I have a Core Web API protected by JWTs, and this service is consumed, via HttpClient, by a WPF application. This all works nicely because once I have a token I pass it in a header with each request.
Now I need to build an MVC Core web application that uses some of the functionality of the API. To avoid CORS issues, I would like to import the API controllers into the web application. However, I don't want to mix cookie and JWT auth.
Normally in the WPF application, for login, I make a request to my API's Token controller, get the token and use it to authorize subsequent requests. Now I can build a login page in the main MVC application that calls into my Token controller with HttpClient and gets a JWT, but then how do I use that token to authorize all other actions in the main MVC app? It also seems very clumsy to have to use HttpClient to pass the JWT header for internal calls.
Is there a way I can secure my MVC application from the start with JWTs without having to use HttpClient? That is, once I have my token, and all actions are secured by tokens, how do I store and pass that token for all other requests to the main MVC app?