Securely integrate angular and .net core web api into existing MVC 5 app

Question

I have an existing CRM built in ASP.NET MVC 5 using a razorhtml front end. I would like to break off part of the project into an Angular front end with .Net Core web api backend.

Essentially when a customer hits a "next" button on a certain page, the web api would be called and return a page in angular. The customer then completes a couple pages in the angular front end, sends info to the DB via the web api, which then returns the user to the old MVC project.

The issue I'm worried about is security. How can I authenticate the customer between the two applications?

Answer 1

Assuming your WebAPI is hosted on the same domain as your existing MVC solution you could opt for good old cookies (mind the HttpOnly and Path properties though). Given difference in technologies this might require some sort of reverse proxying to be put in place.

Alternatively you can generate a token on MVC application side and make your angular app pass it along through request headers to your API. On server side you would either write a custom middleware to handle opaque tokens or leverage existing .Net Core Identity that supports JWT out of the box.

Given you didn't share any specifics of your environment - it's hard to say if JWT would be an overkill for your use case but hopefully this gives you some context for further exploration.