SERVER SIDE ARCHITECTURE
The OWIN stack will tie you to cookie-based security and works like this. It may be that this is a perfect fit for your requirements:
- Web UI makes an Ajax call to a web back end and implicitly sends an auth cookie
- Web UI is limited to calling a web back end in the same domain
- Web back end gets access token from cookie
- Web back end forwards the access token to an API in a different domain
- API validates access token
A common approach is demonstrated in this thread, where tokens are included in the auth cookie, and the web back end unpacks the tokens from the cookie.
// Inside the OWIN OpenIdConnectAuthenticationNotifications.AuthorizationCodeReceived handler
// (n = the notification, tokenResponse = result of redeeming the code; needs System.Security.Claims and Microsoft.Owin.Security)
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
// Replace the ticket's identity so the token claims are serialized into the protected auth cookie
n.AuthenticationTicket = new AuthenticationTicket(id, n.AuthenticationTicket.Properties);
REQUIREMENTS?
I would always recommend starting with goals / requirements rather than technology from vendors such as Microsoft, which is often a little old or suboptimal.
CLIENT SIDE ARCHITECTURE
If you want to do more on the client side, then an alternative approach is to use an SPA architecture and do more in JavaScript:
- Use a library such as oidc-client
- Send access tokens directly to cross domain APIs
- Consider storing tokens only in browser memory rather than in local storage
If interested in this approach in terms of your future planning, then these 2 posts of mine are a good starting point:
Anyway, if any of this is useful, feel free to post follow up questions.