Last post Jan 28, 2019 02:09 AM by Nan Yu
Jan 25, 2019 03:14 PM|lustuyck|LINK
I have an ASP.NET Core 2.2 MVC site, that uses Facebook as an identity provider. Users can click the login button, they are redirected to Facebook to enter their credentials, and are then redirected back to the site. At that time they are authenticated,
and I have a number of claims like name idenfifier, email etc. This works fine.
But now I also want a separate web API, which will be consumed by the MVC site.
But this web API should of course also be protected, as I want to handle (custom) authorization in the web API; and for that I need to know the identity of the caller.
So my question is: how is this kind of security normally implemented? I guess I have to use a bearer token, which is sent with each call to the web API, but how do i generate this token? What is the architecture that is normally used for this kind of scenario?
Thanks for any hints!
Jan 25, 2019 03:31 PM|mgebhard|LINK
What is the architecture that is normally used for this kind of scenario?
A centralized authentication provider like IdentityServer4.
Jan 25, 2019 03:49 PM|lustuyck|LINK
Thank you, I will investigate this approach further.
Jan 28, 2019 02:09 AM|Nan Yu|LINK
Hi Iustuyck ,
The normal way is to make the web app and web api are both protected by one identity server , for example , Azure AD, or you can use Identity server 4 . Then you can use OAuth 2.0 authorization flows to acquire access token for accessing the protected web