3

So I have got all my auth working in my MVC web site but I want to ask: What is the recommended way to pass the access token around in my application?

So, I click login, a dialog pops up and I log in. My parent window receives the access token and I get some playlists. But what if I go to another page, which would be a completely new request? Do I pass it around on the query string, or in session, or maybe a cookie? I have searched the API documentation for this, but can't find anything about it.

TylerH
RuSs

2 Answers

3

I would say you should store it on the side from which you are making the requests. If the requests are done client-side, then keep the access token client-side. You can persist it using localStorage, as done in the web api player example. That way you can read from localStorage when you need to make a request and use it until it expires.

Then, if you have used the authorization code flow you will want to refresh it, so the user doesn't need to log in every 60 minutes. For this, you will need to make a request from your server, since the refresh process involves sending a secret that you don't want to make available in the browser. You can store the refresh token on the server (e.g. in a database table storing user <-> refresh token) or in the browser's localStorage too, sending it to the server when you want to refresh it.

You could also store it as a cookie, but if the server doesn't need to know about it, localStorage is better.

José M. Pérez
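
An added example (not part of the answer above) of the pattern it describes: keep the access token in localStorage together with its expiry time, and ask your own server for a new one when it runs out. It takes the answer's first option of keeping the refresh token server-side; the `/auth/refresh` endpoint, its JSON fields and the storage key are hypothetical.

```javascript
// Added example, not code from the answer. The storage key, the /auth/refresh
// endpoint and its JSON response shape are assumptions made for illustration.
const KEY = 'access_token_record'; // hypothetical localStorage key
const SKEW_MS = 30 * 1000;         // treat the token as expired 30 s early

function createTokenStore(storage, fetchFn, now = Date.now) {
  function save(accessToken, expiresInSec) {
    const record = { accessToken, expiresAt: now() + expiresInSec * 1000 };
    storage.setItem(KEY, JSON.stringify(record));
    return record;
  }

  // Returns the stored token, or null when it is missing, malformed or expired.
  function read() {
    let record = null;
    try { record = JSON.parse(storage.getItem(KEY)); } catch (e) { /* malformed */ }
    const valid = record && typeof record.accessToken === 'string' &&
      typeof record.expiresAt === 'number' && now() < record.expiresAt - SKEW_MS;
    if (!valid) { storage.removeItem(KEY); return null; }
    return record.accessToken;
  }

  // Asks our own server for a fresh access token. The server holds the client
  // secret and the refresh token; the browser sends only its session cookie.
  async function refresh() {
    const res = await fetchFn('/auth/refresh', { method: 'POST', credentials: 'same-origin' });
    if (!res.ok) { storage.removeItem(KEY); throw new Error('refresh failed: ' + res.status); }
    const body = await res.json();
    return save(body.access_token, body.expires_in).accessToken;
  }

  async function getToken() { return read() || refresh(); }

  // The token travels in the Authorization header, not in the query string.
  async function authorizedFetch(url, options = {}) {
    const headers = { ...options.headers, Authorization: 'Bearer ' + (await getToken()) };
    return fetchFn(url, { ...options, headers });
  }

  return { save, read, refresh, getToken, authorizedFetch };
}
```

In a page this would be created once with `createTokenStore(window.localStorage, window.fetch.bind(window))`. Anything in localStorage is readable by every script running on the origin, so the value kept there should be the short-lived access token only.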
0

I think the Identity will be holding all the details about the logged-in user. If we want anything extra, we can extend it.

The link below may help: http://www.codeproject.com/Tips/574576/How-to-implement-a-custom-IPrincipal-in-ASP-NET-MV

Dreamweaver