I want to be able to download a file from an API call. For argument's sake, let's say it's an automagically generated PDF file.

I have two problems:

  1. Anchor tags can't add Authorization headers to the request, only XHR can.
  2. XHR requests cannot download files.

My solution is to write my API with an [AllowAnonymous] endpoint in it, which takes the access_token as a parameter. I then validate the access token by hand and return a 401 or stream the PDF.

Is there a better solution than this or, if this is the best solution, how do I validate the access_token within the API?

Chris Kemp
  • You can use the client credentials OAuth flow. Step one, create Web Api as a client in identityserver3. Step two, use client id and secret to get an access token from the id server. Step three, in the request to the web api add an authorisation header with a "Bearer" token. Look here: http://www.developerhandbook.com/c-sharp/create-restful-api-authentication-using-web-api-jwt/ – TejSoft Aug 16 '17 at 01:53
  • So the problem is more of a javascript/XHR problem than IdSvr? We have an API that returns generated files, and it is a protected endpoint (in the usual way). The return from that endpoint is a `FileContentResult`. Trying to call that endpoint with an AJAX call involves jumping through the usual [javascript-download-a-file](https://stackoverflow.com/questions/16086162/handle-file-download-from-ajax-post) hoops though. – Mashton Aug 17 '17 at 14:19

1 Answer

This approach is totally fine.

If you want to use middleware to validate the token, it depends on which middleware you are using. The plain Microsoft JWT bearer middleware has some events you can implement to retrieve the token from a query string instead.

The identity server token validation middleware has a TokenRetriever property which also allows you to retrieve the tokens from multiple/alternative locations.

leastprivilege
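An added example, not code from the answer's author, of the query-string retrieval the answer describes, using the `OnMessageReceived` event of ASP.NET Core's JWT bearer middleware (the OWIN/Katana equivalent is `OAuthBearerAuthenticationProvider.OnRequestToken`). The path prefix, authority, audience and `RenderPdf` helper are placeholders; the download endpoint stays `[Authorize]` and the middleware performs the normal signature, issuer, audience and expiry checks on the token it picks up.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class JwtQueryStringAuth
{
    // Only this path prefix may present the token as ?access_token=...;
    // every other endpoint still requires the Authorization header. (placeholder prefix)
    private const string DownloadPathPrefix = "/api/reports";

    public static void ConfigureJwtBearer(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://identityserver.example"; // placeholder
                options.Audience = "reports-api";                     // placeholder
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = context =>
                    {
                        // By default the middleware reads only the Authorization header.
                        // A token in the URL ends up in browser history and server logs,
                        // so accept it from the query string for the download path only.
                        var request = context.Request;
                        if (request.Path.StartsWithSegments(DownloadPathPrefix) &&
                            request.Query.TryGetValue("access_token", out var token) &&
                            !string.IsNullOrEmpty(token))
                        {
                            context.Token = token; // validated like a header token from here on
                        }
                        return Task.CompletedTask;
                    }
                };
            });
    }
}

[ApiController]
[Route("api/reports")]
public class ReportsController : ControllerBase
{
    // Protected in the usual way; reachable from a plain <a href="/api/reports/42/pdf?access_token=...">.
    [HttpGet("{id}/pdf")]
    [Authorize]
    public IActionResult GetPdf(int id)
    {
        byte[] pdfBytes = RenderPdf(id); // placeholder for the PDF generator
        return File(pdfBytes, "application/pdf", $"report-{id}.pdf");
    }

    private static byte[] RenderPdf(int id) => new byte[0]; // stand-in body
}
```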