Using cookie for resource server authorization
a-a-k opened this issue
Version
3.x
Question
I have a separate Auth Server powered by OpenIddict and an ASP.NET Core MVC client on another host. The MVC views are combined with AngularJS code, and we can't call it a SPA (legacy code we need to migrate). There is an ASP.NET Core Web API as the resource server on yet another host. Our MVC controllers are decorated with [Authorize] attributes, and the API endpoints are protected as well. The resource server is requested from AngularJS only.
The question is: how can I request some endpoint using the MVC auth cookies? I've discovered the Zirku project and, as I suppose, I configured introspection for the resource server correctly, but if I use OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme it raises an error about "bearer token is missed". If I change the scheme to cookie, it gets redirected to the login page.
RFC 6750 strongly discourages flowing access tokens using cookies due to the CSRF risk: https://datatracker.ietf.org/doc/html/rfc6750#section-5.3
That said, nothing prevents you from writing your own event handler to support that. See https://github.com/openiddict/openiddict-core/blob/80f29a7f546fb7ca3f6481e527f879f7420c6ff2/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandlers.cs#L126-L175 for an example of how it can be extracted.
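As an added illustration of the maintainer's suggestion (this is not OpenIddict's own code and not the questioner's), here is an OpenIddict 3.x validation event handler for the resource server that reads the access token from a cookie when no Authorization header carries one, modelled on the built-in Authorization-header extractor linked above. Everything not on the page is an assumption: the cookie name __Host-access_token; that the MVC host writes the access token itself into that cookie after sign-in (the resource server cannot validate the MVC authentication ticket, only an access token it can introspect); the Token/TokenType property names on ProcessAuthenticationContext and the descriptor order, which follow the 3.x built-in handler; and the X-Requested-With header check, added here so the cookie is only honoured for XHR calls the AngularJS code makes deliberately, as a mitigation for the CSRF risk the RFC reference points out.

```csharp
// Added example, not OpenIddict's code: a custom validation handler that falls back
// to an access token stored in a cookie. Assumed names are marked below.
using System;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Validation;
using OpenIddict.Validation.AspNetCore;
using static OpenIddict.Validation.OpenIddictValidationEvents;
using static OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlerFilters;

public sealed class ExtractAccessTokenFromCookie : IOpenIddictValidationHandler<ProcessAuthenticationContext>
{
    // Assumed cookie name. The __Host- prefix makes the browser enforce Secure,
    // Path=/ and no Domain attribute, so the cookie cannot be planted by a sibling host.
    private const string CookieName = "__Host-access_token";

    // Assumed custom header: a cross-site form post or top-level navigation cannot set it,
    // and a cross-origin XHR that tries to would first have to pass a CORS preflight.
    private const string RequiredHeader = "X-Requested-With";

    public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
        = OpenIddictValidationHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
            .AddFilter<RequireHttpRequest>()
            .UseSingletonHandler<ExtractAccessTokenFromCookie>()
            // Assumed ordering: run just after the built-in Authorization header extractor,
            // so a bearer header still wins when both are present.
            .SetOrder(OpenIddictValidationAspNetCoreHandlers.ExtractAccessTokenFromAuthorizationHeader.Descriptor.Order + 250)
            .SetType(OpenIddictValidationHandlerType.Custom)
            .Build();

    public ValueTask HandleAsync(ProcessAuthenticationContext context)
    {
        if (context is null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        // A token was already resolved by an earlier handler: leave it untouched.
        if (!string.IsNullOrEmpty(context.Token))
        {
            return default;
        }

        var request = context.Transaction.GetHttpRequest()
            ?? throw new InvalidOperationException("The ASP.NET Core HTTP request cannot be resolved.");

        // CSRF guard: only honour the cookie when the caller marked the request as XHR.
        string marker = request.Headers[RequiredHeader];
        if (!string.Equals(marker, "XMLHttpRequest", StringComparison.Ordinal))
        {
            return default;
        }

        if (!request.Cookies.TryGetValue(CookieName, out var token) || string.IsNullOrEmpty(token))
        {
            return default;
        }

        // Assumed 3.x property names: hand the token to the rest of the pipeline
        // (introspection or local validation) exactly as the header extractor does.
        context.Token = token;
        context.TokenType = OpenIddictConstants.TokenTypeHints.AccessToken;

        return default;
    }
}

// Registration on the resource server (Startup.ConfigureServices or Program.cs):
//
//   services.AddOpenIddict()
//       .AddValidation(options =>
//       {
//           // ... existing introspection / issuer configuration from the Zirku sample ...
//           options.AddEventHandler(ExtractAccessTokenFromCookie.Descriptor);
//       });
```

The handler is deliberately a fallback: it never overrides a token supplied in the Authorization header, and it returns without setting anything when the marker header or the cookie is absent, so the existing "missing token" rejection still fires for requests that carry neither. The AngularJS code needs to send the X-Requested-With header on every call to the API, and the cookie should be written with HttpOnly, Secure and a SameSite attribute by the host that obtains the token.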