I can find an example for securing ASP.Net MVC endpoints (cookie) and SPA API endpoints (Auth header) but I can’t seem to find an example of securing BOTH.
I have an ASP.Net MVC app that has a few pages (routes/endpoints) that need to be secure. Code within those pages makes API calls, and those API endpoints ALSO need to be secure. Everything is from the same server. I am adding the Okta MVC to the middleware pipeline with “app.UseOktaMvc.”
From what I have seen, it doesn’t appear that the API endpoints respect the Auth cookie that’s being submitted (and I know using a cookie to secure APIs is bad practice).
So, how can I secure my ASP.Net MVC code and my API endpoints with cookies or tokens minted from the one Okta login?