How to pass JWT token of Logged-IN user in API call via script

I am using the Squidex Identity server to protect API calls, so we need to pass a JWT token on each API call. I have a custom script which runs on content change, and I want to pass the JWT token of the logged-in user in the API call.

I can see ctx.user.id, ctx.user.claims etc. available. Is there a way to get hold of the token which I can pass?

```javascript
var url = 'https://myapi.typicode.com/todos/1';
var headers = {
    // the token of the logged-in user would go here
    Authorization: 'Bearer <token>'
};

getJSON(url, function(result) {
    // handle the response
}, headers);
```

It is not possible at the moment, because the scripts do not necessarily run in the context of an HTTP request.

The question is: What token? The normal token is only usable in the context of the Squidex frontend.

I am talking about the token below, which is currently being passed on /api and /schema calls. I am able to use the same token to get Content via API calls as well. I captured it from the network tab. I thought if I could somehow access this token in Scripting, I could pass it to the outgoing API call in a header.


Yes, but a lot of scripts do not run in the context of a request.

But in your profile you can create a permanent access key and secret, which can be used for authorization.

You mean ClientId/Secret, right?

Yes, sorry, this is what I mean.

Sure, thanks. I will go with this option.


Looks like we only have a GET method, but https://squidexserver/identity-server/connect/token is a POST operation.

```javascript
// the only HTTP helper available in the script context
getJSON(url, function(result) {

}, headers);
```
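The request that the script cannot make, written out as an added example (not code from the thread or from Squidex). It runs outside Squidex scripting, e.g. in the service that owns the target API, and performs the OAuth2 client-credentials grant against the Squidex token endpoint with the ClientId/Secret mentioned above, then calls a Squidex API with the Bearer token. The base URL, client id, secret, app and schema names and the scope name "squidex-api" are assumptions.

```csharp
// Added example, not from the thread. Assumes .NET 6+ and a client id/secret
// created in the Squidex app settings. All literals below are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public static class SquidexTokenClient
{
    const string SquidexBase = "https://squidexserver"; // assumed
    const string ClientId = "my-app:my-client";         // assumed
    const string ClientSecret = "change-me";            // assumed; read from config in practice

    static readonly HttpClient Http = new HttpClient();

    // Cache the token until shortly before it expires so connect/token
    // is not hit on every call.
    static string? cachedToken;
    static DateTimeOffset cachedUntil = DateTimeOffset.MinValue;

    public static async Task<string> GetAccessTokenAsync()
    {
        if (cachedToken != null && DateTimeOffset.UtcNow < cachedUntil)
            return cachedToken;

        // connect/token is a POST with a form-encoded body, not a GET.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
            ["scope"] = "squidex-api", // assumed scope name
        });

        using var response = await Http.PostAsync($"{SquidexBase}/identity-server/connect/token", form);
        response.EnsureSuccessStatusCode();

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        cachedToken = root.GetProperty("access_token").GetString()
                      ?? throw new InvalidOperationException("token response had no access_token");

        // Refresh a minute early so an in-flight request never carries an expired token.
        var expiresIn = root.GetProperty("expires_in").GetInt32();
        cachedUntil = DateTimeOffset.UtcNow.AddSeconds(Math.Max(expiresIn - 60, 0));
        return cachedToken;
    }

    public static async Task<string> GetAsync(string url)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetAccessTokenAsync());
        using var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        // App and schema names are placeholders.
        Console.WriteLine(await GetAsync($"{SquidexBase}/api/content/my-app/my-schema"));
    }
}
```

The secret should come from configuration or a secret store rather than source, and the client should only be granted the Squidex role the job actually needs; the token it receives identifies the client, not the user who changed the content, so the receiving API cannot attribute the call to a person from this token alone.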

Yes, you are right. Perhaps I can provide another solution and write an extension to create a token from a user id or something like that. But I am not sure what security implications it has.

Is there no other way? I mean, if the API is in the same network, can you just not allow internal traffic?

OK, the API and Squidex are not in the same network, and that's why I wanted to do this. I will figure out something else. No worries.

You can use a second authorization and implement a simple API key. I have done this as well; it takes only a few hours.

I am not sure if you use ASP.NET Core, but there you can add several authentication methods and then write a policy scheme which selects the actual scheme based on header values and so on, e.g. use ApiKey if defined, or Bearer token otherwise:
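The scheme selection described above, as an added example rather than code from the thread or from Squidex: an ASP.NET Core app that registers an API-key handler next to JWT bearer authentication and uses a policy scheme to forward each request to one of them based on the X-Api-Key header. It assumes .NET 8 (the three-argument AuthenticationHandler constructor), the Microsoft.AspNetCore.Authentication.JwtBearer package, and an "ApiKey" configuration value; the header name, scheme names, Squidex authority URL and audience are assumptions.

```csharp
// Added example, not from the thread. Assumes .NET 8 and the
// Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("ApiKeyOrBearer")
    // Policy scheme: does no authentication itself, only picks the real scheme.
    .AddPolicyScheme("ApiKeyOrBearer", "API key or JWT bearer", options =>
    {
        options.ForwardDefaultSelector = context =>
            context.Request.Headers.ContainsKey(ApiKeyOptions.DefaultHeader)
                ? ApiKeyOptions.SchemeName
                : JwtBearerDefaults.AuthenticationScheme;
    })
    .AddScheme<ApiKeyOptions, ApiKeyHandler>(ApiKeyOptions.SchemeName, options =>
    {
        // Key lives in configuration / a secret store, never in source.
        options.ExpectedKey = builder.Configuration["ApiKey"]
            ?? throw new InvalidOperationException("ApiKey is not configured");
    })
    .AddJwtBearer(options =>
    {
        options.Authority = "https://squidexserver/identity-server"; // assumed issuer
        options.Audience = "squidex-api";                            // assumed audience
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Either a valid API key or a valid Squidex-issued JWT gets through.
app.MapGet("/todos/{id:int}", (int id, ClaimsPrincipal user) =>
        Results.Ok(new { id, caller = user.Identity?.Name, scheme = user.Identity?.AuthenticationType }))
    .RequireAuthorization();

app.Run();

public class ApiKeyOptions : AuthenticationSchemeOptions
{
    public const string SchemeName = "ApiKey";      // assumed name
    public const string DefaultHeader = "X-Api-Key"; // assumed header
    public string HeaderName { get; set; } = DefaultHeader;
    public string ExpectedKey { get; set; } = "";
}

public class ApiKeyHandler : AuthenticationHandler<ApiKeyOptions>
{
    public ApiKeyHandler(IOptionsMonitor<ApiKeyOptions> options, ILoggerFactory logger, UrlEncoder encoder)
        : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue(Options.HeaderName, out var values))
            return Task.FromResult(AuthenticateResult.NoResult());

        var presented = Encoding.UTF8.GetBytes(values.ToString());
        var expected = Encoding.UTF8.GetBytes(Options.ExpectedKey);

        // Constant-time comparison so the key cannot be recovered byte by byte
        // from response timing. FixedTimeEquals returns false on length mismatch.
        if (expected.Length == 0 || !CryptographicOperations.FixedTimeEquals(presented, expected))
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key."));

        // Identity for the caller; give it only the claims the API-key path needs.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "squidex-script") }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

Because the policy scheme forwards on the mere presence of the header, a request that sends both X-Api-Key and an Authorization header is judged on the API key alone; if that is not what you want, select on the Authorization header first. The API-key path is a shared secret, so it should be restricted to the endpoints the script actually needs (a separate policy or role on that identity) and rotated like any other credential.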

I was already thinking about the ApiKey approach :)