locked
Knockout.js, MVC Website, Web API, Bearer Tokens and ASPXAUTH Cookie - missing link! RRS feed

  • Question

  • User-331009151 posted

    Hi, I am trying to configure the following individual projects

    MVC Website

    Web API

    Identity 2

    I created the website with no default user account management. (added in minimum forms authentication after)

    I created the Web Api with individual user accounts and configured use with CORS, OWIN, Identity2

    I abstracted the majority of Identity out into Identity 2 project.

    I have managed to get them to almost play nicely. I can login from the web app and perform a call to the web api to authenticate and return a bearer token to my controller which I then use in my FormsAuthentication.SetAuthCookie. This means I have a bearer token available and I have also authenticated the web app.

    Of course the ASPNETAUTH token is http only and so is not available via javascript to get the bearer token within any of my knockout viewes to make calls to the web api. This is where I am stuck. I have a couple of options, I think:

    1. I can write an additional cookie that contains the bearer token and mark it Http only: false so that javascript can access it and then pass it to my API, doesn't smell right though.

    2. I move all of login/register/manage functionality into my web api and get the bearer token that way which I can then store in the browser sessionStorage for passing to my web api but how is the user then authenticated on the web app side with no ASPXAUTH token?

    3. How do I refresh the bearer token (this is general question)?

    4. Anybody got any other ideas/suggestions/examples or links that may help me? Just this missing link is stopping me in my tracks and I am sure there is a simple answer but I am blinded by confusion now.

    Any help greatly appreciated!

    Tuesday, December 6, 2016 8:39 PM

Answers