Access token and Refresh token best practices? How to implement Access & Refresh Tokens

Regarding access token and refresh token: consider the access token to be a “dirty” token, a token you share a lot. It does not have to be one server you pass the token to; it can be many. Because of this the attack surface rises. If one server does something stupid like writing tokens into server logs … Read more

Set default header for every fetch() request

Creating a fetch wrapper could solve your problem: function updateOptions(options) { const update = { ...options }; if (localStorage.jwt) { update.headers = { ...update.headers, Authorization: `Bearer ${localStorage.jwt}`, }; } return update; } export default function fetcher(url, options) { return fetch(url, updateOptions(options)); } You also get the added benefit of being able to switch your request … Read more

WCF – Windows authentication – Security settings require Anonymous

So it seems like a pretty common issue. The point is to remove mex from your bindings: <endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint> Alternatively you enable Anonymous access in IIS and in your web.config you make sure anonymous access is denied. Hope this will help some other soul. (I was 100% sure I tried it with mex … Read more

Authorization bearer token Angular 5

I suggest using HttpInterceptor for setting default HTTP headers on outgoing requests rather than adding an additional HTTP header to each call. HTTP Client – Setting default headers @ angular.io In your example you can do the following: import { Http, Headers, Response } from '@angular/http'; getLoggedInUser(auth_token): Observable<any> { const headers = new Headers({ … Read more

Is it possible to use bearer authentication for websocket upgrade requests?

The API allows you to set exactly one header, namely Sec-WebSocket-Protocol, i.e. the application-specific subprotocol. You could use this header for passing the bearer token. For example: new WebSocket("ws://www.example.com/socketserver", ["access_token", "3gn11Ft0Me8lkqqW2/5uFQ="]); The server is expected to accept one of the protocols, so for the example above, you can just validate the token and respond … Read more

ASP.NET MVC – How to show unauthorized error on login page?

UPDATE (Jun 2015): @daniel-lidström has correctly pointed out that you should not use Response.Redirect in an ASP.NET MVC application. For more information about why, please see this link: Response.Redirect and ASP.NET MVC – Do Not Mix. UPDATE (Sep 2014): I’m not sure when HandleUnauthorizedRequest was added to the AuthorizeAttribute, but either way I’ve been able … Read more

OAuth 2: separating resource server and authorization server

OAuth2 framework docs: https://www.rfc-editor.org/rfc/rfc6749 (A) The client requests an access token by authenticating with the authorization server and presenting an authorization grant. (B) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token and a refresh token. (C) The client makes a protected resource request to … Read more

How to call a RESTful web service from Android?

This is a sample RestClient class: public class RestClient { public enum RequestMethod { GET, POST } public int responseCode=0; public String message; public String response; public void Execute(RequestMethod method,String url,ArrayList<NameValuePair> headers,ArrayList<NameValuePair> params) throws Exception { switch (method) { case GET: { // add parameters String combinedParams = ""; if (params!=null) { combinedParams += "?"; … Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)