1
votes

I built an Angular 4 site that sends authentication details (username/password) to IdentityServer4 and successfully receives a token back (grant type = resource owner password).

Now I want to redirect the user to another (different) ASP Core MVC site from my Angular 4 site. Somehow I cannot find a way to set up 'headers' in the redirection to pass the token as an Authorization: Bearer xxx.

I set up a cookie in the Angular site and then just window.location.href = 'www.example.com/another_site'

On MVC site I configure in Startup.cs:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ...
    ...

    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationScheme = "Cookies_Authentication",
        AutomaticAuthenticate = true,
        AutomaticChallenge = true
    });

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = "http://my_identityserver4_address:49950",
        RequireHttpsMetadata = false,
        AuthenticationScheme = "Cookies_Authentication",

        ApiName = "Protected_Api.get",
        AutomaticAuthenticate = true,
        AutomaticChallenge = true
    });
}

But I'm still receiving a 401 Unauthorized response from the MVC site. What am I doing wrong?

Maybe IdentityServer is looking for a special cookie name? I'm setting it in Angular as:

cookieService.setItem('access_token', 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImFlOWEyMzNhZDczOTUwNWI4YjJkZGE0NTNiMDE........)

2 Answers

1
votes

I think you might find your answer here: just see how the MVC app receives the token from IdentityServer and do the same thing when redirecting from your Angular app. And you need to play around with this example.

UPDATE: @jasper yes, you're right, you need to check the docs on the OAuth/OpenID thing at https://identityserver4.readthedocs.io; also check out their blog at http://leastprivilege.com

0
votes

If this other MVC app is defined as another client on the auth server, you don't have to set up anything else except configuring the cookie and authentication middleware in the Startup class, just the way you are doing already.

Basically, if the user has logged in from App A and opens another App B, it doesn't need to log in again, as it will be able to validate the existing cookies in the browser. It will just need to authenticate itself, which it will do through the back channel.
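
The cookie behaviour discussed in this thread, as an added example that is not part of the original posts: the RFC 6265 domain, path and Secure matching a browser applies before it attaches a stored cookie to a request. Host names and cookie objects are constructed for illustration, and the `hostOnly` field name is an assumption of this sketch.

```javascript
// Added example: RFC 6265 checks deciding whether a stored cookie is sent.
// All host names and cookie values below are constructed sample data.

// RFC 6265 section 5.1.3: the request host equals the cookie domain, or is a
// subdomain of it (never applied to IP-address hosts).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === dom) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + dom);
}

// RFC 6265 section 5.1.4: the cookie path is a prefix of the request path
// that ends on a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// A cookie stored without a Domain attribute is "host-only": exact host match.
// The port is deliberately not part of the decision.
function cookieIsSent(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(u.hostname, cookie.domain);
  if (!hostOk) return false;
  if (!pathMatches(u.pathname || '/', cookie.path)) return false;
  return !(cookie.secure && u.protocol !== 'https:');
}

// Cookie written by script on the SPA host with no Domain attribute.
const HOST_ONLY = { name: 'access_token', domain: 'app.example.test',
                    hostOnly: true, path: '/', secure: false };
// Same cookie written with Domain=example.test.
const PARENT_DOMAIN = { ...HOST_ONLY, domain: 'example.test', hostOnly: false };
// Development setup: SPA and MVC site on different localhost ports.
const LOCALHOST = { ...HOST_ONLY, domain: 'localhost' };

console.log(cookieIsSent(HOST_ONLY, 'http://mvc.example.test/another_site'));
console.log(cookieIsSent(PARENT_DOMAIN, 'http://mvc.example.test/another_site'));
console.log(cookieIsSent(LOCALHOST, 'http://localhost:5000/another_site'));
```

Even when a cookie does match, it arrives in the Cookie request header, not as Authorization: Bearer, and a cookie written from script cannot be HttpOnly, so any script running on the page can read the token.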