Shared authentication based on Identity Server 4 between MVC and SPA applications

0
votes

I have two solutions under the same domain. The first one is MVC application with authentication based on IS4 OpenID Connect provider, I'm using code flow. The second one is Angular SPA application with backend on ASP .NET Core ( server just serves static files), authentication here also should be covered by IS4. My question is how can I share authentication state of MVC app with SPA app and vice-versa. Also I can add that it's not necessary to have two separated clients. Authentication can be shared under one client for both applications. Thanks.

Example: mysite.com/page1 - MVC-client, mysite.com/page2 - SPA-client

1
c#asp.net-mvcsingle-page-applicationidentityserver4openid-connect

1 Answers

0
votes

Authentication state will be separate since they use two incompatible technologies:

  • Client side SPA uses tokens to call APIs
  • Server side web app uses auth cookies to call a back end

What is common though is the SSO session cookie with Identity server, so after signing on to App 1 you can Single Sign On to App 2 - without a second login for the end user.

This is how separate OAuth apps are meant to behave - the separate redirects mean they can get access tokens with different levels of access to APIs.

This is the simplest solution and any other option could require a lot of re-engineering and has the potential to become a little hacky.