Vulnerability in EPiServer.Forms
After updating to a new version of Service API, I found that some API calls "lost the user" because cookie authentication was no longer working for these API calls. After adding app.UseServiceApiIdentityTokenAuthorization<ApplicationUserManager<SiteUser>, SiteUser>() to Startup, I can obtain Service API tokens and authenticate my API calls. However, Service API provides very little configuration - I can (as far as I know) only set the lifetime of the token, and that is all.
My problem is that I want to use cookie authentication for the MVC part of the site and token authentication for API calls, but I cannot manage the lifetime of the token as I could with cookie authentication, and I cannot revoke the token if I need to do so. Also, Service API does not provide a means to refresh a token if such an action is needed. In addition, I wish to have only a single point of login (LoginPage) that authenticates the user with a cookie and makes a call to Service API to obtain a token using the user's login and password.
Also, I found out that I can actually authenticate against the site itself with a token, and that is not what I desire.
Is there any way to achieve separation of authentication and token lifetime management with the tools built into Service API, or will I have to write my own authentication?
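As an added illustration (not code from the original post, and not Service API's own middleware), the following generic OWIN/Katana Startup shows the separation the question describes: cookie authentication that only applies to MVC pages, a token endpoint with its own lifetime, bearer-token authentication that only Web API actions ask for, and a per-token revocation check. It assumes only the Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages; the class name, paths, lifetimes, the "jti" claim, the VerifyCredentials delegate and the in-memory revocation list are all assumptions chosen for the example.

```csharp
// Added example, not from the original post. Generic OWIN setup that keeps
// cookies for MVC and bearer tokens for Web API, with separate lifetimes and
// a revocation list. Service API's own middleware is not used here.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    // Hypothetical credential check; the site would wire its UserManager here.
    public static Func<string, string, bool> VerifyCredentials = (user, pwd) => false;

    // Hypothetical in-memory revocation list keyed by the token id ("jti") claim.
    // A real deployment would back this with a store shared across servers.
    public static readonly ConcurrentDictionary<string, DateTime> RevokedTokens =
        new ConcurrentDictionary<string, DateTime>();

    public void Configuration(IAppBuilder app)
    {
        // 1. Cookie authentication for the MVC part of the site (active by default).
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/login"),
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        // 2. Token endpoint with a lifetime chosen independently of the cookie.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/api/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15),
            AllowInsecureHttp = false,
            Provider = new OAuthAuthorizationServerProvider
            {
                OnValidateClientAuthentication = ctx =>
                {
                    ctx.Validated(); // public client, resource-owner password flow
                    return Task.FromResult(0);
                },
                OnGrantResourceOwnerCredentials = ctx =>
                {
                    if (!VerifyCredentials(ctx.UserName, ctx.Password))
                    {
                        ctx.SetError("invalid_grant", "Wrong user name or password.");
                        return Task.FromResult(0);
                    }
                    var identity = new ClaimsIdentity(ctx.Options.AuthenticationType);
                    identity.AddClaim(new Claim(ClaimTypes.Name, ctx.UserName));
                    // Unique token id so a single token can be revoked before it expires.
                    identity.AddClaim(new Claim("jti", Guid.NewGuid().ToString("N")));
                    ctx.Validated(identity);
                    return Task.FromResult(0);
                }
            }
        });

        // 3. Bearer authentication in Passive mode: it does not set the user on
        //    its own, so a token never authenticates an MVC page. Web API opts in below.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Passive,
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = ctx =>
                {
                    var jti = ctx.Ticket.Identity.FindFirst("jti");
                    if (jti == null || RevokedTokens.ContainsKey(jti.Value))
                    {
                        ctx.Rejected(); // revoked or malformed token is not accepted
                    }
                    return Task.FromResult(0);
                }
            }
        });

        // 4. Web API: drop the cookie principal and ask only for the bearer scheme,
        //    so a cookie never authenticates an API call.
        var config = new HttpConfiguration();
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }

    // Revoke a token by its id; the bearer provider rejects it on the next request.
    public static void Revoke(string jti) => RevokedTokens[jti] = DateTime.UtcNow;
}
```

The two halves of the separation are the Passive bearer mode (tokens are only honoured where HostAuthenticationFilter requests them) and SuppressDefaultHostAuthentication (cookies are discarded for Web API). Katana's default token format is a self-contained encrypted ticket with no server-side record, which is why revocation here relies on a token id claim and a list the bearer provider consults on every request.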