IdentityServer4: Sharing authentication between ASP.NET Core MVC server application and JavaScript client

Question

I have an ASP.NET Core MVC server application hosting a JavaScript client application. The JS application currently uses Oidc auth with implicit flow. The MVC server application provides file download functionality and needs to authenticate the user too.

Is there a way or an example how to configure both applications to support scenario, when user logs in the JS client and clicks download link referencing to MVC server backend and the server should accept the already authenticated user?

Also if the user is not authenticated yet and navigates in the browser to the download URL, the MVC backend should redirect him to identity server login page before proceeding with the download.

I have tried several configurations, but both clients behave independently and after first login the MVC server doesn't reflect JS client user switch inside one browser session.

Answer 1

In your MVC application, configure it to use the IdentityServer middleware (such as app.UseIdentityServerAuthentication in Startup.Configure) with the appropriate settings for AllowedScopes, Authority etc.

Then decorate your controller actions with the Authorize attribute, and make sure that all calls from your frontend to your backend correctly set the Authorization header to the bearer token (which is the access token your front-ened obtained by successfully logging in).