Channel: SharePoint 2010 - Development and Programming forum

Question about limitation of provider-hosted apps: Is it possible to make REST calls with JavaScript in a provider-hosted application which require the request digest value?


Hi,

It's understood that when making update or create requests we need to include the request digest value for security reasons. From what I have researched, there is no way to get a valid request digest value to the browser for making REST calls with JavaScript, which would limit provider-hosted apps to using server-side code when creating or making updates. This seems like a major limitation for clients who prefer the freedom of provider-hosted apps, and still want to write in JavaScript.

In SharePoint-hosted apps when on the appWeb we can use $("#__REQUESTDIGEST").val()

In SharePoint-hosted apps when using an AppPart rendering an iframe we can make a request to the <appWeb>/_api/contextinfo service endpoint.

In provider-hosted apps there does not seem to be a way to get this value just using JavaScript. I have tried 2 different solutions to get the request digest value:

1. Use cross-domain library to request the contextinfo similarly to how you would in a SharePoint-hosted app.

It would seem that you could force an appWeb to be created for the provider-hosted app and then use the cross-domain library to hit the api/contextinfo endpoint as a similar process to the SharePoint-hosted apps; however, this does not work. The request from the cross-domain library says the api/contextinfo endpoint is not found.

2. Expose a service in the provider-hosted app which makes the request to the contextinfo endpoint from the server and returns the value to the client.

I added a WebAPI controller which exposes a service that retrieves the request digest value. This actually does retrieve a request digest value; however, when attempting to use this in the header of future calls I receive the error: "The security validation for this page is invalid and might be corrupted. Please use your web browser's Back button to try your operation again.". I'm likely guessing that the request digest value is tracking that it was requested by the server, but the future requests made with it are from the browser which might be an acceptable reason to be invalid.

I have created a StackOverflow question with more detailed information outlining what appears to me as a major limitation: http://stackoverflow.com/questions/22159609/how-to-get-request-digest-value-from-provider-hosted-app

Can anyone please confirm that making REST calls with JavaScript which require request-digest values should not be possible in a provider-hosted app? If it is possible, can you please provide a sample showing a REST call made from JavaScript using a request digest value in a provider-hosted application.
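
The SharePoint-hosted flow the post describes (request /_api/contextinfo, then send the digest on create/update calls), as an added example that is not part of the original post and does not answer the provider-hosted question. The helper names, the injected fetchImpl and the sample response are assumptions constructed for illustration.

```javascript
// Added example: digest handling for the SharePoint-hosted flow in the post.
// fetchImpl and now are injected (assumption) so it runs offline.

// Pull the digest and its expiry out of an odata=verbose contextinfo response.
function parseContextInfo(body, nowMs) {
  const info = body && body.d && body.d.GetContextWebInformation;
  if (!info || typeof info.FormDigestValue !== "string") {
    throw new Error("contextinfo response has no FormDigestValue");
  }
  const ttlMs = Number(info.FormDigestTimeoutSeconds) * 1000;
  return { value: info.FormDigestValue, expiresAt: nowMs + ttlMs };
}

function createDigestClient(webUrl, fetchImpl, now = Date.now) {
  let cached = null;
  const accept = "application/json;odata=verbose";

  // Reuse the cached digest until 60 s before it expires, then fetch a new one.
  async function getDigest() {
    if (cached && now() < cached.expiresAt - 60000) return cached.value;
    const res = await fetchImpl(webUrl + "/_api/contextinfo", {
      method: "POST",
      credentials: "same-origin",
      headers: { Accept: accept },
    });
    if (!res.ok) throw new Error("contextinfo failed: HTTP " + res.status);
    cached = parseContextInfo(await res.json(), now());
    return cached.value;
  }

  // Create/update call: the digest travels in the X-RequestDigest header.
  async function post(path, payload) {
    const digest = await getDigest();
    return fetchImpl(webUrl + path, {
      method: "POST",
      credentials: "same-origin",
      headers: { Accept: accept, "Content-Type": accept, "X-RequestDigest": digest },
      body: JSON.stringify(payload),
    });
  }
  return { getDigest, post };
}

// Constructed sample response (not a real digest).
const SAMPLE_CONTEXTINFO = { d: { GetContextWebInformation: {
  FormDigestValue: "0xCONSTRUCTED-DIGEST,01 Jan 2014 00:00:00 -0000",
  FormDigestTimeoutSeconds: 1800,
} } };
```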

