I've created a Web API (using ASP.NET Core MVC 1.1). Now we are about to start developing two front ends: a phone app (using Ionic) and a web app (using ASP.NET Core MVC 1.1).
I am trying to wrap my brain around the authentication of the entire system. We're looking at using Auth0 to delegate the authentication to a third party company, but I'm trying to figure out how that would work considering we have a Web API backend that also needs some form of authentication?
If we do the authentication on the front end side using Auth0, can we then have a simple authentication between the web/phone apps and the web API? So that the web/phone apps authenticate themselves to the web API? I'm not talking about authenticating on behalf of the client, i.e. with a username and password, but rather authenticating the phone/web apps themselves, if that makes sense. That would prevent anyone from being able to access the web API directly from a browser or Postman by typing the URL of the API, for example. So the web API would only grant access to the phone and web apps. But when it comes to user-level authentication (i.e. the user logging in with his username and password), that would be handled by the phone/web apps using Auth0?
I don't know - I'm probably completely off course with my line of thinking. I'm just a bit lost... Essentially, we need users to be able to log on with their username and password on the web/phone apps, and also we need some sort of protection for the web api itself to prevent anyone from simply calling the api from their web browsers or Postman, etc.
Any pointers in the right direction would be GREATLY appreciated!
Thanks in advance....
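As an added example (not code from the question author or from Auth0), here is the shape the usual Auth0 setup takes on the API side in ASP.NET Core 1.1: the Ionic/web front end logs the user in with Auth0 and receives a JWT access token, sends it to the Web API as `Authorization: Bearer <token>`, and the API validates the token's signature, issuer, audience and expiry with the `Microsoft.AspNetCore.Authentication.JwtBearer` middleware. The tenant domain `https://YOUR_TENANT.auth0.com/` and the API identifier `https://api.example.com` are placeholders you would replace with your own Auth0 settings.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

namespace ExampleApi
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
        }

        // ASP.NET Core 1.x style: the bearer middleware is wired up in Configure.
        public void Configure(IApplicationBuilder app)
        {
            app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                // Auth0 tenant (placeholder). With Authority set, the middleware downloads
                // /.well-known/openid-configuration and the JWKS, so RS256 signatures are
                // checked against Auth0's published public keys; no shared secret is stored here.
                Authority = "https://YOUR_TENANT.auth0.com/",

                // The API identifier you register in Auth0 (placeholder). Tokens minted for a
                // different audience, e.g. an ID token meant for the front end, are rejected.
                Audience = "https://api.example.com",

                // Authenticate every request that carries a bearer token and answer
                // unauthenticated requests to [Authorize] endpoints with 401.
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,

                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,          // reject expired tokens
                    ValidateIssuerSigningKey = true,  // reject tokens not signed by the tenant's key
                    ClockSkew = System.TimeSpan.FromMinutes(1)
                }
            });

            // Authentication must be registered before MVC so controllers see the principal.
            app.UseMvc();
        }
    }

    // Every action here requires a valid Auth0 access token. A plain browser visit or a
    // Postman call without a token gets 401 from the middleware; a forged or expired
    // token fails validation the same way.
    [Authorize]
    [Route("api/[controller]")]
    public class ProfileController : Controller
    {
        [HttpGet]
        public IActionResult Get()
        {
            // The JWT handler maps the token's "sub" claim (the Auth0 user id) to
            // ClaimTypes.NameIdentifier by default.
            var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value
                         ?? User.FindFirst("sub")?.Value;

            return Ok(new { user = userId });
        }
    }
}
```

A caller then sends, for example, `GET /api/profile` with the header `Authorization: Bearer eyJ...` obtained from Auth0 in the front end. One caveat worth keeping in mind for the "authenticate the apps themselves" idea: an Ionic app or browser app is a public client, so any secret you embed in it to prove it is "your app" can be extracted by whoever installs it. What the API can actually verify is the per-user token above (who the user is, which audience the token was issued for, and that it has not expired), which is why the standard pattern protects the API with the user's access token rather than with an app credential.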