I have a single page application (SPA) with a WebAPI and for authentication/authorization I am using OpenID Connect and specifically IdentityServer3 with OidcTokenManager on the client.
So, my SPA talks to the server fine by passing the access/bearer token in the Authorization header for all requests made to the WebAPI.
i.e. Authorization: Bearer ACCESSTOKENGOESHERE
The application also embeds files from the WebAPI into the page, mainly SVGs, PDFs, etc. To do this I use an object tag. This doesn't work, as the WebAPI requires the Bearer token in the Authorization header to authorize the request. I cannot find any way to pass the bearer token as a request header when the object tags load the file.
Does anyone know how I can pass the authorization header when the object tag makes a request for the files?
In that case it makes sense to provide the access token as a URL query parameter, which is one of the supported methods as listed in: https://www.rfc-editor.org/rfc/rfc6750#section-2. This is assuming that the requests go over secure HTTPS to prevent token leakage, and the Resource Server supports consuming tokens in query parameters.
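The query-parameter method from the answer above, sketched for both sides as an added example (not code from either poster, IdentityServer3 or OidcTokenManager). The helper names `embedUrl`, `extractBearer` and `redactForLog`, the request shape and the host `api.example.test` are assumptions made for illustration; the parameter name `access_token`, the `invalid_request` error for mixed methods and the `Cache-Control: private` response header come from RFC 6750.

```javascript
const PARAM = "access_token"; // parameter name defined by RFC 6750 section 2.3

// Client side: build the URL to put in <object data="...">.
// Refuses plain HTTP so the token never travels in a cleartext URL.
function embedUrl(fileUrl, accessToken) {
  const u = new URL(fileUrl);
  if (u.protocol !== "https:") throw new Error("token URLs must use HTTPS");
  u.searchParams.set(PARAM, accessToken);
  return u.toString();
}

// Resource-server side: take the token from the header or the query, never both.
// req is a constructed shape: { url: string, headers: { authorization?: string } }.
function extractBearer(req) {
  const u = new URL(req.url);
  // b64token syntax from RFC 6750 section 2.1
  const m = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(req.headers.authorization || "");
  const fromQuery = u.searchParams.getAll(PARAM);
  // More than one method in a single request is an invalid_request (section 3.1).
  // A duplicated query parameter is rejected the same way (a choice made here).
  if ((m ? 1 : 0) + fromQuery.length > 1) return { error: "invalid_request" };
  if (m) return { token: m[1], responseHeaders: {} };
  if (fromQuery.length === 1 && fromQuery[0] !== "") {
    // Section 2.3: successful responses to query-token requests should be private.
    return { token: fromQuery[0], responseHeaders: { "Cache-Control": "private" } };
  }
  return { token: null, responseHeaders: {} }; // no credentials presented
}

// URLs end up in access logs and history, so strip the token before logging.
function redactForLog(url) {
  const u = new URL(url);
  if (u.searchParams.has(PARAM)) u.searchParams.set(PARAM, "REDACTED");
  return u.toString();
}

// Constructed sample values, for illustration only.
const sampleUrl = embedUrl("https://api.example.test/files/42.svg", "abc.def");
console.log(sampleUrl);
console.log(extractBearer({ url: sampleUrl, headers: {} }));
console.log(redactForLog(sampleUrl));
```

Because the token now sits in a URL, short access-token lifetimes limit what a copy recovered from a log or browser history is worth.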