May 05, 2020 01:52 PM|mgebhard
The easiest method is using a standard authentication cookie. This approach requires that the Web API and Web Application are in the same application. All of the built-in security works. Closing the browser expires the cookie if the cookie is not configured to be persisted. This design does not work well if the Web API is shared by other applications.
A standard shared API approach is using a JSON Web Token (JWT) to pass user information from a client to a Web API endpoint. A JWT is an encoded, signed string that contains information about the user making the request. The secured resource knows how to validate the token and extract the token's information. In your scenario, the JWT can cache the "scoped variable" or the JWT can contain a key to get the dictionary value. The key could be the user's Id, for example. The ASP.NET Core framework comes with libraries for creating and validating JWTs.
The next approach is similar to the first, but rather than accessing Web API URLs directly, the requests go to an Action or Razor Page. The Action or Razor Page calls the API. In this scenario, you can still take advantage of an authentication cookie or use Session to cache the scoped variable. The Action or Razor Page gets the cached value (Scoped Variable) and passes it to the Web API.
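
The JWT variant described in the post above, where the token carries only the user's Id and the Web API uses it as the dictionary key, as an added example that is not part of the original post. It assumes the System.IdentityModel.Tokens.Jwt package and one shared HMAC key; the class name, issuer, audience, user id and stored value are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;
public static class ScopedValueJwtDemo
{
    // Constructed placeholders: issuer, audience, user id and stored value are sample data.
    const string Issuer = "https://webapp.example", Audience = "https://api.example";
    // Demo key generated per process; a real deployment loads one shared secret from protected configuration.
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
    // Server-side store of the "scoped variable", keyed by user id, so the value never travels in the token.
    static readonly Dictionary<string, string> ScopedValues = new() { ["user-42"] = "tenant-A" };
    // Web application side: issue a short-lived signed token that carries only the user's id.
    public static string Issue(string userId)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim(JwtRegisteredClaimNames.Sub, userId) }),
            Issuer = Issuer,
            Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }
    // Web API side: check signature, algorithm, issuer, audience and lifetime before trusting any claim.
    public static string? Resolve(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = Key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30)
        };
        try
        {
            // MapInboundClaims = false keeps the claim name "sub" instead of remapping it to a long URI.
            var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
            var principal = handler.ValidateToken(token, parameters, out _);
            var userId = principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
            return userId != null && ScopedValues.TryGetValue(userId, out var value) ? value : null;
        }
        // Tampered, expired, wrong issuer/audience or malformed tokens resolve to nothing.
        catch (Exception e) when (e is SecurityTokenException or ArgumentException) { return null; }
    }
}
```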