
I have an Angular SPA that communicates with my ASP.NET Core server. When a user logs in to my system using his phone number and password, the server returns a self-signed access token. I'm trying to enable the user to activate 2FA SMS authentication. If 2FA is enabled, on a successful user name and password request, a code will be sent to the user using an SMS. Only after the user enters a valid code will he receive the access token.

After searching a while for a solution I found only examples for 2 options:

  1. Cookie-based authorization solutions that work with SMS as 2FA.
  2. Token-based authorization that works with an app as 2FA.

My problem is that I'm not sure what I need to send to the client on successful user name and password validation. At first, I thought about returning a short-lived access token that will enable the user only to access the SMS code validation. I can block this access token from any other controller method that requires authorization using middleware, and using this approach I will not need to change other controllers' code (most of the controllers are using the default Authorize attribute, which only checks that the user has a valid access token). The thing is that I don't want to reinvent the wheel, and it feels that if there are no good examples for this scenario it's probably because it isn't a good idea.

Any help will be deeply appreciated. Kind regards, Tal

Tal Humy
  • Please note that SMS is not a good second factor anymore. Authenticator apps (TOTP or HOTP) are in general more secure against real-life threats. – Gabor Lengyel Nov 18 '20 at 13:27
  • 1
    Thank you for your reply. I know this but unfortunately, our users will not use the 2FA app, and I think its still better to add sms as 2FA instead of not using 2FA at all. – Tal Humy Nov 18 '20 at 13:45

0 Answers
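The design the question sketches (a short-lived, purpose-restricted token after the password step, and the real access token only after the SMS code) can be implemented without touching existing `[Authorize]` controllers by changing what the default authorization policy means. The following is an added example written for this page, not code from the asker or any answer. It assumes a .NET 6+ minimal API, the `System.IdentityModel.Tokens.Jwt` package, a placeholder signing key, and constructed in-memory stand-ins for the user store and SMS gateway; the claim names `token_purpose` and `mfa_pending` are this example's own choices, while `amr` with the values `pwd` and `mfa` follows RFC 8176.

```csharp
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder key for this example only; load a real key from configuration or a vault.
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("example-only-secret-at-least-32-bytes-long!!"));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = "example-issuer",
        ValidAudience = "example-spa",
        IssuerSigningKey = signingKey,
        ClockSkew = TimeSpan.FromSeconds(30),
    });

builder.Services.AddAuthorization(options =>
{
    // What a bare [Authorize] means from now on: authenticated AND past the second
    // factor. Existing controllers keep their attribute unchanged; a pending token
    // carries no amr=mfa claim, so every one of them answers 403 to it.
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("amr", "mfa")
        .Build();

    // The only policy that accepts the short-lived pending token.
    options.AddPolicy("MfaPending", p => p
        .RequireAuthenticatedUser()
        .RequireClaim("token_purpose", "mfa_pending"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed stand-ins: a real system stores password hashes and calls an SMS gateway.
var users = new Dictionary<string, string> { ["+15550100"] = "correct horse battery staple" };
var pendingCodes = new ConcurrentDictionary<string, (string Code, DateTime Expires)>();

// Step 1: phone number + password. On success the caller gets only a pending token.
app.MapPost("/login", (LoginRequest req) =>
{
    if (!users.TryGetValue(req.Phone, out var pw) || pw != req.Password)
        return Results.Unauthorized();

    var code = RandomNumberGenerator.GetInt32(1_000_000).ToString("D6");
    pendingCodes[req.Phone] = (code, DateTime.UtcNow.AddMinutes(5));
    Console.WriteLine($"[sms stand-in] to {req.Phone}: {code}"); // gateway call goes here

    var pending = IssueToken(req.Phone, TimeSpan.FromMinutes(5),
        new Claim("token_purpose", "mfa_pending"), new Claim("amr", "pwd"));
    return Results.Ok(new { mfaRequired = true, pendingToken = pending });
});

// Step 2: SMS code. Requires the pending token; the code is single-use and expires.
app.MapPost("/login/sms", [Authorize(Policy = "MfaPending")] (ClaimsPrincipal user, SmsRequest req) =>
{
    var phone = user.FindFirst(ClaimTypes.NameIdentifier)!.Value;
    if (!pendingCodes.TryRemove(phone, out var entry)       // removed on first attempt: single use
        || entry.Expires < DateTime.UtcNow
        || !CryptographicOperations.FixedTimeEquals(
               Encoding.UTF8.GetBytes(entry.Code), Encoding.UTF8.GetBytes(req.Code)))
        return Results.Unauthorized();

    var access = IssueToken(phone, TimeSpan.FromHours(1),
        new Claim("amr", "pwd"), new Claim("amr", "mfa"));
    return Results.Ok(new { accessToken = access });
});

// Any ordinary endpoint: the default policy applies, so a pending token gets 403.
app.MapGet("/profile", [Authorize] (ClaimsPrincipal user) =>
    Results.Ok(new { phone = user.FindFirst(ClaimTypes.NameIdentifier)!.Value }));

app.Run();

string IssueToken(string phone, TimeSpan lifetime, params Claim[] extra)
{
    var claims = new List<Claim> { new(ClaimTypes.NameIdentifier, phone) };
    claims.AddRange(extra);
    var jwt = new JwtSecurityToken("example-issuer", "example-spa", claims,
        expires: DateTime.UtcNow.Add(lifetime),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

record LoginRequest(string Phone, string Password);
record SmsRequest(string Code);
```

The point of the `DefaultPolicy` change is that the pending token is rejected by every existing `[Authorize]` endpoint by construction rather than by a deny-list in middleware, so adding a controller later cannot accidentally accept it. The pending token's lifetime is tied to the code's validity window, the code is consumed on the first verification attempt, and the final token records both factors in `amr`, which lets later authorization decisions (or logs) distinguish a password-only session from a completed 2FA session. The `/login/sms` endpoint should additionally be rate limited per phone number, since a six-digit code is otherwise cheap to guess within its window.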