I'm attempting to implement a web app using a microservice architecture by breaking up major components into separate web servers. I'm implementing an authentication server using ASP.NET Identity (email/username logins only, no Facebook, etc) and a "main" application server.

My current challenge is figuring out how the application server will recognize if a user has logged via the authentication server. Since the authentication server generates tokens which it users to verify users's identities, I imagine that they are stored somewhere and can be queried by the application server, but I'm not sure how to go about doing this. Ideally, my application servers WebAPI endpoints will be able to use the [Authorize] annotation.

Q: How can one server control access via a separate authentication server using ASP.NET Identity?


I've done something similar by doing the following (using cookie authentication):

1 - set the cookie domain to be the TLD across all websites

My Startup.Auth.cs looks like this:

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => {
                        var identity = manager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);

                        //some additional claims and stuff specific to my needs
                        return Task.FromResult(identity);
                    })
            },
            CookieDomain = ".example.com"
        });

2 - update the web.config of all websites to use the same <machineKey />

Mine looks like this:

<machineKey 
    decryption="Auto" 
    decryptionKey="my_key" 
    validation="HMACSHA512"
    validationKey="my_other_key" />

Now I can perform login operations on, say, account.example.com, and redirect the user to site1.example.com and they will be seen as authenticated.