We have two webapi applications (core and support) configured on the same IIS web server running on our local domain. Our users authenticate on the core application using active directory and the core system returns a bearer token. This token is then used to authorize all API calls from our ReactJS client. In addition to the core application, we also have the support web application. Any calls to this system API end points also needs to be authorized.
Is it possible to use the same bearer token issued by the core application for the support application?
We have configured a separate webserver, database server and client to test the process. After building and deploying the two api web applications and the ReactJS client we are able to login via active directory, receive a bearer token and with this token authenticate on both the core and support platforms.
However, when we copy the same files and configurations to our clients server, we get a 401 authorization error on the support domain; the core domain works perfectly.
We have installed SSL certificates in both environments as well.
If we set the support application to Allow all Origins for CORS it works as there is no authorization. However, when we set the origins to the ReactJS and Core api projects we get the 401 error on the support domain.
We did not expect the token from the core application to authorize against the support application. However, this is working within our domain environment and we are not sure why. This has made it even more confusing as to why it does not work in the customers environment.
