pass openid-connect oauth2 bearer token in header

Peter Lea · Oct 8, 2014 · Viewed 8.1k times · Source

Background

I've implemented the Thinktecture.IdentityServer.V3 (the OpenID Connect one). I've got the OAuth2 bearer token returned to my JavaScript client (implicit flow) in the form:

{
  "id_token": "eyJ0eXAiOiJKV1QiLCJh...",  // JWT
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni..", // JWT
  "token_type": "Bearer",
  "expires_in": "3600",
  "scope": "openid profile read write email",
  "state": "1299139105028949"
}

but in all the examples they only pass the access_token to the resource provider when calling the service.

$.ajax({
    url: 'http://localhost:2727/Account/123/Get',
    headers: {
        Authorization: "Bearer " + $scope.response.access_token
    }
})

Assumption

If I've got this right, I authenticate with the access token. Then I authorize based on claims in the id_token (I don't want to make a separate DB call - I want it fully self-contained).

Question

How would I pass this information to my webapi2 endpoint via ajax (assume I've set up CORS etc.) and what middleware would I have to hook up to validate it? (I'm guessing one of the Token Validators and a claimsManager, but there are so many I can't decide which one is the right one to use.)

Help very much appreciated

Answer

leastprivilege · Oct 8, 2014

The id_token is for the client - it has to be validated by the client (or by the identity token validation endpoint in idsrv if the client does not have the necessary crypto libraries). Afterwards you use the access token to access the resource.
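The split the answer describes, written out as an added example for the browser client in the question (this is not code from the question, the answer, or IdentityServer itself): the client checks the id_token's claims (iss, aud, exp, nonce, per OpenID Connect Core 1.0 section 3.2.2.11) and the state it sent, and only the access_token goes to the Web API as a Bearer header. The issuer URL, client_id, nonce and the sample token contents are assumptions; the signature check the answer refers to (RS256 against the issuer's published key, via a JOSE library or idsrv's validation endpoint) is called out in a comment and deliberately not implemented.

```javascript
// Added example, not code from the original post or from IdentityServer.
// Client-side handling of the implicit-flow response in the question:
// validate the id_token here, send only the access_token to the resource.

const ISSUER = 'https://idsrv.example.com';  // assumed issuer of the tokens
const CLIENT_ID = 'js-client';                // assumed client_id registered at idsrv

// base64url <-> UTF-8 helpers that work both in Node and in a browser.
function b64urlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  const bin = typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('binary')
    : atob(b64);
  return decodeURIComponent(Array.from(bin, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join(''));
}
function b64urlEncode(str) {
  const bin = encodeURIComponent(str).replace(/%([0-9A-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(bin, 'binary').toString('base64') : btoa(bin);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(b64urlDecode(parts[1]));
}

// id_token claim checks from OIDC Core 1.0 section 3.2.2.11 (implicit flow).
// NOT done here: verifying the RS256 signature over header.payload against the
// issuer's JWK. A real client must do that with a JOSE library (or idsrv's
// identity token validation endpoint) before trusting any of these claims.
function validateIdTokenClaims(idToken, { issuer, clientId, nonce, now = Math.floor(Date.now() / 1000) }) {
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== issuer) throw new Error('iss mismatch');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error('aud does not include this client_id');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('id_token expired');
  if (claims.nonce !== nonce) throw new Error('nonce mismatch (possible replay)');
  return claims;
}

// state must equal the value this client generated before redirecting to idsrv;
// otherwise the response was not produced for this login attempt.
function buildResourceHeaders(tokenResponse, expectedState) {
  if (tokenResponse.state !== expectedState) throw new Error('state mismatch');
  if (String(tokenResponse.token_type).toLowerCase() !== 'bearer') throw new Error('unexpected token_type');
  // Only the access_token crosses to the Web API; the id_token stays in the client.
  return { Authorization: 'Bearer ' + tokenResponse.access_token };
}

// Constructed sample response shaped like the one in the question. The
// signature segments are placeholders and are never checked in this example.
function makeSampleResponse(exp) {
  const header = b64urlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
  const idPayload = b64urlEncode(JSON.stringify({ iss: ISSUER, aud: CLIENT_ID, sub: '88421113', exp, nonce: 'n-0S6_WzA2Mj' }));
  const atPayload = b64urlEncode(JSON.stringify({ iss: ISSUER, aud: 'api', scope: ['read', 'write'], exp }));
  return {
    id_token: header + '.' + idPayload + '.sig-not-checked-here',
    access_token: header + '.' + atPayload + '.sig-not-checked-here',
    token_type: 'Bearer',
    expires_in: '3600',
    scope: 'openid profile read write email',
    state: '1299139105028949',
  };
}

function demo() {
  const now = 1412755200; // fixed clock (2014-10-08T08:00:00Z) so the run is reproducible
  const resp = makeSampleResponse(now + 3600);
  const claims = validateIdTokenClaims(resp.id_token, { issuer: ISSUER, clientId: CLIENT_ID, nonce: 'n-0S6_WzA2Mj', now });
  const headers = buildResourceHeaders(resp, '1299139105028949');
  return { sub: claims.sub, headers };  // headers is what goes into $.ajax({ headers })
}
```

In the real client, `headers` from `demo()` is what replaces the hand-built header in the question's `$.ajax` call, and `claims.sub` (plus any profile claims) is what the client uses locally; the Web API never sees the id_token and validates the access_token on its own, against the same issuer.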