Retrieve access token from a customised header

Question

In my Web API, I want to get the access token from the Cookies header in the request, and then do the validation on the token. At the moment, IdentityServer3.AccessTokenValidation package is used to do the validation of the Bearer token and it looks for the token from the Authorization header only. Preferably I would like to keep using the same bearer token validation process, but getting the token from the Cookies header, does that sound doable with handy codes? Thanks

Answer 1

Just implement your own TokenProvider and provide it to the AccessTokenValidationMiddleware:

public class MyCustomTokenProvider : IOAuthBearerAuthenticationProvider
{
    public Task RequestToken(OAuthRequestTokenContext context)
    {
        if (context.Token == null)
        {
            //try get from cookie
            var tokenCookie = context.Request.Cookies["myCookieName"];

            if (tokenCookie != null)
            {
                context.Token = tokenCookie;
            }
        }

        return Task.FromResult(0);
    }

    public Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        throw new NotImplementedException();
    }

    public Task ApplyChallenge(OAuthChallengeContext context)
    {
        throw new NotImplementedException();
    }
}

In your Startup.cs:

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "http://myhost",
    RequiredScopes = new[] { "my-scope" },
    TokenProvider = new MyCustomTokenProvider()
});