not sure yet how they want to go from the MVC website to the API yet. JS or Controller actions, so I was questioning both. =)

I'm been reading the blogs, and watching the videos and I agree, great stuff. VERY GRATEFUL of Brock and Leastprivilege .

I will continue to muddle with your suggestions. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.