I have a website which combines ASP.NET Core MVC and angular based SPA which I am trying to secure using IdentityServer4. The login flow currently looks like:
- User clicks the login button on the homepage (www.example.com, MVC based)
- User is redirected to a login page (login.example.com, MVC based) and logs in
User is redirected to www.example.com/app where site detects it doesn't have a cookie for the user so it redirects the user to the login.example.com/connect/authorize endpoint- User is redirected back to the site with the id_token to www.example.com/signin-oidc which drops the cookie
- User is then finally redirected to the www.example.com/app which should show the SPA
The problem is then when this is finally done, the SPA needs the access token so it can call the APIs. I tried using angular-auth-oidc-client library, the trouble is that this waits for the whole angular app to load app only to find out it doesn't have the access token and do yet another redirect to the login.example.com/connect/authorize endpoint to get the token.
Is there a simpler way do this? I.e. redirect the user to the app with the access token at step 5? Or choose a completely different approach to the identity?
