
AJAX calls within MVC and Identity Server

I have been playing with Thinktecture IdentityServer3 and am keen to use it as the product looks great. However, I don't fully understand how to accomplish my flow which is probably fairly common:

  • Create Identity Server using Implicit flow
  • Set up an MVC web site
  • Set up a separate Web API

So far so good, as demonstrated in the examples on the site. I now wish to call the API using AJAX calls directly but for this I need an access token. It seems like a large overhead to have to route these through the MVC site itself (again, in the examples).

How can I accomplish this flow? Would it essentially blend the MVC and JavaScript Client samples or is there a smoother way so the user only has to sign in once? Perhaps send the access token in a hidden field but then how would it renew?

Any help on understanding this would be great.

chris asked Jan 20 '26 16:01


1 Answer

I've managed to come up with a solution which seems to work, not sure if it's best practice though...

  • Expose a method on the MVC site at AJAX/AccessToken
  • Method should be locked down with Authorize attribute to ensure the MVC part of the site is authenticating properly with IdentityServer
  • Method returns the user's Access Token which was generated through the above call via MVC controllers
  • In JavaScript, simply use this endpoint to get an Access Token and then call the API manually
  • The call to get the Access Token should be secure as it's within the same domain/authentication model as the MVC site itself

I've put up a sample here for anyone interested: OIDC-Website

chris answered Jan 23 '26 20:01
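The browser side of the steps in the answer above, as an added example that is not part of the original answer or its linked sample. It assumes the `AJAX/AccessToken` endpoint returns JSON of the form `{"access_token": "..."}` and that the Web API answers 401 for an expired token; the factory name `createApiClient` is hypothetical. It goes one step beyond the answer by asking the MVC site for the token again after a 401, which only helps if the MVC site can hand out a newer token by then.

```javascript
// Added example: browser-side client for the token endpoint described above.
// Assumptions: /AJAX/AccessToken returns JSON {"access_token": "..."} and the
// Web API answers 401 once the token is no longer accepted.
function createApiClient(fetchImpl, tokenUrl = '/AJAX/AccessToken') {
  let token = null;    // held in memory only, never in a hidden field or localStorage
  let pending = null;  // shared promise so parallel calls trigger one token request

  async function requestToken() {
    // same-origin: the MVC authentication cookie is sent, and only to our own site
    const res = await fetchImpl(tokenUrl, {
      credentials: 'same-origin',
      cache: 'no-store',
      headers: { Accept: 'application/json' },
    });
    // An error status or an HTML body (login page) means the MVC session is gone
    const type = res.headers.get('content-type') || '';
    if (!res.ok || !type.includes('application/json')) {
      throw new Error('MVC session not authenticated (status ' + res.status + ')');
    }
    const body = await res.json();
    if (typeof body.access_token !== 'string' || body.access_token === '') {
      throw new Error('Token endpoint returned no access_token');
    }
    return body.access_token;
  }

  function getToken() {
    if (token) return Promise.resolve(token);
    if (!pending) {
      pending = requestToken()
        .then((t) => { token = t; return t; })
        .finally(() => { pending = null; });
    }
    return pending;
  }

  // Call the Web API with a bearer token; on 401 drop the token and retry once.
  async function callApi(url, options = {}) {
    for (let attempt = 0; ; attempt++) {
      const bearer = await getToken();
      const headers = { ...options.headers, Authorization: 'Bearer ' + bearer };
      const res = await fetchImpl(url, { ...options, headers });
      if (res.status !== 401 || attempt === 1) return res;
      if (token === bearer) token = null;  // rejected by the API: ask the MVC site again
    }
  }
  return { callApi };
}
```

In a page this would be created once with `createApiClient(window.fetch.bind(window))`; the token endpoint itself should send `Cache-Control: no-store` so the response is not kept by the browser or an intermediary.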