Secure MVC endpoints AND API endpoints

I can find an example for securing ASP.Net MVC endpoints (cookie) and SPA API endpoints (Auth header) but I can’t seem to find an example of securing BOTH.

I have an ASP.Net MVC app that has a few pages (routes/endpoints) that need to be secure. Code within those pages makes API calls, and those API endpoints ALSO need to be secure. Everything is from the same server. I am adding the Okta MVC to the middleware pipeline with “app.UseOktaMvc”.

From what I have seen, it doesn’t appear that the API endpoints respect the Auth cookie that’s being submitted (and I know using a cookie to secure APIs is bad practice).

So, how can I secure my ASP.Net MVC code and my API endpoints with cookies or tokens minted from the one Okta login?


If I understand this correctly, the missing piece you have is your resource server that you’d like to secure with tokens, is that right? Is your MVC application also using OpenID Connect under the hood?

You may want to take a look at our ASP.NET resource server sample, which will take access tokens retrieved via, say, your SPA, and allow users with valid tokens to be able to access protected resources.

So, I was hoping to use the (more secure) Authorization Code flow (since I own the entire pipeline). I was able to implement that using your online example. However, that returns the token as a cookie – which is great, for securing my MVC pages. However, those secure MVC pages interact with my APIs, which would prefer to be secured with Bearer Tokens (JWT format?) instead of Cookies.
I don’t want the user to have to sign in again (for the API piece), and I don’t want to change to an implicit flow for SPAs (since I have the benefit of owning the entire pipeline, I prefer to use the more secure Auth Code flow) –

Maybe I should refactor my app to be pure API and ignore the MVC portion - but then I’d want to know how I can use Authorization Code flow with API. Again, since I own the whole pipeline, I’d prefer to maximize control and security.

Thanks for your help!
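The arrangement the original poster is asking about (cookie-protected MVC pages and bearer-protected API endpoints from one Okta authorization-code login, on one server) can be expressed in a single OWIN `Startup`. The following is an added example written for this thread, not code from the thread or from Okta's samples. It assumes the `Okta.AspNet` (OWIN) package with its `UseOktaMvc`/`OktaMvcOptions` and `UseOktaWebApi`/`OktaWebApiOptions` extension methods, the `Microsoft.AspNet.WebApi.Owin` package for `UseWebApi`/`HostAuthenticationFilter`, placeholder Okta domain and client values, and a claim named `access_token` holding the token the Okta handler obtained at sign-in (that claim type is an assumption to verify against the package version in use). The controllers and the order data are constructed for illustration.

```csharp
// Added example (not from the thread): one OWIN pipeline that registers BOTH the
// cookie-based Okta MVC sign-in (authorization code flow) and Okta Web API bearer
// validation. MVC pages are protected by the session cookie; API controllers accept
// only JWT access tokens minted by the same Okta authorization server, never the cookie.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Okta.AspNet;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // 1. Cookie scheme for the MVC pages. The Okta OIDC handler signs the user in to it,
            //    so register it first and make it the default sign-in type.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,                      // not readable from page script
                CookieSecure = CookieSecureOption.Always,   // HTTPS only
            });

            app.UseOktaMvc(new OktaMvcOptions
            {
                OktaDomain = "https://{yourOktaDomain}",    // placeholder
                ClientId = "{clientId}",                    // placeholder
                ClientSecret = "{clientSecret}",            // placeholder (code flow, server-held)
                AuthorizationServerId = "default",
                RedirectUri = "https://localhost:44300/authorization-code/callback",
                PostLogoutRedirectUri = "https://localhost:44300/Account/PostLogout",
            });

            // 2. Bearer scheme for the API: validates JWTs issued by the same authorization server.
            app.UseOktaWebApi(new OktaWebApiOptions
            {
                OktaDomain = "https://{yourOktaDomain}",    // placeholder
                AuthorizationServerId = "default",
            });

            // 3. Web API must ignore the cookie principal and authenticate with the bearer
            //    scheme only; otherwise a browser could drive the API through the cookie (CSRF).
            var config = new HttpConfiguration();
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType)); // "Bearer"
            config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}",
                new { id = RouteParameter.Optional });
            app.UseWebApi(config);
        }
    }

    // API controller: [Authorize] here is satisfied only by a valid bearer token.
    [System.Web.Http.Authorize]
    public class OrdersController : ApiController
    {
        public IHttpActionResult Get() =>
            Ok(new { user = User.Identity.Name, orders = new[] { "order-1", "order-2" } }); // constructed data
    }

    // MVC controller: protected by the cookie. It calls the API server-side with the access
    // token the Okta handler stored as a claim, so the token never has to reach the browser.
    [System.Web.Mvc.Authorize]
    public class DashboardController : System.Web.Mvc.Controller
    {
        private static readonly HttpClient Api =
            new HttpClient { BaseAddress = new System.Uri("https://localhost:44300/") };

        public async Task<System.Web.Mvc.ActionResult> Index()
        {
            // Claim type "access_token" is an assumption; check the Okta.AspNet version in use.
            var accessToken = ((ClaimsPrincipal)User).FindFirst("access_token")?.Value;
            if (accessToken == null)
                return new System.Web.Mvc.HttpUnauthorizedResult();

            var request = new HttpRequestMessage(HttpMethod.Get, "api/orders");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            var response = await Api.SendAsync(request);
            ViewBag.Orders = await response.Content.ReadAsStringAsync();
            return View();
        }
    }
}
```

The point of step 3 is the one raised earlier in the thread: the API should not honour the session cookie at all, only the bearer token, and `SuppressDefaultHostAuthentication` plus the `HostAuthenticationFilter("Bearer")` is what enforces that in Web API 2 on OWIN. Calling the API from the MVC controller rather than from page script keeps the access token server-side; if the pages must call the API from the browser instead, the same token would have to be handed to script, which exposes it to any XSS on the page, so short token lifetimes and a strict CSP become more important in that variant.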