I'm developing a .NET Core Identity API using the following setup:
builder.Services.AddIdentityApiEndpoints<AppUser>()
.AddRoles<AppRole>()
.AddEntityFrameworkStores<AppDbContext>();
This gives me the prebuilt endpoints for login, register, etc., which work fine through the API.
Now, I want to create a separate ASP.NET Core web application (not an API), and use these existing endpoints for login/register—just like traditional Identity is used in Razor Pages or MVC projects. I also want to use attributes like [Authorize], [Authorize(Roles = "...")], etc., just like in a typical Identity setup.
The problem is: I don't want to manually write authentication/authorization middleware. I'd like to reuse the API directly for auth, including role-based authorization.
I've seen that when I use ?useCookies=true&useSessionCookies=true during login in the API, I don't need to send the bearer token on each request to access authorized endpoints—the session/cookie is used instead.
My questions are:
Can I use these Identity API endpoints directly in my ASP.NET Core web project and still have full authentication and role-based authorization features (without writing custom middleware)?
If I enable
useCookies=true&useSessionCookies=trueduring login, can I reuse that session/cookie in the web project so that I don’t have to manually handle tokens or headers?
I'm looking for a clean, built-in way to make this work, ideally without reinventing the wheel. Any guidance or sample implementation would be appreciated!
