Tags: asp.net, asp.net-core, access-token, identityserver4

How to get the access_token shared between Asp.Net and Asp.Net Core applications


I am using Identity Server 4 to provide access to multiple applications, some of which are Asp.Net Core, some are classic Asp.Net (MVC & WebForms).

The applications need to share their cookie due to the design of the old WebForms application (basically the API is 'in' the Web App, so it is protected by the Web App's cookie based authentication). I'm using Data Protection to achieve the cookie sharing but this creates a separate issue.

If I login via the Core application and then navigate to the WebForms application, I don't know how to get the access_token to make calls to other APIs.

In the Core application I can retrieve it from the HttpContext:

_httpContextAccessor.HttpContext.GetTokenAsync(AuthConstants.AccessToken).Result

What is the equivalent method to get the access_token in WebForms?

For context this is my configuration for the Core application authentication:

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

services
.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.Cookie = new CookieBuilder
    {
        Domain = configuration.CookieDomain,
        HttpOnly = configuration.CookieHttpOnly,
        Name = configuration.CookieName
    };
    options.ExpireTimeSpan = configuration.AuthTimeout;
    options.SlidingExpiration = configuration.AllowSlidingAuthTimeout;
    options.DataProtectionProvider = DataProtectionProvider.Create
    (
        new DirectoryInfo(configuration.DataProtectionKeyDirectory)
    );
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Authority = configuration.AuthorizationServerUri;
    options.RequireHttpsMetadata = configuration.RequireHttps;

    options.ClientId = configuration.Client;
    options.ClientSecret = configuration.Secret;

    options.ResponseType = configuration.ResponseType;

    options.Scope.Clear();
    foreach (var resource in configuration.Scope.Split(" "))
        options.Scope.Add(resource);

    options.SignedOutRedirectUri = configuration.RedirectUri;
    options.UseTokenLifetime = configuration.UseAuthServerLifetime;

    options.SaveTokens = true;

    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = JwtClaimTypes.Name,
        RoleClaimType = JwtClaimTypes.Role
    };
});
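
With SaveTokens = true the Core cookie handler stores the tokens inside the encrypted authentication ticket, so a classic ASP.NET app that can decrypt that ticket can read them too. The following OWIN startup and helper is an added example, not code from the question or its author: it assumes the Microsoft.Owin.Security.Interop package, that both apps use the same key directory and the same SetApplicationName value, and that the cookie name and domain match the Core app's configuration (the placeholder values below stand in for those settings).

```csharp
using System.IO;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Interop;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Same key ring as the Core app's DataProtectionProvider.Create(...) call.
        // The three purpose strings are the ones the ASP.NET Core cookie handler uses;
        // "Cookies" must equal the Core app's cookie scheme name.
        var protector = DataProtectionProvider.Create(
                new DirectoryInfo(@"\\server\share\keys"),              // placeholder: shared key directory
                builder => builder.SetApplicationName("SharedCookieApp")) // assumed: same name in both apps
            .CreateProtector(
                "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
                "Cookies", "v2");

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            CookieName = ".AspNet.SharedCookie",   // placeholder: must match configuration.CookieName
            CookieDomain = "example.test",         // placeholder: must match configuration.CookieDomain
            CookieHttpOnly = true,
            // Decrypts tickets written by the ASP.NET Core cookie handler.
            TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector)),
        });
    }
}

public static class SharedCookieTokens
{
    // Reads the access_token the Core app saved into the ticket; returns null when the
    // cookie is missing, invalid, or carries no token. Call from a WebForms page as
    // await SharedCookieTokens.GetAccessTokenAsync(Context).
    public static async Task<string> GetAccessTokenAsync(HttpContext http)
    {
        var result = await http.GetOwinContext().Authentication.AuthenticateAsync("Cookies");
        if (result?.Properties == null) return null;

        // SaveTokens stores each token under ".Token.<name>" (plus ".Token.expires_at").
        result.Properties.Dictionary.TryGetValue(".Token.access_token", out var token);
        return token;
    }
}
```

The ".Token.expires_at" entry in the same dictionary tells you when the access token expires, so check it before calling the API rather than relying on the cookie's own (sliding) lifetime.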

Solution

  • Just to close this out I did not find the answer I was looking for and ended up separating the API into its own service as should have been done originally. That nullified this issue.