User is authenticated but where is the access token?

问题

I have a web Application which authenticates a user to an Identity Server 4, using an implicit client. I need the access token for this user so that I can make a call to another API.

To be clear:

1. I have an identity Server. Created using Identity server 4.
2. I have the web app in question created in Asp .net core mvc.
3. API created in .net core.

The Web application authenticates the user against the identity server. Once they are authenticated we use bearer tokens to access the API.

 services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();

 services.AddAuthentication(options =>
            {
                options.DefaultScheme = "cookie";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("cookie")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = Configuration["ServiceSettings:IdentityServerEndpoint"];
                options.ClientId = "f91ece52-81cf-4b7b-a296-26356f50841f";
                options.SignInScheme = "cookie";
            });

The user is authenticating fine and i am able to access the controller below. I need an access token for this user so that i can make a request to another API.

[Authorize]
public async Task<IActionResult> Index(int clientId, string error)
{
        ViewData["Title"] = "Secrets";

        if (User.Identity.IsAuthenticated)
        {

         // All of the below attempts result in either null or empty array
         var attempt1 = Request.Headers["Authorization"];
         var attempt2 = await HttpContext.GetTokenAsync("access_token");
         var attempt3 = _httpContextAccessor.HttpContext.Request.Headers["Authorization"];

         var attempt4 = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");

        }
        return View();
    }

The following does contain a header called cookie. Is there a way of getting the access token out of that?

  var h = _httpContextAccessor.HttpContext.Request.Headers.ToList();

How can i find an access token for the current authenticated user? Using Implicit login.

Note on Hybrid vs implicit login: I cant use hybrid login due to the issue posted here Authentication limit extensive header size As i have not been able to find a solution to that problem a suggestion was to switch to an implicit login rather than hybrid. Implicit does not appear to create the giant cooking the hybrid did.

I have been following this to create the implicit client Getting started with Identityserver 4

回答1:

By default the OpenID Connect middleware only requests an identity token (a response_type of id_token).

You'll need to first update your OpenIdConnectOptions with the following:

options.ResponseType = "id_token token";

You can then save the tokens to your cookie using:

options.SaveTokens = true;

And then finally, you can access the token using:

await HttpContext.GetTokenAsync("access_token");

Note that you will also need to set the AllowAccessTokensViaBrowser flag in your IdentityServer client configuration when using the implicit flow.

回答2:

Use options.SaveTokens = true then grab your access token from the claims or use HttpContext.GetTokenAsync here's the link to the blogpost with example: https://www.jerriepelser.com/blog/accessing-tokens-aspnet-core-2/

来源：https://stackoverflow.com/questions/50566323/user-is-authenticated-but-where-is-the-access-token