Share Authentication tokens between ASP.NET Core MVC and Angular4 app

Question

We currently have an ASP.NET Core MVC app in combination with IdentityServer4 for authentication. The user authenticates via IdentityServer (with the HybridAndClientCredentials flow) to ADFS before it has access to the MVC application. The SignInScheme on the MVC client is set to the values "Cookies".

We would like to extend our MVC app to host multiple Angular apps. Sometimes even more than 1 Angular app per MVC view. The angular apps will call seperate ASP.NET Core Web API's on behalf of the user.

My question is how does the angular apps know that the user is already authenticated in the MVC application, retrieve the access token and call the API's on the user behalf?

I have been playing around with solution Scott Brady came up with but there seems no integration between the MVC app & Angular app. The Angular app will try to authenticate to identityserver and expect a callback on a particular page.

I am looking for a solution how to share the accesstokens between the MVC app and the angular apps but I am stuck. Any help is much appreciated.

Answer 1

If they have to sign in via the server-side hybrid flow already then the simplest way would be an endpoint in your MVC app that is cookie-secured that the client side app can call to get the access token.

Another approach is to use oidc-client-js and have the client side Angular app obtain its own token.

You could abstract this away from the client side app itself so it's easy to change the mechanism later if you need to. As it happens we use a combination of server side and client side flows and it works fine.