
Letting a pure HTML/CSS/JS SPA application ask the user for his username/password and pass it to ADFS?

I'm writing a fairly large application with an HTML/CSS/JS frontend, using AngularJS, and an ASP.NET MVC Web API as a backend.

I would like users to be able to authenticate. I've installed ThinkTecture AuthorizationServer on a separate machine, and there is an ADFS instance running on the Domain Controller. Currently, I'm using the web page supplied with ADFS for login, but it would be nice if I could use my own page, which would ask for the username/password combo, pass it to AuthorizationServer/ADFS, and then just use the authentication token after that.

Has anyone done something similar?

Regards, Daníel

asked Sep 25 '13 13:09 by dabs




1 Answer

In fact your user will log in to your SPA, then you have a server side (Java or .NET or *) that gets this request.

The server asks ADFS for the token, ADFS sends the token, and your server passes the token to AngularJS in the response via a cookie.

On the Angular side there is nothing to do except an HTTP interceptor to check the status of the response (401, 403) ...

The cookie will be resent automatically by AngularJS in each request. If you want to know how to implement an httpInterceptor in AngularJS, just check:

AngularJs -.net MVC WebApi Authentication example

In this thread I explain how to implement this step.

Anyway: your SPA is a RIA, OK, but it is still the client part of a webapp. I don't think that it's really good (I think it's really bad) to let the client part contact ADFS directly ... How do you prevent Man-In-The-Middle if you do that?

answered Oct 06 '22 18:10 by Thomas Pons
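The client-side half of the flow the answer describes, as an added example that is not part of the original answer: the SPA posts the username/password only to its own backend (which is the party that talks to ADFS and sets the session cookie), and an AngularJS 1.x-style HTTP interceptor reacts to 401/403 responses coming back from the Web API. The factory takes `$q` and `$location` as plain parameters so it can be run outside Angular; the routes `/login` and `/forbidden`, the backend endpoint `/api/login`, and the cross-origin `withCredentials` setting are assumptions for the example. One edge case is handled on purpose: a 401 from the login endpoint itself (wrong password) must not bounce the user to the login route, or the login page can never show its error.

```javascript
'use strict';

// Assumed backend route: the SPA's own server, never ADFS directly.
var LOGIN_URL = '/api/login';

// Send the credentials to the SPA's backend. The backend exchanges them with
// ADFS and answers with a Set-Cookie; the browser stores the cookie and
// AngularJS resends it on every later $http call.
function loginViaBackend($http, username, password) {
  return $http.post(LOGIN_URL, { username: username, password: password });
}

// Interceptor factory. In a real app, register it with:
//   app.factory('authInterceptor', ['$q', '$location', authInterceptorFactory]);
//   app.config(['$httpProvider', function ($httpProvider) {
//     $httpProvider.interceptors.push('authInterceptor');
//   }]);
function authInterceptorFactory($q, $location) {
  return {
    // Outgoing requests: nothing to add by hand; the session cookie travels
    // with the request. withCredentials is only required when the API sits on
    // a different origin than the SPA (assumption for this example).
    request: function (config) {
      config.withCredentials = true;
      return config;
    },

    // Incoming error responses: map auth failures to SPA routes.
    responseError: function (rejection) {
      var failedUrl = rejection.config && rejection.config.url;
      var isLoginAttempt = failedUrl === LOGIN_URL;

      if (rejection.status === 401 && !isLoginAttempt) {
        // No valid session cookie: send the user to the SPA's own login page.
        $location.path('/login');
      } else if (rejection.status === 403) {
        // Authenticated but not authorised for this resource.
        $location.path('/forbidden');
      }
      // Always propagate, so the caller's own error handler still runs
      // (the login page uses this to display "wrong username or password").
      return $q.reject(rejection);
    }
  };
}
```

The interceptor never sees the ADFS token itself: the token lives in the cookie the backend set, which is the point of keeping the ADFS exchange server-side. Requests other than 401/403 (a 500, a timeout) pass through untouched.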