token retrieval from header or qs

src/Api/Startup.cs

@@ -17,6 +17,7 @@ using Bit.Core.Utilities;
 using IdentityModel;
 using IdentityServer4.AccessTokenValidation;
 using jsreport.AspNetCore;
+using Bit.Core.IdentityServer;
 
 namespace Bit.Api
 {
@@ -79,6 +80,7 @@ namespace Bit.Api
                     options.Authority = globalSettings.BaseServiceUri.InternalIdentity;
                     options.RequireHttpsMetadata = !Environment.IsDevelopment() &&
                         globalSettings.BaseServiceUri.InternalIdentity.StartsWith("https");
+                    options.TokenRetriever = TokenRetrieval.FromAuthorizationHeaderOrQueryString();
                     options.NameClaimType = ClaimTypes.Email;
                     options.SupportedTokens = SupportedTokens.Jwt;
                 });

src/Core/IdentityServer/TokenRetrieval.cs

@@ -0,0 +1,32 @@
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Linq;
+
+namespace Bit.Core.IdentityServer
+{
+    public static class TokenRetrieval
+    {
+        private static string _headerScheme = "Bearer ";
+        private static string _queuryScheme = "access_token";
+        private static string _authHeader = "Authorization";
+
+        public static Func<HttpRequest, string> FromAuthorizationHeaderOrQueryString()
+        {
+            return (request) =>
+            {
+                var authorization = request.Headers[_authHeader].FirstOrDefault();
+                if(string.IsNullOrWhiteSpace(authorization))
+                {
+                    return request.Query[_queuryScheme].FirstOrDefault();
+                }
+
+                if(authorization.StartsWith(_headerScheme, StringComparison.OrdinalIgnoreCase))
+                {
+                    return authorization.Substring(_headerScheme.Length).Trim();
+                }
+
+                return null;
+            };
+        }
+    }
+}