Hello,
I am new to OpenIddict. recently had a chance to work with this framework and decided to extend OpenIddict server UI (used ASP.NET Core 3.1 and latest OpenIddict)
Added one more page to display the list of all registered applications. ( used https://datatables.net/ grid to visualise this list)
The grid gets data from a server using ajax, it is all worked fine on localhost until I placed this code under IIS server. Now main UI works fine, but grid can’t obtain data from server using ajax, it is getting “Unauthorized” response! If I manually open ajax url in a browser last one asking me to enter credentials again and after that grid works fine!.
The code is very simple, controller has HTTPGet function which returns json reponse. Grid using ajax such:
ajax: {
url: subDomainPrefix + '//ClientApplication/List',
xhrFields: { withCredentials: true },
cache: false,
type: "GET",
dataType: "json"
}
Would be really appreciated if anybody could advise how to fix it.
Hey,
How do you attach the bearer token to your AJAX request? withCredentials: true is generally used for cookie authentication, not token authentication.
Ok, this is what I missed. Got two questions in this case - how can I attach the bearer token to the ajax header request?
Is that correct way of doing this:
headers: { Authorization: 'Bearer '+token } ?
Also how can I expose the token on client side?
For question 1: check the documents for your JavaScript library.
For question 2: use your JavaScript library to request a token from the token endpoint, for example, via the hybrid flow.
Someone may suggest you use the code flow or password flow. But remember that, a public (like a SPA or traditional Browser Frontend) client cannot hold the client secret.
@kinosang FYI, the code and password flows can also be used by public clients without having to send a secret (even a fake one) 😃
thank you for the advises. Basically i tried to extend Aridka example (server part), I thought if User already authorised on a server the browser should keep valid token and I could extract it and reuse in my ajax request.
Most helpful comment
@kinosang FYI, the code and password flows can also be used by public clients without having to send a secret (even a fake one) 😃