Authentication between Web App, Web API and Mobile App

Question

I need suggestions for authentication between these three applications (web, API, mobile).

Use Case

• I have .Net Core Web API which works with basic authentication (i.e. username and password in header).
• I need to consume that API in my .Net Core Web App and Xamarin mobile app.
• I want to integrate security model between all three applications.

Problem Statements

• I don't have knowledge about how the same authentication can work for Web App and API.
• I don't want to use any third-party authentication provider. I would like to have my users in database only.
• What is best way to secure my API?
• Once I secure my Web API, How about authentication on Web App and Mobile App?

I know this is a broad question but simplest answer/way will help me to decide further path. I have enough knowledge about authentication like AD, OAuth, Open Connect, JWT But honestly not sure how to use it in my scenario.

Answer 1

A simple way to do it would be have your API work with JWT and connect to a database holding your users info. You'd have a route that receives username and password and returns a token. For all the authenticated routes, the request needs this token on the header. For the clients (Web App and Xamarin), you'd store the received token as a cookie and send it together on every API call.