Reputation: 111
If I host my IdentityServer4 and the API in the same ASP.NET application, what will be used for authentication for the API controllers? The cookie from IdentityServer, or the token which I get from the oidc-client in my SPA application?
In my tests I can access the API even if I didn't send the token with the Angular HTTP request, as long as I have the cookie...
But is this a correct and safe way??? The MVC controllers for IdentityServer are protected with ValidateAntiforgeryKey, but not the API controllers.
Does it make sense to host both in the same application???
Edit: In detail, the API is used for managing the IdentityServer: CRUD operations for clients, users, resources, ...
For example: the IdentityServer is reachable at http://localhost:5000. I want to build an Angular2 SPA admin UI which is available at http://localhost:5000/admin
The reason for mentioning ValidateAntiforgeryKey is: if I only use cookie authentication for the CRUD API, I should also protect these APIs with ValidateAntiforgeryKey, or?
Upvotes: 1
Views: 1828
Reputation: 1684
It sounds like your API and Identity Server are two separate concerns and should be handled as two separate apps. This makes it a lot easier to maintain.
You need to set up an ApiResource and a Client where you add the ApiResource as an AllowedScope in your Identity Server configuration. Then in your API app, you must add the authentication middleware UseIdentityServerAuthentication.
The details are explained here: http://docs.identityserver.io/en/latest/topics/apis.html
I can see you are mentioning ValidateAntiforgeryKey. This attribute is not used for protecting against unauthorized users, but to make sure form data is being posted from legitimate forms.
Upvotes: 1
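The configuration the answer describes (an ApiResource, a Client that lists it as an allowed scope, and UseIdentityServerAuthentication in a separate API host), written out as an added example that is not part of the question or the answer. It assumes IdentityServer4 1.x with IdentityServer4.AccessTokenValidation on ASP.NET Core 1.1 (the version in which the middleware is registered with UseIdentityServerAuthentication); the names "api1", "spa-admin", the ports 5001 and 5002, and the ClientsController are assumptions chosen for the example.

```csharp
// Added example, not code from the question or answer. Assumes IdentityServer4 1.x,
// IdentityServer4.AccessTokenValidation 1.x and ASP.NET Core 1.1. Names and ports are assumed.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.AccessTokenValidation;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerConfig
{
    // The API the SPA will call. Only access tokens carrying the "api1" scope are accepted there.
    public static IEnumerable<ApiResource> GetApiResources() => new[]
    {
        new ApiResource("api1", "Admin API")
    };

    // Identity scopes the SPA requests alongside the API scope.
    public static IEnumerable<IdentityResource> GetIdentityResources() => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };

    // The browser client. Implicit flow because oidc-client runs in the browser and cannot keep a secret.
    public static IEnumerable<Client> GetClients() => new[]
    {
        new Client
        {
            ClientId = "spa-admin",
            ClientName = "Angular admin UI",
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,
            RedirectUris = { "http://localhost:5001/callback" },
            PostLogoutRedirectUris = { "http://localhost:5001/" },
            AllowedCorsOrigins = { "http://localhost:5001" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1" // the ApiResource above, granted to this client as an allowed scope
            }
        }
    };
}

// Startup of the IdentityServer host (http://localhost:5000).
public class IdentityServerStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddIdentityServer()
            .AddTemporarySigningCredential() // dev only; use a real certificate in production
            .AddInMemoryIdentityResources(IdentityServerConfig.GetIdentityResources())
            .AddInMemoryApiResources(IdentityServerConfig.GetApiResources())
            .AddInMemoryClients(IdentityServerConfig.GetClients());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();
        app.UseMvcWithDefaultRoute();
    }
}

// Startup of the separate API host (assumed http://localhost:5002). No cookie middleware is
// registered here, so a browser session cookie alone can never satisfy [Authorize]; only a
// bearer token issued for "api1" by the authority does.
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore().AddAuthorization().AddJsonFormatters();
        services.AddCors();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors(b => b.WithOrigins("http://localhost:5001").AllowAnyHeader().AllowAnyMethod());
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = "http://localhost:5000",
            RequireHttpsMetadata = false, // dev only; require HTTPS metadata in production
            ApiName = "api1"              // the token's audience must match the ApiResource
        });
        app.UseMvc();
    }
}

// Assumed admin endpoint; rejected with 401 unless a valid "api1" bearer token is presented.
[Route("api/clients")]
[Authorize]
public class ClientsController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "spa-admin" });
}
```

The behaviour observed in the question (the cookie alone is enough to reach the API) is what you get when the cookie scheme and the bearer scheme sit in one pipeline and the API controllers carry a plain [Authorize]. In the split layout above the API process has no cookie scheme at all, so the only credential it understands is the access token the SPA attaches to each request itself; because the browser never attaches that token automatically, the antiforgery concern from the question does not arise for these endpoints.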