This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

[Question] - How to use ASP.NET Core MVC with Angular using Identity Server 4 to connect to web API #1179

Closed
praneethw opened this issue May 16, 2017 · 4 comments

praneethw commented May 16, 2017

Hi,

I am in the process of developing an application that has an MVC core app that simply loads the angular application. The angular application will then connect to a Web API to perform CRUD operations.

I'm aware it's possible to use cookie authentication in conjunction with oidc hybrid flow to generate a cookie, but not sure how the angular app can get a reference to the access token and renew it when it expires in order to connect to my web api.

I read through this article https://damienbod.com/2017/05/06/secure-asp-net-core-mvc-with-angular-using-identityserver4-openid-connect-hybrid-flow/ and watched this video https://www.youtube.com/watch?v=5OUQZAvxZuA&feature=youtu.be&t=30m40s but none of it explains how the angular app can get a hold of the access token to query other APIs.

I would greatly appreciate it if one of you could explain the best procedure to gain access to the access token, and also periodically renew it using the refresh token.

@praneethw praneethw changed the title [Question] - How to use ASP.NET Core MVC with Angular using Identity Server 4 [Question] - How to use ASP.NET Core MVC with Angular using Identity Server 4 to connect to web API May 16, 2017

jimbo74 commented May 23, 2017

We are doing something similar: we are using the oidc_client with the implicit flow, which seems to be the best fit in this situation. Note that you don't get refresh tokens with this flow, so we are using long-lived reference tokens.
Look at the JavaScript example in the samples repo for help.


praneethw commented May 23, 2017

I am currently using oidc_client at the moment with silent renew. But based on how oidc_client works I have to enable AllowAccessTokensViaBrowser = true, and it exposes the token via URL over the network regardless of HTTP or HTTPS, which I don't seem to quite fancy, as shown in bold below.

http://localhost:5002/auth/login#
id_token=<id_token>&
access_token=<access_token>&
token_type=Bearer&
expires_in=3600&
scope=openid%20profile%20webapi&
state=&
session_state=<session_state>&

Since I have my angular app served up through an MVC app, with angular fallback routes configured, I am looking for a much more robust approach of dealing with this issue, similar to what I see when the user logs in this video https://github.com/IdentityServer/IdentityServer4/issues/url.

Hence what I am in dire need of is to know, if I move on to use HybridFlow together with an MVC-backed angular app, how I can do it in a much more secure way via oidc cookie auth or by any other means, such that the MVC app can pass back the token to the client app so that it can invoke the web API when required. Any direction on token refresh is also greatly appreciated.
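
The callback fragment quoted in the comment above, handled on the client, as an added example that is not part of the thread or of the IdentityServer samples. It parses the fragment, ties the response to the request via `state`, and strips the tokens from the URL; the helper names `parseImplicitCallback` and `scrubFragment` and the sample values are constructed for illustration.

```javascript
// Constructed sample callback (placeholder tokens, not real values).
const SAMPLE_CALLBACK =
  'http://localhost:5002/auth/login#id_token=ID&access_token=AT&token_type=Bearer' +
  '&expires_in=3600&scope=openid%20profile%20webapi&state=abc123&session_state=SS';

// Parse and sanity-check an implicit-flow response carried in the URL fragment.
// expectedState is the value the app stored before redirecting to the authorize endpoint.
function parseImplicitCallback(callbackUrl, expectedState, nowSeconds) {
  const url = new URL(callbackUrl);
  // Browsers do not put the fragment in the HTTP request, but it stays in the
  // address bar and history, and any script on the page can read it.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));

  if (params.has('error')) {
    throw new Error('authorization error: ' + params.get('error'));
  }
  // Reject responses that do not belong to a request this page started.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  if ((params.get('token_type') || '').toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  const accessToken = params.get('access_token');
  const expiresIn = Number(params.get('expires_in'));
  if (!accessToken || !Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error('malformed token response');
  }
  // id_token signature and nonce checks are left to the OIDC client library.
  return {
    accessToken,
    idToken: params.get('id_token'),
    scopes: (params.get('scope') || '').split(' ').filter(Boolean),
    expiresAt: nowSeconds + expiresIn, // when to trigger silent renew
  };
}

// Return the URL without its fragment. In a browser, call
// history.replaceState(null, '', scrubFragment(location.href)) right after parsing.
function scrubFragment(callbackUrl) {
  const url = new URL(callbackUrl);
  url.hash = '';
  return url.toString();
}
```
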

@brockallen
Member

This seems to be a general question about IdentityServer - not a bug report or an issue.

Please use StackOverflow for that. This has the advantage that questions and answers can be easily found by search engines, and that there are more people answering questions than just us.

For IdentityServer3
https://stackoverflow.com/questions/tagged/?tagnames=identityserver3&sort=newest

For IdentityServer4
https://stackoverflow.com/questions/tagged/?tagnames=identityserver4&sort=newest

For commercial support
https://identityserver.io/


lock bot commented Jan 14, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 14, 2020