webworm

Reputation: 11019

Requesting token directly from IdentityServer3 via Javascript using username/password

I am trying to make use of IdentityServer3 but none of the flows seem to fit what I would like to accomplish:

  1. Single Page Application (SPA) written only in HTML and Javascript attempts to access a protected API endpoint (ASP.NET Web API v2 in this case).
  2. An HTTP 401 is returned because the API endpoint is protected
  3. The SPA requests a token directly from IdentityServer passing in a username and password
  4. IdentityServer3 passes back an authorization token that includes the username and the claims associated with the username
  5. The SPA again attempts to access the API endpoint but passes the bearer token in the header and is allowed access
  6. Lastly, I would like to implement refresh tokens so the SPA does not have to submit the username and password a second time.

Flows I have looked at:

Implicit Flow - Involves a redirect to the IdentityServer as a means to authenticate who is making the request. I would like to directly authenticate with the IdentityServer. Also with IdentityServer3 after login a page is presented with a consent page asking the user if they want to share this info. Since this is an internal login applicable to only the API in question this seems out of place.

Resource Owner Flow - My understanding is that this flow requires a client_secret which would be impossible to keep secret in a SPA

Perhaps I am making this more complicated than need be, but none of the examples I have found seem to adhere to the steps I have outlined above. Is it possible using IdentityServer3?

Upvotes: 0

Views: 461

Answers (1)

Brock Allen

Reputation: 7435

If the client app collects the username/password, then you're using resource owner password flow. But by using that flow, you miss out on single sign-on and any other signin workflow features you've coded in IdentityServer.

The recommended approach is implicit flow where you redirect to IdentityServer. The consent screen displayed by IdentityServer can be disabled (this is a per-client configuration setting).

Upvotes: 1
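The resource owner password flow that the answer names, shown from the SPA side as an added example (this is not code from the question, the answer, or IdentityServer3): it builds the RFC 6749 password-grant and refresh-token requests, parses the token response, produces the Authorization header for the API call, and reads claims out of the access token for display only. The token endpoint URL, client id, scope names and the sample token are assumptions constructed for the example; IdentityServer3's real endpoint path, whether a client_secret is required, and whether a refresh token is issued at all depend on how the server's client and scopes are configured.

```javascript
// Added example: browser-side pieces of the OAuth 2.0 resource owner password
// flow (RFC 6749 §4.3) plus the refresh-token exchange (§6). Not code from the
// question, the answer, or IdentityServer3; all names below are assumptions.

// Assumed token endpoint; IdentityServer3's path is server-configured.
const TOKEN_ENDPOINT = 'https://idsrv.example.com/connect/token';

// grant_type=password: the SPA sends the user's credentials directly to the
// token endpoint. No client_secret is included, since it cannot be kept secret
// in a browser; the server must be configured to accept this client without one.
function buildPasswordGrantRequest({ clientId, username, password, scope }) {
  const body = new URLSearchParams({
    grant_type: 'password',
    client_id: clientId,
    username,
    password,
    scope, // e.g. 'api1 offline_access'; refresh tokens need an offline scope (assumed)
  });
  return {
    method: 'POST',
    url: TOKEN_ENDPOINT,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// grant_type=refresh_token: renew the access token without re-sending the password.
function buildRefreshRequest({ clientId, refreshToken }) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  return {
    method: 'POST',
    url: TOKEN_ENDPOINT,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Send a built request with fetch and parse the JSON body (browser or Node 18+).
async function sendTokenRequest(req, now = Date.now()) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return parseTokenResponse(await res.text(), now);
}

// Validate the token response shape and compute an absolute expiry time.
function parseTokenResponse(json, now = Date.now()) {
  const r = JSON.parse(json);
  if (r.error) throw new Error(`token request failed: ${r.error}`);
  if (!r.access_token || String(r.token_type).toLowerCase() !== 'bearer') {
    throw new Error('unexpected token response: missing access_token or non-Bearer token_type');
  }
  return {
    accessToken: r.access_token,
    refreshToken: r.refresh_token || null, // absent unless the client may use refresh tokens
    expiresAt: now + Number(r.expires_in) * 1000,
  };
}

// Header value for step 5 of the question: Authorization: Bearer <token>.
function authorizationHeader(accessToken) {
  return `Bearer ${accessToken}`;
}

function base64UrlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from((s + pad).replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Read the claims out of a JWS-compact access token for UI purposes only.
// The signature is NOT verified here; only the API may trust these claims.
function peekJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed sample response (not captured from any server) so the parser can
// be exercised offline. The signature segment is a placeholder, not a real signature.
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_ACCESS_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '42', name: 'alice', role: ['api.reader'], exp: 1700003600 })),
  'c2lnbmF0dXJl',
].join('.');
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: SAMPLE_ACCESS_TOKEN,
  token_type: 'Bearer',
  expires_in: 3600,
  refresh_token: 'constructed-refresh-token',
});
```

Note the trade-off the answer points out: because the SPA handles the password itself, the server never gets to run its own login page, so single sign-on and any custom sign-in workflow are bypassed. Store the refresh token with the same care as the password it replaces, since anyone who can read it from the page can mint new access tokens until it is revoked.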
