I have two MVC 5 projects that I would like to be protected by as much built-in (e.g. Identity) authorization capabilities as possible. The first is a Web API project, serving JSON responses to an Angular app based in the second, a plain MVC project (the 'UI' project). The UI project basically just serves Angular templates, and provides some miscellaneous runtime functionality.
I want the API project to be accessible to other agents, besides just the UI project, so I would like e.g. that when an agent wants to access a resource, they are redirected to the login sub-system of the API project, which acts as an 'authentication service', but then when I have authenticated the user via the API, I want that user to be authorised to use the UI project as well.
Can I achieve this using mainly Identity and as little custom code as possible, and how would I go about this? The reason I want to write as little code as possible is not laziness, but I am aware of just how risky writing any of one's own security code is.
