Tags: asp.net, asp.net-web-api, asp.net-identity, thinktecture-ident-server

Using a Web API Service as Central Authentication Point


I'm very new to the identity management world, so please spare me. :)

What I would like to do is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.

That way, I could use SSO for the client applications (I guess).

Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)? I don't know if IdentityServer could help me with what I want?

And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?


Solution

  • Thank you for all the help. :)

    I did some research myself during the last few months and I learnt a lot about the identity management stuff. Much of that is also thanks to the guys from IdentityServer (and their other projects).

    What I finally did was the following (very briefly):

    • IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
    • I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
    • I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
    • As a side note, IdentityManager is used as an internal admin tool to manage all the users.

    If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
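
The arrangement described in the answer above, sketched as OWIN startup code for one MVC client and for the user-management Web API. This is an added example, not the answerer's code; it assumes IdentityServer3 with the IdentityServer3.AccessTokenValidation package, and the URLs, client id, scope name and class names are placeholders.

```csharp
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;   // assumed package for bearer token validation
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Startup of one MVC client application (each client is registered
// in IdentityServer with its own ClientId and redirect URI).
public class MvcClientStartup
{
    public void Configuration(IAppBuilder app)
    {
        // Local session cookie, written only after IdentityServer has signed the user in.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        // A 401 from the MVC app becomes a browser redirect to IdentityServer.
        // The client never sees or stores the user's password.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://identity.example.test/core",  // placeholder
            ClientId = "mvc-client-1",                          // placeholder
            RedirectUri = "https://client1.example.test/",      // must match the registered URI exactly
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies"
        });
    }
}

// Startup of the Web API service used for user management.
public class UserApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        // Accept only bearer tokens issued by the same IdentityServer
        // that carry the scope this API requires ("user-api" is a placeholder).
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://identity.example.test/core",
            RequiredScopes = new[] { "user-api" }
        });

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        config.Filters.Add(new AuthorizeAttribute());  // no anonymous access to any controller
        app.UseWebApi(config);
    }
}
```

The two classes belong to separate projects; a caller of the Web API needs an access token for the required scope, which the sign-in shown here does not request.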