odata access-token identityserver3 bearer-token pre-signed-url

IdentityServer3 access token validation and pre-signed URL


I have a Web API 2 OData v3 service that is secured with IdentityServer Bearer Token Authentication / Access Token Validation. The client is a SPA application. I successfully use the oidc-token-manager.js library to authenticate and to pass in the access token in the Authorization HTTP header to regular OData CRUD operations using XMLHttpRequest.

My OData service also supports streaming for uploading and downloading files. Again, for uploading files I can pass in the access token in the Authorization HTTP header using XMLHttpRequest.

However, to download a file I would like to use an anchor tag with an href (an OData file download URL is typically of the format /odata/myfiles(1)/$value). When the user clicks on the link it should download the file (the OData service adds a content-disposition attachment header to the response).

However, there is no way to add the access token in an Authorization header for this GET request as it's created by the browser. Is it possible to add the access token as a query string to the URL in the href instead (a so-called presigned URL)? Is this even a good (secure) idea? On the server I use app.UseIdentityServerBearerTokenAuthentication in my Startup.cs, so is this capable of looking for an access token in a query string as well as an Authorization HTTP header?

Many thanks

Remco


Solution

  • You can register a "Provider" to control the logic of where tokens are expected to be located. For example:

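    // Needs: using IdentityServer3.AccessTokenValidation; using Microsoft.Owin.Security.OAuth;
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        // locate the access token from somewhere else
        Provider = new OAuthBearerAuthenticationProvider
        {
            OnRequestToken = async ctx =>
            {
                // YourCodeToFindTokenInQueryString is a placeholder for your own lookup
                ctx.Token = await YourCodeToFindTokenInQueryString(ctx.OwinContext.Environment);
            }
        },

        // ... remaining options
    });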
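
One way to write the token lookup that the answer leaves as a placeholder, shown as an added example that is not part of the original answer. A token in a URL ends up in server and proxy logs and in browser history, so this sketch only falls back to the query string for HTTPS GET requests to `/$value` download URLs. The class name `DownloadTokenLocator`, the method `FindToken` and the parameter name `access_token` are hypothetical, and it assumes the middleware has already placed any Authorization-header token in `ctx.Token` before calling the provider.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public static class DownloadTokenLocator
{
    // Hypothetical query-string parameter name; the page does not specify one.
    private const string QueryKey = "access_token";

    // Wire up with: OnRequestToken = DownloadTokenLocator.FindToken
    public static Task FindToken(OAuthRequestTokenContext ctx)
    {
        // A token taken from the Authorization header always wins
        // (assumption: the middleware fills ctx.Token before this callback).
        if (!string.IsNullOrEmpty(ctx.Token))
            return Task.FromResult(0);

        var request = ctx.Request;
        var path = request.Path.Value ?? string.Empty;

        // Accept a query-string token only for HTTPS GETs of OData media
        // streams (".../$value"), the one case where a plain link cannot
        // send a header. Behind a TLS-terminating proxy, IsSecure reflects
        // the hop to this server, so adjust the check for that setup.
        bool isDownload =
            request.IsSecure &&
            string.Equals(request.Method, "GET", StringComparison.OrdinalIgnoreCase) &&
            path.EndsWith("/$value", StringComparison.OrdinalIgnoreCase);

        if (isDownload)
        {
            var candidate = request.Query.Get(QueryKey);
            if (!string.IsNullOrWhiteSpace(candidate))
                ctx.Token = candidate;
        }

        // Every other request is left without a token and fails authentication.
        return Task.FromResult(0);
    }
}
```

The token is still validated by the middleware exactly as a header token would be; keeping its lifetime short limits the value of a copy that leaks through a logged URL.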