I’m sorry if this question has been asked before, but I can’t seem to find it from Googling or searching the forums. Anything I can find that’s similar seems to be for ASP.NET Core 3.x.x anyway, and I’m using ASP.NET 6, so I figured now might be a good time to re-ask the question anyway in case things have changed.
I am currently developing a new application at my company that involves two different projects interacting together - both requiring you to be signed into Okta to access. One project is a simple MVC Web Application. The other application is a purely API project with no views - it only returns data. My company is following a three-tier architecture, so combining these two into one project is not a possibility.
User accesses https://WebApp/. They are currently not signed into Okta.
They navigate to https://WebApp/ProtectedPage, which contains a client-side / JavaScript AJAX call to https://API/ProtectedRoute. Both ProtectedPage and ProtectedRoute require you to be signed into Okta to access.
Because the user is not signed in, they are denied access to ProtectedPage before the AJAX call is ever made because it is a view that has Authorization protection on it. Instead of returning a view, Okta does its magic to redirect the user to sign in.
User is automatically redirected to sign into Okta.
User successfully signs into Okta and now has the authentication required to view ProtectedPage and ProtectedRoute.
User again attempts to load https://WebApp/ProtectedPage, which they can now access since they signed in, and passes their credentials on to make an AJAX request to https://API/ProtectedRoute.
https://API/ProtectedRoute validates the credentials and returns sensitive information.
Following this tutorial, I have setup users signing into Okta from my WebApp. Following this guide, I have my API routes protected. However, what I don’t know how to do is pass the WebApp’s signed in user’s credentials to the API. Can someone please explain how to do this, or point me to an Okta tutorial showing me how to do it?
Just wanted to add a short version of what I want in case what I asked wasn’t clear enough:
User opens my web app. They login through Okta hosted login. They get redirected back to my web app and are now authenticated on the web app. How do I pass said credentials from my web app to a separate server, my API server?
If needed, I’m also okay with changing my authentication flow, just so long as a user only has to sign in once to access the Web Application and also the API. This project is still in its infancy, so nothing is set in stone, except that API and Web App need to be separate and I need to use ASP.NET
Well it’s been almost a week with no reply, so I’ve thought a different way to restructure my project just in case anyone else finds this thread and runs into the same issue I have.
Previously, what I wanted to do was have users be able to login into Okta once and using that same login have access to both the API and Web App, basically using the same Okta Application. Because I’m a developer, I was thinking like a developer and assuming that any user might want to have access to the API. What I was not doing was thinking practically - if another user wants access to the API, they won’t be logging into Okta every time and then using that stored session within something like Postman or curl - they’ll be doing it with an access token.
The solution to my problem was to change how I integrate Okta into my solution. Here’s how the new authentication flow will look:
User navigates to Web App. They are currently not authenticated. They click the “Sign in” button on the web page.
User is redirected to Okta to login. T
User successfully logs in and is redirected back to the web application and is now authenticated.
User loads a page that makes a call to the separately hosted API server.
Using the access token provided internally from the web application server (not accessible to end user - is set in a secure configuration file / setting somewhere), the API verifies the access token against a separate Okta Application using API authentication.
The Web App has been authenticated and a success status code has been sent back to the API server from the Okta API Application.
Now authorized, the Web Application is sent the requested data from the API server.
Basically, I use two separate Okta Applications. I was very close with my original setup, but I was asking for too much from Okta. But, with this new setup, other applications in my company can now integrate with just the API server for this project I am working on and not have access to the web application. Just to re-iterate what I used:
Both projects (Web Application and API) use two SEPARATE Okta applications. This is so users who have access to the Web Application don’t necessarily have to have access to the API server, and vice versa. If your company is following a 3-tier architecture, this approach may fit your needs.
Note: Even though the tutorials are written for .NET Core 3, they work perfectly fine in .NET 6. The main difference being you can combine your Program.cs file and Startup.cs file into one file using Top Level Statements.
