User is authenticated but where is the access token?


December 2018




I have a web application which authenticates a user to an Identity Server 4, using an implicit client. I need the access token for this user so that I can make a call to another API.

To be clear:

  1. I have an identity server, created using Identity Server 4.
  2. I have the web app in question, created in ASP.NET Core MVC.
  3. An API created in .NET Core.

The Web application authenticates the user against the identity server. Once they are authenticated we use bearer tokens to access the API.

    services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();

    services.AddAuthentication(options =>
        {
            options.DefaultScheme = "cookie";
            options.DefaultChallengeScheme = "oidc";
        })
        // Registers the handler for the "cookie" scheme referenced above.
        .AddCookie("cookie")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = Configuration["ServiceSettings:IdentityServerEndpoint"];
            options.ClientId = "f91ece52-81cf-4b7b-a296-26356f50841f";
            options.SignInScheme = "cookie";
        });

The user is authenticating fine and I am able to access the controller below. I need an access token for this user so that I can make a request to another API.

    public async Task<IActionResult> Index(int clientId, string error)
    {
        ViewData["Title"] = "Secrets";

        if (User.Identity.IsAuthenticated)
        {
            // All of the below attempts result in either null or empty array
            var attempt1 = Request.Headers["Authorization"];
            var attempt2 = await HttpContext.GetTokenAsync("access_token");
            var attempt3 = _httpContextAccessor.HttpContext.Request.Headers["Authorization"];

            var attempt4 = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");
        }

        return View();
    }

The following does contain a header called cookie. Is there a way of getting the access token out of that?

    var h = _httpContextAccessor.HttpContext.Request.Headers.ToList();

How can I find an access token for the current authenticated user? Using implicit login.

Note on hybrid vs implicit login: I can't use hybrid login due to the issue posted here: Authentication limit extensive header size. As I have not been able to find a solution to that problem, a suggestion was to switch to an implicit login rather than hybrid. Implicit does not appear to create the giant cookie the hybrid did.

I have been following this to create the implicit client: Getting started with Identityserver 4

2 answers


By default, the OpenID Connect middleware only requests an identity token (a response_type of id_token).

You first need to update your OpenIdConnectOptions with the following:

    options.ResponseType = "id_token token";

You can save the tokens to your cookie with:

    options.SaveTokens = true;

And finally, you can access the token with:

    await HttpContext.GetTokenAsync("access_token");

Note that you also need to set the AllowAccessTokensViaBrowser flag in the IdentityServer client configuration when using the implicit flow.
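The steps from the answer above, put together with the matching IdentityServer client registration and the bearer call to the API, as an added example that is not part of the original answers. The client id `mvc-implicit`, the `api1` scope, all URLs and the class names `Clients`, `OidcSetup` and `SecretsController` are placeholders assumed for illustration.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

// IdentityServer project: client registration for the implicit flow.
public static class Clients
{
    public static readonly Client ImplicitMvc = new Client
    {
        ClientId = "mvc-implicit",                               // placeholder
        AllowedGrantTypes = GrantTypes.Implicit,
        AllowAccessTokensViaBrowser = true,                      // needed before a token may be returned via the browser
        RedirectUris = { "https://localhost:5002/signin-oidc" }, // placeholder
        AllowedScopes = { "openid", "profile", "api1" }          // "api1" is a placeholder API scope
    };
}

// MVC project: pass to the handler as .AddOpenIdConnect("oidc", OidcSetup.Apply).
public static class OidcSetup
{
    public static void Apply(OpenIdConnectOptions options)
    {
        options.Authority = "https://localhost:5000"; // placeholder IdentityServer URL
        options.ClientId = "mvc-implicit";
        options.SignInScheme = "cookie";
        options.ResponseType = "id_token token";      // ask for an access token as well
        options.SaveTokens = true;                    // store the tokens with the sign-in cookie
        options.Scope.Add("api1");
    }
}

public class SecretsController : Controller
{
    private static readonly HttpClient Api = new HttpClient();
    public async Task<IActionResult> Index()
    {
        var token = await HttpContext.GetTokenAsync("access_token");
        if (string.IsNullOrEmpty(token)) return Challenge("oidc"); // nothing saved: sign in again
        var request = new HttpRequestMessage(HttpMethod.Get, "https://localhost:5001/secrets"); // placeholder API URL
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await Api.SendAsync(request);
        return Content(await response.Content.ReadAsStringAsync());
    }
}
```

With `SaveTokens = true` the id token and access token are stored in the authentication cookie, so the cookie grows by the size of those tokens. The implicit flow issues no refresh token, so an expired access token means sending the user through the challenge again.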


Use options.SaveTokens = true, then grab the access token from the claims or use HttpContext.GetTokenAsync. Here is a link to a blog post with an example: