I'm looking to use SSO with Web API 2.2 for use in multiple applications, including mobile and ASP.NET MVC 5.
I got the basic idea of creating an authentication token via Web API, but I have a few questions:
1- Is it safe to store the authentication token in a cookie along with the user name?
2- Can I tie that authentication to the Identity framework in MVC and be able to use roles?
3- How can I validate roles? Do I have to send a request to the API for each controller marked as authorized with a certain role to make sure it's the right role for the user?
4- If I log in from the web app and get an authentication token, and then try to log in from mobile, will it send the same token?
In order to add a Web API Controller you will need to Right Click the Controllers folder in the Solution Explorer and click on Add and then Controller. Now from the Add Scaffold window, choose the Web API 2 Controller – Empty option as shown below. Then give it a suitable name and click OK.
In the management dashboard, click Apps / APIs. Click the application for which you want to enable Single Sign On. In the Settings tab, scroll down until you see the "Use Auth0 instead of the IdP to do Single Sign On" switch. Flip the switch and save the changes.
OK, so I'll answer this question with what I've done.
The basic architecture will be divided into three main parts:
1- Identity Server 4 (using ASP.NET Core).
2- Web API (using ASP.NET Core).
3- Client side (using Angular 2); however, you can also use any client-side framework or ASP.NET Core.
Identity Server will generate tokens, which will be sent with each request to the Web API, and it does support ASP.NET Identity and roles. This way you can easily extend it for mobile and send the token with each request.
Link to the Identity Server 4 docs: http://docs.identityserver.io/en/release/quickstarts/6_aspnet_identity.html
Link to GitHub, where you can find more examples: https://github.com/IdentityServer/IdentityServer4
Android working with Identity Server 4: https://github.com/leo9223/Android-Resource-Owner-Flow-client-for-IdentityServer4
Note: for ASP.NET MVC 5, you can use cookie authentication (which will not work for mobile) but will provide SSO for separate applications.
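One way the Web API part of the architecture in the answer above can validate tokens and roles locally, as an added example (not the answerer's code or an IdentityServer sample). It assumes ASP.NET Core 6 or later with the Microsoft.AspNetCore.Authentication.JwtBearer package and that the identity server places a `role` claim in the access token; the authority URL, audience and controller names are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder URL of the identity server. Its signing keys are read
        // from the discovery document and cached, so each token's signature
        // is verified inside this API, not by a call per request.
        options.Authority = "https://identity.example.com";
        options.Audience = "orders-api";       // hypothetical API name
        options.RequireHttpsMetadata = true;   // never fetch keys over plain HTTP
        options.MapInboundClaims = false;      // keep the short "role" claim name
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,     // token must come from the Authority
            ValidateAudience = true,   // and must be issued for this API
            ValidateLifetime = true,   // expired tokens are rejected
            RoleClaimType = "role",    // claim that [Authorize(Roles = ...)] reads
            NameClaimType = "name"
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/orders")]      // hypothetical controller
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize]                     // 401 without a valid token
    public IActionResult List() => Ok(new[] { "order-1" });

    [HttpDelete("{id}")]
    [Authorize(Roles = "Admin")]    // 403 unless the token carries role=Admin
    public IActionResult Delete(string id) => NoContent();
}
```

Because roles travel inside the signed token, a role change only takes effect when a new token is issued, so short access-token lifetimes limit how long a revoked role stays usable.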