Authenticated ASP.NET Core MVC site consuming web API

Question
User619969680 posted
Hi,
I have an ASP.NET Core 2.2 MVC site that uses Facebook as an identity provider. Users can click the login button, they are redirected to Facebook to enter their credentials, and are then redirected back to the site. At that time they are authenticated, and I have a number of claims like name identifier, email etc. This works fine.
But now I also want a separate web API, which will be consumed by the MVC site.
But this web API should of course also be protected, as I want to handle (custom) authorization in the web API; and for that I need to know the identity of the caller.
So my question is: how is this kind of security normally implemented? I guess I have to use a bearer token, which is sent with each call to the web API, but how do I generate this token? What is the architecture that is normally used for this kind of scenario?
Thanks for any hints!
Friday, January 25, 2019 3:14 PM
Answers
User1724605321 posted
Hi Iustuyck,
The normal way is to have both the web app and the web API protected by one identity server, for example Azure AD, or you can use IdentityServer4. Then you can use OAuth 2.0 authorization flows to acquire an access token for accessing the protected web APIs:
http://docs.identityserver.io/en/latest/quickstarts/5_hybrid_and_api_access.html
Best Regards,
Nan Yu
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Monday, January 28, 2019 2:09 AM
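As an added illustration of the architecture Nan Yu describes (this is not code from the thread, from IdentityServer4 or from the linked quickstart), here are the three pieces in ASP.NET Core 2.2: the web API that validates bearer tokens, the MVC site that signs in through the same identity server and obtains an access token, and the controller that forwards that token on each API call. The identity server URL, client id and secret, the API name "api1" and the API endpoint are placeholders and assumptions.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// 1) Web API: accept only bearer tokens issued by the shared identity server (issuer, signing key, audience and expiry are validated via its discovery document).
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", o => { o.Authority = "https://idp.example"; o.Audience = "api1"; }); // placeholder URL, assumed API name
        services.AddMvc(); // [Authorize] on API controllers; User.Claims (e.g. "sub") then identifies the caller
    }
}
// 2) MVC site: sign in through the same identity server with the hybrid flow (as in the linked quickstart) and request a token for the API.
public class MvcStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHttpClient();
        services.AddAuthentication(o => { o.DefaultScheme = "Cookies"; o.DefaultChallengeScheme = "oidc"; })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", o =>
            {
                o.Authority = "https://idp.example"; o.ClientId = "mvc";  // placeholder URL, assumed client registration
                o.ClientSecret = "<client-secret>";                       // placeholder: load from user-secrets or a vault
                o.ResponseType = "code id_token"; o.SaveTokens = true;    // hybrid flow; keep the tokens in the auth cookie
                o.Scope.Add("api1");                                      // ask for an access token usable at the API
            });
        services.AddMvc();
    }
}
// 3) MVC controller: send the stored access token as a bearer token on each API call.
public class ApiProxyController : Controller
{
    private readonly IHttpClientFactory _clients;
    public ApiProxyController(IHttpClientFactory clients) => _clients = clients;
    [Authorize]
    public async Task<IActionResult> CallApi()
    {
        var token = await HttpContext.GetTokenAsync("access_token");
        var client = _clients.CreateClient();
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return Content(await client.GetStringAsync("https://api.example/identity"), "application/json"); // placeholder endpoint
    }
}
```

The API never sees the Facebook login; it only trusts tokens from the identity server, so the custom authorization logic in the API works off the claims in the validated token.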
All replies
User475983607 posted
"What is the architecture that is normally used for this kind of scenario?"
A centralized authentication provider like IdentityServer4.
Friday, January 25, 2019 3:31 PM
User619969680 posted
Thank you, I will investigate this approach further.
Friday, January 25, 2019 3:49 PM