Request access token to call a web services

This article describes how to use access tokens in HTTP requests to access protected resources such as Sitefinity Web API. You need to perform the following:

1. Register your app in the Security Token Service, based on IdentityServer3.
2. Within your app, acquire an access token from the STS.
3. Add an authorization header Bearer access_token and call the Sitefinity Web API.

Following are two samples demonstrating how to configure your applications with Sitefinity CMS and acquire an access token using the Resource owner flow and the Implicit flow. You can also take a look at the sample MVC application, which can obtain access tokens from Sitefinity CMS with implicit flow and can call the Sitefinity CMS Web API at the GitHub repository.

Perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer.
3. Click Clients » Create new.
4. Fill out the required fields.
   For example, enter the following:
   1. In Client name, enter testApp
   2. In Client Id, enter testApp
   3. Select Enabled checkbox.
   4. In Client flow dropdown box, select ResourceOwner.
   5. Select Allow access to all scopes checkbox.
   6. Save your changes.
5. Expand the newly created client.
6. Select Client secret and click Create new.
   1. Enter a secret.
      For example, enter secret
   2. Save your changes.
7. Select Allow cors origins and click Create new.
   1. Enter the origin that can request tokens from the STS.
      For example, enter http://your-site.com
   2. Save your changes.
8. Expand Authentication » SecurityTokenService » IdentityServer.
9. Select Scopes and click Create new.
   1. In Scope name, enter offline_access
   2. In Scope type, enter Resource
10. Save your changes
11. To request a token for accessing a protected web services resource, you can use one of the following code samples:
    • JavaScript
      You also need to add the Access-Control-Allow-Origin header to the web.config file and register the domains that can request access tokens. You can register a single domain or allow all domains to request an access token.
      
    • C#
       

      NOTE: If you have an external project, you must install the official IdentityModel NuGet package. You do not need to do this, if you have already installed Progress.Sitefinity.Authentication NuGet package

For more information about Endpoints, supported by IdentityServer 3, see the following:

• Token Endpoints
• UserInfo Endpoint
• Token Revocation

Perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer.
3. Click Clients » Create new.
4. Fill out the required fields.
   For example, enter the following:
   1. In Client name, enter testApp
   2. In Client Id, enter testApp
   3. Select Enabled checkbox.
   4. In Client flow dropdown box, select Implicit
   5. Save your changes.
5. Expand the newly created client, select RedirectUris and click Create new.
   Enter the URL of your external app and save your changes.
6. Select PostLogoutRedirectUris and click Create new.
   Enter the URL of your external app and save your changes.
7. Using Visual Studio, create an MVC app that uses No authentication.
8. Install following NuGet packages:
   • Microsoft.Owin
   • Microsoft.Owin.Host.SystemWeb
   • Microsoft.Owin.Security.Cookies
   • Microsoft.Owin.Security.Cookies
   • Microsoft.Owin.Security.OpenIdConnect 
9. Create a Startup.cs class and add the code inside:

   NOTE: You can configure the STS endpoint to be different from http://yoursitefinitysite/Sitefinity/Authenticate/OpenID/connect.
   To do this, navigate to Administration » Settings » Advanced » Authentication » SecurityTokenService » ServicePath.