I have a single page app - more or less based on the MVC5 SPA template - using bearer tokens for authentication.
The site also has a couple of conventional MVC pages which need to be secured, but using cookie authentication.
In Startup.Auth I can enable both types of authorisation:
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOAuthBearerTokens(OAuthOptions);
However, this seems to have a side-effect in that whenever an AJAX request is sent from the SPA, it sends both the bearer token in the header and the cookie.
Whereas the behaviour I really want is that only the bearer token is used for WebAPI calls, and only the cookie for MVC calls.
I'd also like the MVC calls to redirect to a login page when not authorised (set as a CookieAuthenticationOption), but obviously I don't want this to happen when making an API call.
Is there some way to have this type of mixed-mode authentication within one application? Perhaps through a path/route filter?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…