If I host my IdentityServer4 and the API in the same ASP.NET application, what will be used for authentication for the API controllers? The cookie from IdentityServer or the token which I get from the oidc-client in my SPA application?
In my tests I can access the API even if I didn't send the token within the Angular HTTP request, as long as I have the cookie...
But is this a correct and safe way? The MVC controllers for IdentityServer are protected with ValidateAntiforgeryKey, but not the API controllers.
Does it make sense to host both in the same application?
Edit: In detail, the API is used for managing the IdentityServer: CRUD operations for clients, users, resources, ...
For example: The IdentityServer is reachable at http://localhost:5000. I want to build an Angular2 SPA admin UI which is available at http://localhost:5000/admin.
The reason for mentioning ValidateAntiforgeryKey is that if I only use cookie authentication for the CRUD API, I should also protect these APIs with ValidateAntiforgeryKey, right?
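
The setup described in the question, as an added example that is not part of the original post: IdentityServer and the admin API share one host, and the API controller is pinned to the bearer scheme so the login cookie alone does not authenticate it. It assumes ASP.NET Core 3.1, IdentityServer4 3.x and the IdentityServer4.AccessTokenValidation package; the API name `admin_api`, the route `admin/api/clients` and `ClientsController` are hypothetical.

```csharp
// Added example. Assumes ASP.NET Core 3.1 + IdentityServer4 3.x; "admin_api" is a made-up name.
using IdentityServer4.AccessTokenValidation;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(w => w.UseStartup<Startup>().UseUrls("http://localhost:5000"))
            .Build().Run();

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddIdentityServer() // its login cookie becomes the default scheme
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(new IdentityResource[] { new IdentityResources.OpenId() })
            .AddInMemoryApiResources(new[] { new ApiResource("admin_api") })
            .AddInMemoryClients(new Client[0]); // the SPA client registration goes here
        // Extra, non-default scheme that only accepts access tokens issued by this server.
        services.AddAuthentication()
            .AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme, o =>
            {
                o.Authority = "http://localhost:5000";
                o.ApiName = "admin_api";
                o.RequireHttpsMetadata = false; // local development only
            });
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseIdentityServer(); // includes UseAuthentication
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}

// Pinned to the bearer scheme: a request carrying only the cookie gets 401, so a
// cross-site request riding on the browser's cookie cannot reach the CRUD actions.
[ApiController, Route("admin/api/clients")]
[Authorize(AuthenticationSchemes = IdentityServerAuthenticationDefaults.AuthenticationScheme)]
public class ClientsController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(new { authenticated = User.Identity.IsAuthenticated });
}
```

With a plain `[Authorize]` instead, the default (cookie) scheme would apply, which matches the behaviour observed in the question and is the case where antiforgery validation on the API becomes necessary.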