Authenticate MVC clients with Web API Tokens

Question

Currently I have created a WebAPI Project using identity framework and I have setup tokens to be returned when authenticating with the API.

So now I am looking at creating a standalone MVC application that will allow the user to make calls to the WebAPI to get back end data.

The goal is to separate functionality so that other applications can also start interacting with back end data through web calls.

So the confusion now is how do I setup my MVC project so that I can use the Authorize attributes on controllers with the token received from the WebAPI. I think I need to enable bearer tokens in the ConfigureAuth method in Startup.Auth.cs. However will that be sufficient enough? Or do I also need to enable the cookie authentication?

Answer 1

MVC and Web Api are fundamentally different when it comes to authentication. With Web Api, the bearer token has to be set in the header of the request, but this is not an issue as all API requests are done programmatically by the client, i.e. there's human-intervention involved in setting up the client to authenticate the request properly.

MVC is a different beast in that the actions are accessed generally via a web browser, which will not automatically affix a bearer token to the request header. What it will do is pass cookies set by the server back to the server. That's why cookie auth is used most typically for MVC web applications.

What you should do is enable cookie auth for the MVC site and then set up your sign in action to authenticate via the Web Api. When you get back a valid auth from the Web Api, then you can manually sign in the user via the Identity API:

await SignInManager.SignInAsync(user);