I have a site utilizing both MVC and Web API controllers and ASP.NET Identity. I used the VS2013 SPA template with both MVC and Web API controllers as a starting point.
Here is my scenario:
User logs in using an MVC controller and gets back an auth cookie.
The next page is served using an MVC controller that is authenticated. That page uses Knockout and does an AJAX POST call, from a button click (Save), to a Web API controller that is authenticated. The Web API controller requires the Authentication header with Bearer --token--.
My question is how others handle these "two" authentication approaches. I created an endpoint on the MVC controller that is authenticated and returns a bearer token based on the current principal. I can use that token to post to the Web API endpoint successfully.
The JavaScript logic I'm creating is a bit... confusing. It checks to see if an access token is in session storage; if so, it makes the AJAX call. If not, it calls the get-token endpoint and then calls the Web API endpoint (using a bunch of callbacks for handling the AJAX promise done, fail, etc.).
How have others handled the scenario where you need both the auth cookie and the bearer token, so each "MVC" page is authenticated and the Web API endpoint that page calls is authenticated? What do you do if the bearer token expires before the cookie expires?
Let me know if I'm not clear or if you need more information.
Edit
I came across this: "Using bearer tokens and cookie authentication together". It still doesn't answer my question, as I already have it set up so MVC accepts cookie auth and Web API only accepts a bearer token. I feel like this should be a problem that is already solved, but maybe I'm taking the wrong approach.
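
The client-side flow described in the question (reuse a cached bearer token, fetch a new one from the cookie-authenticated MVC endpoint when it is missing or about to expire, and retry once when Web API answers 401), as an added example that is not part of the original post. `createApiClient`, its options and the `{ access_token, expires_in }` response shape are assumptions; in a browser, `fetchImpl` would be `window.fetch.bind(window)` and `storage` would be `sessionStorage`.

```javascript
// Added example. createApiClient, tokenUrl and the { access_token, expires_in }
// response shape are assumptions, not names taken from the post.
function createApiClient({ fetchImpl, storage, tokenUrl, now = Date.now, skewMs = 30000 }) {
  let pending = null; // single in-flight token request shared by concurrent callers

  function cachedToken() {
    const raw = storage.getItem('apiToken');
    if (!raw) return null;
    const t = JSON.parse(raw);
    // Treat a token that is about to expire as already expired.
    return t.expiresAt - skewMs > now() ? t.value : null;
  }

  function getToken(forceRefresh) {
    const hit = forceRefresh ? null : cachedToken();
    if (hit) return Promise.resolve(hit);
    if (!pending) {
      // Same-origin request: the MVC auth cookie is what authenticates it.
      pending = fetchImpl(tokenUrl, { method: 'POST', credentials: 'same-origin' })
        .then(res => {
          // A failure here means the cookie session itself has ended.
          if (!res.ok) throw new Error('token endpoint returned ' + res.status);
          return res.json();
        })
        .then(body => {
          const entry = { value: body.access_token, expiresAt: now() + body.expires_in * 1000 };
          storage.setItem('apiToken', JSON.stringify(entry));
          return entry.value;
        })
        .finally(() => { pending = null; });
    }
    return pending;
  }

  async function post(url, data, retried = false) {
    const token = await getToken(retried);
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: { Authorization: 'Bearer ' + token, 'Content-Type': 'application/json' },
      body: JSON.stringify(data),
    });
    // Token rejected although the cache still held it: refresh once, then give up.
    if (res.status === 401 && !retried) return post(url, data, true);
    return res;
  }

  return { getToken, post };
}
```

When the token endpoint itself fails, the returned promise rejects, which is the point at which the page should send the user back to the MVC login.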