Hello,
We have an IdentityServer4 based OpenId/OAuth2 server implemented in our infrastructure and now I’m trying to use it to protect access to ServiceStack services using this plugin.
I’ve run into issues making this work with a simple JavaScript client application when the client, the service and the OAuth2 server are deployed on different machines. The service has the Cors plugin included and I can successfully call an unprotected route from the JS client.
The problem arises when I need to call a protected endpoint, since this time I have to execute 2 ajax calls:
- First call to /auth/{provider} for the service to authenticate itself with IdentityServer (it runs in client_credentials mode) and populate the auth session.
- Second call to the protected (through [Authenticate] attribute) route to retrieve the actual information.
This is the client-side script to do that:
$.ajax({
    type: 'GET',
    crossDomain: true,
    url: 'https://web19-dev/sst1/auth/IdentityServer?format=json',
})
.done(function () {
    // Second call: the protected route, sent only after the auth call succeeds
    $.ajax({
        type: "GET",
        crossDomain: true,
        url: "https://web19-dev/sst1/secure/buddy?format=json",
        xhrFields: {
            withCredentials: true
        }
    })
    .done(function (response) {
        log(response); // log() is the page's own logging helper
    })
    .fail(function (jqXHR, textStatus) {
        alert("SST1 request failed: " + jqXHR.statusText);
    });
})
.fail(function (jqXHR, textStatus) {
    alert("Authenticate request failed " + jqXHR.statusText);
});
I see the authentication cookies being sent after the /auth/provider call:
However, they’re not being sent back with the second ajax call, see below:
As a result I get the 401 unauthorized result back. Obviously the whole stuff works fine with everything on a development machine, but I’m not able to figure out what I am missing here. Why are the authentication cookies not being preserved after the authentication call?
Thank you!
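As an added example (not code from the original post, ServiceStack or IdentityServer), the script below simulates the browser-side rules that govern cookies on cross-origin calls: a response to a request made without credentials has its Set-Cookie ignored, and a credentialed request only succeeds when the server answers with an explicit Access-Control-Allow-Origin (never "*") plus Access-Control-Allow-Credentials: true. The origins, paths and cookie value are constructed placeholders, and the in-memory "service" stands in for the real /auth/{provider} and protected endpoints; nothing here contacts a network. Running the two-call sequence with and without withCredentials on the first call shows which combination leaves the session cookie in the jar for the second call.

```javascript
// Constructed placeholder origins; the real deployment uses its own hosts.
const SERVICE_ORIGIN = "https://service.example";
const CLIENT_ORIGIN = "https://client.example";
const SESSION_COOKIE = "ss-id=constructed-session-id"; // constructed value

// Mirror the CORS credentialed-response rules a browser applies:
// - anonymous request: "*" or the exact origin exposes the response,
//   and cookies are neither sent nor stored for it;
// - credentialed request: the origin must be echoed explicitly (no "*")
//   and Access-Control-Allow-Credentials must be exactly "true".
function corsDecision(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"];
  if (!withCredentials) {
    const exposed = allowOrigin === "*" || allowOrigin === requestOrigin;
    return { exposed, cookiesUsed: false };
  }
  const exposed = allowOrigin === requestOrigin && allowCreds === "true";
  return { exposed, cookiesUsed: exposed };
}

// In-memory stand-in for the two endpoints. The auth endpoint issues a
// session cookie; the protected endpoint requires it. The server answers
// with an explicit allow-listed origin rather than "*", which is the only
// form a credentialed cross-origin call can use.
function fakeService(path, cookieHeader) {
  const headers = {
    "access-control-allow-origin": CLIENT_ORIGIN,
    "access-control-allow-credentials": "true",
  };
  if (path === "/auth/IdentityServer") {
    return { status: 200, headers, setCookie: SESSION_COOKIE };
  }
  if (path === "/secure/buddy") {
    const ok = cookieHeader === SESSION_COOKIE;
    return { status: ok ? 200 : 401, headers };
  }
  return { status: 404, headers };
}

// Simulate the browser running the two-step sequence from the post.
// The cookie jar for SERVICE_ORIGIN is only read or written when the
// individual call was made with withCredentials set.
function runSequence(authWithCredentials, secureWithCredentials) {
  let jar = null;

  // Call 1: /auth/{provider}
  const r1 = fakeService("/auth/IdentityServer", authWithCredentials ? jar : null);
  const d1 = corsDecision(CLIENT_ORIGIN, authWithCredentials, r1.headers);
  if (d1.cookiesUsed && r1.setCookie) {
    jar = r1.setCookie; // Set-Cookie is honoured only for credentialed calls
  }

  // Call 2: protected route, sending the jar only if this call is credentialed
  const r2 = fakeService("/secure/buddy", secureWithCredentials ? jar : null);
  const d2 = corsDecision(CLIENT_ORIGIN, secureWithCredentials, r2.headers);

  return {
    authExposed: d1.exposed,
    cookieStored: jar !== null,
    secureStatus: r2.status,
    secureExposed: d2.exposed,
  };
}

// Stand-alone run: first call anonymous (as in the post), then both credentialed.
if (typeof require !== "undefined" && require.main === module) {
  console.log("first call anonymous:", runSequence(false, true));
  console.log("both calls credentialed:", runSequence(true, true));
}
```

On the server side the same rules apply in reverse: a CORS configuration that reflects any Origin while also sending Access-Control-Allow-Credentials: true hands the session cookie to every site, so the allowed origins for a credentialed endpoint should be an explicit list. Cookies carrying SameSite=Lax or Strict are also withheld from cross-site XHR regardless of withCredentials, which is worth checking in the Set-Cookie header when the service and the client sit on different sites.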