
I'm new to ASP.NET Core and OpenID Connect/AzureAD, so I'm looking for some validation (or otherwise) of my approach. Extensive reading/googling over the last couple of weeks while I've been learning this hasn't turned up an exact answer (although a lot of near misses).

I have a browser-based web app that needs to be secured with AzureAD, so as you'd expect, this uses cookie-based auth. All works fine.

I also expose an API within the same application. I don't want to use cookie-based auth due to CSRF concerns, and the need for the API to service a mobile app at a later date. I've configured the API to use JWT Bearer based auth. Also works fine (e.g. calling from Postman).

One of the pages in the web application needs to make an AJAX call to the API, and I don't want/need to turn the application into an SPA. So the approach I'm currently trying is this:

When I sign in to the application, I'm caching (server-side) the tokens I received from AzureAD. When the page with the AJAX call is visited, I'm writing out the "id_token" to a hidden field, and when I need to make the AJAX call, I'm reading the id_token in javascript and adding it as the "authorization" header.

This all works like a dream, so I've been poking and prodding it for concerns. I can't see any CSRF issues, as the AJAX call is no longer cookie-auth'd. Although I'm writing an id_token out to the page, the user has to be auth'd (cookies) to see that page in the first place.

Is there anything I'm overlooking here?

Paul Nearney
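An added example for the browser side of the approach described in the question; it is not code from the question or from any ASP.NET Core library. The script picks which cached token to put in the Authorization header and builds the fetch options for the AJAX call. CLIENT_ID, API_AUDIENCE, NOW and the three tokens are constructed fixtures (unsigned, alg "none" JWTs built locally so the example runs offline); decodeJwtPayload does no signature verification, which remains the API's job. The audience check is the practitioner's caveat on this pattern: an OpenID Connect id_token carries aud = the web app's own client ID, whereas an API validating bearer tokens expects its own audience, so a client that blindly sends the id_token is sending a token that was never issued for the API. The credentials: 'omit' option keeps the web app's auth cookie out of the request, which is what makes the CSRF argument in the question hold for this call.

```javascript
// Browser-side helpers for the pattern in the question: the page has tokens
// available, and a script must pick one and send it as a bearer header.
// Nothing here verifies a signature; that is the API's job. The client only
// inspects claims so it does not send an id_token (aud = the web app's client
// ID) where the API expects an access token (aud = the API).

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(padded, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(padded), c => c.charCodeAt(0)));
}

function base64UrlEncode(text) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(text, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decodes the payload of a compact JWS. It does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// true if the aud claim (a string or an array of strings) names expectedAudience.
function hasAudience(payload, expectedAudience) {
  const aud = payload.aud;
  return Array.isArray(aud) ? aud.includes(expectedAudience) : aud === expectedAudience;
}

// Returns the first candidate that was issued for the API and is not within
// 30 seconds of expiry, or null if none qualifies (e.g. only an id_token).
function selectBearerToken(candidates, apiAudience, nowSeconds) {
  for (const token of candidates) {
    let payload;
    try { payload = decodeJwtPayload(token); } catch { continue; }
    if (!hasAudience(payload, apiAudience)) continue;
    if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds + 30) continue;
    return token;
  }
  return null;
}

// fetch() options for the API call: bearer header, and credentials: 'omit'
// so the browser does not also attach the web app's auth cookie.
function buildApiRequest(token) {
  return {
    method: 'GET',
    headers: { Accept: 'application/json', Authorization: 'Bearer ' + token },
    credentials: 'omit',
  };
}

// ---- constructed fixtures: unsigned JWTs, not real Azure AD tokens ----
function makeUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return header + '.' + base64UrlEncode(JSON.stringify(payload)) + '.';
}

const CLIENT_ID = '11111111-1111-1111-1111-111111111111';          // hypothetical web app client ID
const API_AUDIENCE = 'api://22222222-2222-2222-2222-222222222222'; // hypothetical API app ID URI
const NOW = 1700000000;                                            // fixed "current time" in seconds

const ID_TOKEN = makeUnsignedJwt({ aud: CLIENT_ID, sub: 'user-1', exp: NOW + 3600 });
const EXPIRED_ACCESS_TOKEN = makeUnsignedJwt({ aud: API_AUDIENCE, scp: 'access_as_user', exp: NOW - 10 });
const ACCESS_TOKEN = makeUnsignedJwt({ aud: [API_AUDIENCE], scp: 'access_as_user', exp: NOW + 3600 });

// What the page script would do just before calling the API.
function demo() {
  const chosen = selectBearerToken([ID_TOKEN, EXPIRED_ACCESS_TOKEN, ACCESS_TOKEN], API_AUDIENCE, NOW);
  // In a real page: fetch('/api/items', buildApiRequest(chosen)).then(r => r.json())
  return chosen ? buildApiRequest(chosen) : null;
}
```

The client-side check only stops the script from sending the wrong token; the API must still reject anything whose signature, issuer or audience does not match, and in ASP.NET Core the API controllers should be limited to the JWT scheme (for example `[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]`) so a cookie alone can never satisfy them.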

0 Answers