Take the MVC and SPA project templates as sample implementations of Controller vs ApiController, as well as of CookieAuthentication and oAuthAuthentication.
- MVC uses Controller at the first request as well as all subsequent requests (having request defined Action Methods).
- SPA uses Controller at the first request to SPA and all other interactions are handled by ApiController.
- MVC uses cookie authentication.
- SPA uses oAuth authentication.
Now in real apps, we need to take a mix of both. That said, you can use the IdentityModel.cs (ApplicationDBContext) and its customized copy of the MVC project in your SPA too.
In the oAuth implementation, the token is issued in the GrantResourceOwnerCredentials method of ApplicationOAuthProvider. The user verification uses the same database of the Identity framework by default. Moreover, oAuth provides the authentication check in ApiController. In the sample implementation, oAuth's ResourceOwner flow is provided, where the user's username and password are verified.
In my opinion, templates are starting point examples.
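
The flow described above, as an added example that is not part of the original answer and is not the template's own code: a minimal provider that verifies the username and password against the Identity store before issuing the token, plus an ApiController that requires that token. `ExampleOAuthProvider` and `ProfileController` are hypothetical names, and the sketch assumes a `UserManager<IdentityUser>` has been registered per OWIN context in Startup.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

// Hypothetical provider in the same role as the template's ApplicationOAuthProvider.
public class ExampleOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Resource owner flow from a browser client: there is no client secret to check,
        // so only requests that do not claim a client id are accepted.
        if (context.ClientId == null)
        {
            context.Validated();
        }
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Assumption: registered in Startup with app.CreatePerOwinContext(...).
        var users = context.OwinContext.GetUserManager<UserManager<IdentityUser>>();

        // Same Identity database that cookie-based MVC login uses.
        IdentityUser user = await users.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One message for unknown user and wrong password, so the token
            // endpoint does not reveal which usernames exist.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // The claims in this identity are what the bearer token carries.
        ClaimsIdentity identity = await users.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        context.Validated(identity);
    }
}

// Requests without a valid bearer token get 401 before the action runs.
[Authorize]
public class ProfileController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(new { name = User.Identity.Name });
    }
}
```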