Carries and CSRF

If I understand that you are correct, MVC and SPA authenticate the user with the Identity Server and store the tokens in cookies intended to access the API.

In general, there are two cases here:

• Your cookies are HTTP only (not available in the frontend). Then you send the MVC and SPA server side cookies, which retrieve the cookies and send the request further to the API. In this case, you are just as vulnerable to CSRF as usual because you efficiently authenticate with cookies and the subsequent token retrieval and API bearer authentication is based solely on the automatic cookie validation result.

• Cookies are available in the interface. In this case, you can read them using Javascript and send a server side MVC and SPA authentication request to the server side (to go to the API) or directly to the API so that all servers ignore the cookie content as potentially compromised. In this case, you are not vulnerable to CSRF (since you specified that the bearer authentication header must be explicitly constructed). However, you are vulnerable to XSS ( cross-site scripting): any code injected into your page using either a data validation / sanitization security hole, or just a third party dependency can read the cookies and re-send them to any server. This case is very similar to local / session storage, so any articles describing their vulnerabilities also apply to your scenario (for example, here ).

So, you have to choose between CSRF or XSS as the main attack.

CSRF can be completely prevented with anti-forgery tokens, but if you don't, it is very easy to launch an attack.

XSS is theoretically difficult to completely prevent in modern development due to the many third party libraries you use (another XSS attack vector - ingress sanitation is not such an issue generally since most of the MVC framework does it for you by default as ASP NET Core ). However, you have a chance to avoid this, making this a smart choice in many cases, for example. Auth0 recommends it .