Secure MVC endpoints AND API endpoints

I can find an example for securing ASP.Net MVC endpoints (cookie) and SPA API endpoints (Auth header) but I can’t seem to find an example of securing BOTH.

I have an ASP.Net MVC app that has a few pages (routes/endpoints) that need to be secure. Code within those pages makes API calls, and those API endpoints ALSO need to be secure. Everything is from the same server. I am adding the Okta MVC to the middleware pipeline with “app.UseOktaMvc.”

From what I have seen, it doesn’t appear that the API endpoints respect the Auth cookie that’s being submitted (and I know using a cookie to secure APIs is bad practice).

So, how can I secure my ASP.Net MVC code and my API endpoints with cookies or tokens minted from the one Okta login?


If I understand this correctly, the missing piece you have is your resource server that you’d like to secure with tokens, is that right? Is your MVC application also using OpenID Connect under the hood?

You may want to take a look at our ASP.NET resource server sample, which will take access tokens retrieved via, say, your SPA, and allow users with valid tokens to access protected resources.
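A configuration that covers both halves of the question (cookie-protected MVC pages and bearer-protected API endpoints in one app, both trusting the same Okta authorization server), added here as an illustration and not taken from the thread or from Okta's samples. It assumes ASP.NET Core with Microsoft's cookie, OpenID Connect and JWT bearer handlers rather than the OWIN `UseOktaMvc` package; the Okta issuer, client credentials and audience are placeholders.

```csharp
// Added example, not from the original post or Okta's samples. Assumes the ASP.NET Core web SDK
// (implicit usings) and placeholder Okta values below.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
const string OktaIssuer = "https://{yourOktaDomain}/oauth2/default"; // placeholder

builder.Services.AddAuthentication(options =>
{
    // Browser requests default to the cookie; unauthenticated ones are redirected to Okta.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = OktaIssuer;
    options.ClientId = "{clientId}";         // placeholder
    options.ClientSecret = "{clientSecret}"; // placeholder
    options.ResponseType = "code";
    options.SaveTokens = true;               // keeps the access token for the page's own API calls
    options.Scope.Add("openid"); options.Scope.Add("profile");
})
.AddJwtBearer(options =>
{
    // Same issuer, but this handler reads only the Authorization header, never the cookie.
    options.Authority = OktaIssuer;
    options.Audience = "api://default";      // placeholder; must match the token's aud claim
});

builder.Services.AddControllersWithViews();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();             // conventional routes for views, attribute routes for the API
app.Run();

// MVC page: satisfied only by the cookie scheme (the default); a bearer token alone is ignored.
[Authorize]
public class HomeController : Controller { public IActionResult Index() => View(); }

// API: satisfied only by a bearer token; a request carrying just the cookie gets 401.
[ApiController, Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class OrdersController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(new { user = User.Identity?.Name });
}
```

Keeping the API on its own scheme is what prevents a cookie-bearing cross-site request from reaching it, which is the practical reason cookies are a poor fit for API authentication.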