
Cross origin OAuth authentication with ServiceStack

I would like to use my API website for authentication & authorisation of users and ideally keep my UI site purely static content (html, js, css). I have configured ServiceStack's OAuth & OpenId (and credential/basic) providers, so they answer to api.mysite.com/auth/{provider} requests.

I would like users of www.mysite.com to be able to authenticate and then make calls to the API site via ajax.

The BootstrapApi example project - although very useful - demonstrates the API & website running on the same domain.

  • Is this possible/secure with a static javascript client?
  • Could I share a cookie between sub-domains?
  • Could I return the access token to the client and have it used to calculate an Authorization header before each request?

asked May 21 '13 11:05

David


1 Answer

To address your questions -

  • Is this possible/secure with a static javascript client? Yes
  • Could I share a cookie between sub-domains? Yes
  • Could I return the access token to the client and have it used to calculate an Authorization header before each request? Sure, but you may as well just use the built-in auth cookie.

It's just a matter of setting up your cookies on the top level domain, similar to what's shown @ ServiceStack - Authentication for domain and subdomains

answered Sep 23 '22 03:09

Mike Pugh
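
The cookie and CORS conditions behind the answer above, as an added example that is not part of the original post or ServiceStack's own code: it models the browser's RFC 6265 domain matching and the credentialed-CORS check for the hostnames in the question. The function names are hypothetical and the header sets in the demo are constructed samples.

```javascript
'use strict';

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain or is
// a subdomain of it. IP-address hosts and public-suffix checks are not modelled.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Would a cookie set by `setByHost` (optionally with a Domain attribute)
// be attached to a request for `requestHost`?
function cookieSentTo(requestHost, setByHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back to the exact host only.
    return requestHost.toLowerCase() === setByHost.toLowerCase();
  }
  // A server may only set Domain to its own host or one of its parents.
  if (!domainMatch(setByHost, domainAttr)) return false;
  return domainMatch(requestHost, domainAttr);
}

// Can script on `pageOrigin` read the response to a request sent with credentials?
// CORS rule: Access-Control-Allow-Origin must be the exact origin ("*" is refused
// for credentialed requests) and Access-Control-Allow-Credentials must be "true".
function credentialedResponseReadable(pageOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  return h['access-control-allow-origin'] === pageOrigin &&
         h['access-control-allow-credentials'] === 'true';
}

// Constructed demo for the question's hosts.
const ui = 'https://www.mysite.com';
console.log('host-only cookie reaches www:',
  cookieSentTo('www.mysite.com', 'api.mysite.com'));                 // false
console.log('Domain=.mysite.com reaches www:',
  cookieSentTo('www.mysite.com', 'api.mysite.com', '.mysite.com'));  // true
console.log('wildcard ACAO readable:', credentialedResponseReadable(ui, {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true' }));                    // false
console.log('exact-origin ACAO readable:', credentialedResponseReadable(ui, {
  'Access-Control-Allow-Origin': ui,
  'Access-Control-Allow-Credentials': 'true' }));                    // true
```

The ajax call from www.mysite.com must also opt in to sending cookies (`xhr.withCredentials = true`, or `credentials: 'include'` with fetch); without it the browser omits the auth cookie on the cross-origin request.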