0

I have an ASP.NET Core 2.2 MVC site, that uses Facebook as an identity provider. Users can click the login button, they are redirected to Facebook to enter their credentials, and are then redirected back to the site. At that time they are authenticated, and I have a number of claims like name idenfifier, email etc. This works fine.

But now I also want a separate web API, which will be consumed by the MVC site. 

But this web API should of course also be protected, as I want to handle authorization in the web API; and for that I need to know the identity of the caller.

So my question is: how is this kind of security normally implemented? I guess I have to use a bearer token, which is sent with each call to the web API, but how do i generate this token? What is the architecture that is normally used for this kind of scenario?

Thanks for any hints!

Improve this question
2
  • Is there any reason you couldn't use the same authentication mechanism and token for the MVC site and API?
    – Ben Cottrell
    CommentedJan 25, 2019 at 23:15
  • Meanwhile I figured out I need an identity provider like IdentityServer4 which does everything I need out of the box.
    – L-Four
    CommentedJan 26, 2019 at 13:40

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.