Tags: authentication, asp.net-core-mvc, asp.net-core-2.0, asp.net-core-mvc-2.0

Share credentials between 2+ internal MVC Core 2 apps w/o Identity Server


What is the best way to share credentials between 2+ ASP.Net MVC Core applications, meaning a user can log into one application and will have access to the other application(s). The apps are for external clients but would be hosted on the same server. I am looking for the simplest solution, I don't want to implement an OAuth server unless absolutely necessary. I have considered the following options:

  1. Implement Identity Server 4. This seems like overkill for my use case, looks like a significant effort, and may require more time to implement than a simple MS Core Identity solution.
  2. Use MVC Core 2 MS Identity and share the authentication database between the two databases. This implies using a unique DB for each application, but a single DB for authentication.
  3. Sharing authentication cookies between applications (on the same domain etc).
  4. Any other ideas?

Solution

  • It depends on one main thing: what are the domains the sites are being deployed to? Session-based authentication (what websites use) depends on a cookie being set on the client. Importantly, cookies are domain-bound. In other words, a cookie can only be "shared" with sites on the same domain, or subdomains on the same domain if the cookie domain is set as a wildcard.

    That right there defines your whole approach. If you've got something like abc.com/site1 and abc.com/site2 or even site1.abc.com and site2.abc.com, you can share the cookie. However, if you're dealing with abc.com and xyz.com, you're borked.

    If all the sites are on the same domain (or subdomains on the same domain), then all you need to ensure is that all the sites are using the same data protection setup. In previous ASP.NET sites, encryption was handled via a "machine key", so you simply had to ensure that the machine key was shared. ASP.NET Core uses Data Protection, which functions differently, but the basic principle still exists. All the setup needs to be the same across all the sites so they essentially all encrypt and decrypt things in the same way. Since the auth cookie is encrypted, this is absolutely required to share that cookie. Thankfully, Microsoft has a guide for doing this.

    If the sites are on completely different domains, there is no way to share the auth cookie. Period. Full stop. Your only choice then is something like Identity Server.
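Added example (not from the question or the answer above): a Startup.cs for ASP.NET Core 2.x Identity that puts the answer's two requirements into code, a shared Data Protection key ring plus identical cookie settings, and also wires Identity to one shared auth database as the question's option 2 suggests. The same file goes into every app that should accept the cookie. The key directory path, the connection string name "SharedAuthDb", the cookie name and the ".abc.com" domain are assumptions for illustration; replace them with your own. `ProtectKeysWithDpapi` is Windows-only; on Linux you would use `ProtectKeysWithCertificate` instead.

```csharp
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Startup.cs: deploy this identically to site1 and site2 (same server, same domain).
public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // One shared Identity database for all apps; each app keeps its own
        // application data elsewhere. "SharedAuthDb" is an assumed name.
        services.AddDbContext<AuthDbContext>(o =>
            o.UseSqlServer(_config.GetConnectionString("SharedAuthDb")));

        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<AuthDbContext>()
            .AddDefaultTokenProviders();

        // Requirement 1: identical Data Protection setup.
        // Every app must read the SAME key ring AND use the SAME application name;
        // the application name is part of the purpose string, so a different name
        // means the other app's cookie fails to unprotect and the user appears
        // logged out. Lock this directory down: anyone who can read the keys can
        // forge a valid auth cookie for any user.
        var keyDir = new DirectoryInfo(@"C:\shared\aspnet-keys"); // assumed path
        services.AddDataProtection()
            .PersistKeysToFileSystem(keyDir)
            // Same server, possibly different app-pool identities: protect the
            // keys at rest with machine-scope DPAPI so each app can still read them.
            .ProtectKeysWithDpapi(protectToLocalMachine: true)
            .SetApplicationName("SharedCookieApp");

        // Requirement 2: identical cookie settings, so the browser presents one
        // cookie to every app.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = ".AspNet.SharedCookie";      // assumed name
            // Leading dot covers site1.abc.com and site2.abc.com (assumed domain).
            options.Cookie.Domain = ".abc.com";
            // The cookie path defaults to the app's PathBase, which would scope the
            // cookie to /site1 only when apps are hosted as abc.com/site1 and
            // abc.com/site2; "/" makes it visible to both.
            options.Cookie.Path = "/";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so User is populated
        app.UseMvc();
    }
}

public class AuthDbContext : IdentityDbContext<IdentityUser>
{
    public AuthDbContext(DbContextOptions<AuthDbContext> options) : base(options) { }
}
```

A quick check after deploying: sign in on site1, then open site2 and confirm the same `.AspNet.SharedCookie` is sent and `User.Identity.IsAuthenticated` is true. If it is sent but site2 still treats you as anonymous, the key ring or the application name differs between the apps; if it is not sent at all, the Domain or Path setting is wrong for the hosting layout.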