We have two applications, hosted separately, one is an angular/nodejs base SPA application http://spaapplication and it successfully can authenticate using OIDC (with JWT) using implicit flow via OKTA. We have another application that uses “MembershipProvider” implementation using .NET 4.5, http://legacyaspnetapp/ . We want to be able to SSO into the http://legacyaspnetapp/ second application using the first application http://spaapplication “token”/auth session in the same browser session. The requirement is the first application is not allowed to POST or GET into the .NET application server, so how would we go about picking up the session/auth and validating in the second application to authenticate and login?
Your help here would be grateful.