
I have an ASP.NET Core 2.2 MVC site that uses Facebook as an identity provider. Users can click the login button, they are redirected to Facebook to enter their credentials, and are then redirected back to the site. At that time they are authenticated, and I have a number of claims like name identifier, email etc. This works fine.

But now I also want a separate web API, which will be consumed by the MVC site.

But this web API should of course also be protected, as I want to handle authorization in the web API; and for that I need to know the identity of the caller.

So my question is: how is this kind of security normally implemented? I guess I have to use a bearer token, which is sent with each call to the web API, but how do I generate this token? What is the architecture that is normally used for this kind of scenario?

Thanks for any hints!

asked Jan 25, 2019 at 15:17
  • Is there any reason you couldn't use the same authentication mechanism and token for the MVC site and API? Commented Jan 25, 2019 at 23:15
  • Meanwhile I figured out I need an identity provider like IdentityServer4 which does everything I need out of the box. Commented Jan 26, 2019 at 13:40
