Enabling downstream api calls before login (and other related issues) #4902
Justincale asked this question in Q&A (unanswered)
Hi guys,
I am integrating an existing system into Oqtane as a set of modules. The whole thing consists of:
What I am struggling with:
1. The way the OIDC and token framework has been implemented in Oqtane means I only get a _siteState.AuthorizationToken if a user has logged in. This is an issue for my implementation, as the API has endpoints which only need information regarding the client and can be called without an authenticated user. Previously, I generated a token by making a client_credentials call to the identity server, which would then be passed to the API.
2. (SOLVED'ish) I am sure this has more to do with my lack of knowledge, but outside of Oqtane access tokens get passed directly to the API as a JWT. Using the Oqtane framework, the access token gets passed as a claim inside of the JWT (claim type = "access_token"). I kind of understand that from Oqtane's point of view this access token is meant for the API and shouldn't be read by the client, but I am really struggling to figure out how I decode this in the API. It just comes in as a claim type whose value is an encoded JWT. Shouldn't the claims inside of this JWT be part of my ClaimsPrincipal on the API end? As I say, I think this is due to my poor knowledge of these things, but any help here would be greatly appreciated as it's driving me nuts.
The above point 2 was solved by reading the access_token claim on the client side from "_accessor.HttpContext.User.Claims", and setting that as the bearer token of an HttpClient. Although this works, I'm still uncertain as to why Oqtane RemoteServiceBase isn't already doing this?
I'm wondering if RemoteServiceBase could be updated to:
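The workaround described for point 2, written as an added example that is not part of the original post and not Oqtane's own code: a `DelegatingHandler` that copies the inner token from the "access_token" claim into the `Authorization` header of outgoing calls. The handler name, the named client "DownstreamApi" and the base URL are hypothetical.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical handler (not an Oqtane type): forwards the signed-in user's
// access token to the downstream API as a standard bearer token.
public sealed class AccessTokenClaimHandler : DelegatingHandler
{
    // Claim type as named in the post above.
    private const string AccessTokenClaimType = "access_token";
    private readonly IHttpContextAccessor _accessor;

    public AccessTokenClaimHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // HttpContext is null outside an HTTP request, and User is anonymous
        // before login, so both cases must leave the request untouched.
        var user = _accessor.HttpContext?.User;
        var token = user?.Identity?.IsAuthenticated == true
            ? user.FindFirst(AccessTokenClaimType)?.Value
            : null;

        if (!string.IsNullOrWhiteSpace(token))
        {
            // Send the inner JWT itself, so the API's bearer middleware
            // validates it and builds its ClaimsPrincipal from its claims.
            request.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", token);
        }

        // Never write the token to logs; it is a credential for the API.
        return base.SendAsync(request, cancellationToken);
    }
}

// Registration sketch (names and URL are placeholders):
// services.AddHttpContextAccessor();
// services.AddTransient<AccessTokenClaimHandler>();
// services.AddHttpClient("DownstreamApi",
//         c => c.BaseAddress = new System.Uri("https://api.example.test/"))
//     .AddHttpMessageHandler<AccessTokenClaimHandler>();
```

The downstream API should still validate the forwarded token's signature, issuer and audience itself rather than trusting that it arrived from the Oqtane host.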