I have this solution:

I need to authenticate on the ASP.NET MVC site and on the Web API 2.0 just once (I mean that I do not have to check whether the username and password are correct on the MVC site and then check them again on the Web API).

I honestly think that AngularJS and ASP.NET MVC are not a good couple. But that's it! The ASP.NET MVC site and the Web API could be on different servers.

At the moment I can authenticate only on the MVC application; I cannot "pass" the authentication on to the Web API. I am using the default code of ASP.NET Identity. So, in my startup class I have:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

So, how can I be "automatically" authenticated on the Web API, once I have been authenticated on the ASP.NET MVC site?

Thank you

UPDATE

I have updated the image. At the moment I make some requests from the MVC application, but those requests do not need authentication. Some other requests arrive from AngularJS, and here I need authentication. At the moment I authenticate the user in the MVC application.

Simone

1 Answer

If I have this right, then there's a pretty simple solution to your problem.

The user is authenticated in the MVC app, which means any calls to the MVC controllers and action methods are protected and have been successfully authenticated.

Within your MVC app, you are making requests to your Web API.

The Web API needs to protect its resources somehow from incoming requests, and considering that only your MVC app should be responsible for making these requests, you should implement a client secret OAuth flow within your Web API.

Think of it as registering your MVC app as a consumer of your Web API.

Each call from your MVC app to the Web API supplies its client ID and secret, which your Web API verifies before serving up its resources.

From your Web API's point of view it doesn't care who the user is; it only cares about the applications that are trying to access its resources.

If an application cannot provide a secret, then it doesn't get access.

* EDIT *

In a scenario where your Web API is not public facing and requires only authenticated access to its resources, your client browser should not be talking directly to the API.

You could use token-based authentication, where once authenticated by a token endpoint the client browser passes a bearer token in the header of each request made to your API.

However, that would mean you're passing an access token to the browser, and I don't think that's great for security.

That is why I would recommend that the client browser only ever makes calls to the MVC app, as it's living on a server where its calls can't be manipulated and any access token can't be intercepted.

Derek
  • Hi @Derek... you are partially right: in the MVC app, I have controllers that are protected and I have been successfully authenticated there. But my Web API must care about whether the user is authenticated! So, registering your MVC app as a consumer of your Web API is not enough – Simone Nov 03 '16 at 11:25
  • What is calling the Web API? Is it called from within the scope of the MVC app, in its action methods, or are you firing requests to the API from the client browser via AngularJS? Your diagram suggests otherwise. – Derek Nov 03 '16 at 11:49
  • It depends on the context... At the moment, while front end and back end are on the same machine, AngularJS will call the Web API directly. When the back end is moved to a server that is not visible from outside, AngularJS will call the Web API via MVC. At the moment, you are right, my diagram is wrong... (I will correct it) – Simone Nov 03 '16 at 11:57
  • I've edited my post. I'm slightly confused as to what it is your MVC app is actually doing other than serving cshtml pages. – Derek Nov 04 '16 at 09:00
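One way to wire up the client-secret flow the answer recommends, as an added example that is not part of the original post or of either app's code. It uses the OWIN OAuth middleware that ships with the Web API 2 templates; the client id, secret, token path and lifetime are assumed placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;
// Checks the MVC app's client_id/client_secret and issues a bearer token via the
// client-credentials grant. Placeholder values; load real ones from protected config.
public class ClientCredentialsProvider : OAuthAuthorizationServerProvider
{
    const string KnownClientId = "mvc-app";                             // placeholder
    const string KnownClientSecret = "replace-with-long-random-secret"; // placeholder

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        // Credentials may arrive as HTTP Basic auth or as form fields of the token request.
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);
        if (clientId == KnownClientId && clientSecret == KnownClientSecret)
            context.Validated(clientId);
        else
            context.SetError("invalid_client", "Unknown client or bad secret.");
        return Task.FromResult(0);
    }

    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        // The token names the calling application, not an end user (see the answer above).
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("client_id", context.ClientId));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),   // POST grant_type=client_credentials here
            Provider = new ClientCredentialsProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AllowInsecureHttp = false                       // secrets and tokens over HTTPS only
        });
        // Validates "Authorization: Bearer <token>" on each Web API request, so [Authorize] applies.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

The MVC server obtains the token by POSTing its client id and secret to /token and then sends it in the Authorization header of each call to the Web API, so the browser never sees the secret or the token. As the comments point out, this token carries no user identity; if the API must know the user, that has to be conveyed separately.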