This repository was archived by the owner on Apr 8, 2020. It is now read-only.

Question: What are others approach for SPA and MVC to trigger authentication? #1552

Closed
NelsonLamprecht opened this issue Feb 23, 2018 · 6 comments

Comments

@NelsonLamprecht

NelsonLamprecht commented Feb 23, 2018

Is it using the MapSpaFallbackRoute and hosting the SPA on that mvc cshtml page instead of the angular cli index.html?
Is it calling an authenticated mvc api and forcing a redirect in SPA?
Other solutions with the angular cli config?

What I don't want is any unauthenticated access to the application....

@NelsonLamprecht NelsonLamprecht changed the title Question: What is the best approach for SPA and MVC to trigger authentication? Question: What others approach for SPA and MVC to trigger authentication? Feb 23, 2018
@NelsonLamprecht NelsonLamprecht changed the title Question: What others approach for SPA and MVC to trigger authentication? Question: What are others approach for SPA and MVC to trigger authentication? Feb 23, 2018
@k11k2

k11k2 commented Feb 26, 2018

@NelsonLamprecht It depends on how you are trying to implement authentication. If from the Angular side, then don't go for hosting the SPA on cshtml; otherwise you need to go through MVC but hosting the SPA on cshtml, which is not much recommended. Currently I'm facing a few troubles hosting the SPA on cshtml in prod.

MapSpaFallbackRoute and hosting the SPA on that mvc cshtml page instead of the angular cli index.html?

In the new aspnet Angular 5 CLI template it is not as smooth as in the previous template. You need to find a way to make it work.

Is it calling an authenticated mvc api and forcing a redirect in SPA?

You can do it, but you need to check all your concerns, like storing and passing the token to the Angular side.
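
The "call an authenticated MVC API and force a redirect in the SPA" option discussed above, sketched as an added example that is not part of any comment in this thread. The probe path, login path and `ReturnUrl` parameter name are assumptions; the fetch and navigation functions are passed in so the logic can run outside a browser.

```javascript
// Added example. PROBE_URL, LOGIN_PATH and the ReturnUrl parameter name are
// assumptions for illustration; they do not come from the thread.
const PROBE_URL = "/api/session";    // hypothetical [Authorize]-protected MVC action
const LOGIN_PATH = "/Account/Login"; // hypothetical server-rendered login page

// Classify the probe response. Cookie authentication may answer with a
// redirect to the login page instead of 401; fetch follows it and reports a
// 200 HTML response, so status alone is not enough.
function classifyProbe(res) {
  if (res.status === 401) return "login";
  if (res.redirected || res.type === "opaqueredirect") return "login";
  const type = (res.headers.get("content-type") || "").toLowerCase();
  if (res.ok && type.startsWith("application/json")) return "ok";
  return "error"; // 403, 5xx, unexpected body: fail closed without a login loop
}

// Keep only same-origin targets so ReturnUrl cannot become an open redirect.
function safeReturnPath(candidate, origin) {
  try {
    const u = new URL(candidate, origin);
    return u.origin === origin ? u.pathname + u.search + u.hash : "/";
  } catch {
    return "/";
  }
}

function loginUrl(currentHref, origin) {
  const target = safeReturnPath(currentHref, origin);
  return LOGIN_PATH + "?ReturnUrl=" + encodeURIComponent(target);
}

// Run before bootstrapping the SPA; start Angular only when this resolves true.
// fetchImpl and navigate are injected so the logic also runs outside a browser.
async function requireSession(fetchImpl, loc, navigate) {
  let decision = "error";
  try {
    const res = await fetchImpl(PROBE_URL, {
      credentials: "same-origin",
      headers: { Accept: "application/json" },
    });
    decision = classifyProbe(res);
  } catch {
    // Network failure: keep "error" and do not start the app.
  }
  if (decision === "login") navigate(loginUrl(loc.href, loc.origin));
  return decision === "ok";
}
```

This only gates when the client code starts; the API actions behind it still need their own server-side authorization.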

@akiander

I have this same issue... was there a recommended approach found here?

@ADefWebserver

ADefWebserver commented Mar 21, 2018

I cover my method here:
http://lightswitchhelpwebsite.com/Blog/tabid/61/EntryId/4312/An-Angular-4-DotNetCore-2-0-Example-With-Application-Shell-and-Authentication.aspx

Basically I log in a person with code like this:

    [HttpPost]
    [AllowAnonymous]
    public async Task<IActionResult> Index([FromBody]DTOAuthentication Authentication)
    {
        // LoginStatus to return
        LoginStatus objLoginStatus = new LoginStatus();
        objLoginStatus.isLoggedIn = false;
        // Get values passed (Authentication is null when the body is missing or unreadable)
        var paramUserName = Authentication?.userName;
        var paramPassword = Authentication?.password;
        if ((paramUserName != null) && (paramPassword != null))
        {
            // This doesn't count login failures towards account lockout
            // To enable password failures to trigger account lockout, 
            // set lockoutOnFailure: true
            // Await the sign-in instead of blocking the request thread on .Result
            var result = await _signInManager.PasswordSignInAsync(paramUserName, 
                paramPassword, false, lockoutOnFailure: false);
            if (result.Succeeded)
            {
                objLoginStatus.status = "Success";
                objLoginStatus.isLoggedIn = true;
                return Ok(objLoginStatus);
            }
            if (result.RequiresTwoFactor)
            {
                objLoginStatus.status = "RequiresVerification";
                return Ok(objLoginStatus);
            }
            if (result.IsLockedOut)
            {
                objLoginStatus.status = "IsLockedOut";
                return Ok(objLoginStatus);
            }
        }
        objLoginStatus.status = "Authentication Failure";
        return Ok(objLoginStatus);
    }

@brockallen

Many people use IdentityServer as an OIDC/OAuth2 token service to protect their APIs. The SPA code can then use something like oidc-client to obtain and manage tokens.

http://identityserver.io/
https://www.npmjs.com/package/oidc-client

Samples here: http://docs.identityserver.io/en/release/quickstarts/7_javascript_client.html

@SteveSandersonMS
Member

Hope some of the approaches described here are what you need.

I'll mark this closed since it's not an active work item, but please feel free to continue the discussion!

@akiander

@brockallen - your suggestion of using the oidc-client is perfect, thank you. That pointed me in the right direction.

Since my application is an Angular 5 application, I was able to follow this article and am now successfully authenticating against my identity provider.
