connect-auth | Authentication middleware for connect | Authentication library

I have a requirement to send an extra parameter from my MVC client to my Identity Server 4 UI when a user needs to authenticate. I've tried following these two articles I found which explain the concept which seems quite simple, but either method I try and use the parameter seems to get added as a parameter to the returnUrl parameter rather then the named parameter on the Login endpoint.

I am following https://www.scottbrady91.com/Angular/SPA-Authentiction-using-OpenID-Connect-Angular-CLI-and-oidc-client and https://www.scottbrady91.com/Angular/Migrating-oidc-client-js-to-use-the-OpenID-Connect-Authorization-Code-Flow-and-PKCE to implement OIDC in SPA(Angular)

I am using aspboilerplate integrated IdentityServer

I've set up everything as per the above articles and I was able to navigate to external auth provider and was also able to enter the required credentials.

While redirecting to angular I am getting 400 - Bad request. Here are the details

Call back URL :

Is it recommended or good practice to protect a Web API directly with Open ID Connect or not? The setup:

• Mobile App
• Authorization Server (ADFS 4.0)
• Web API (ASP.NET Core)

Currently I do the normal OAuth2 "Authorization Code Flow", and then pass the access_code to my Web API in the HTTP Header as "Authorization: Bearer ". In ASP.NET core I just do the usual services.AddAuthentication(...).AddJwtBearer(...) Works fine.

But everyone talks about OAuth2 beeing only "pseudo-authentication" with certain flaws. I want my Users to be a properly authenticated before using my Web API. So it seems like Open ID Connect should be the way to go, aka "real authentication".

But does it actually work to "consume" Open ID Connect authentication in an ASP.NET Core Web API? And if yes, how? And is it good practice? All samples seem to be about Web Sites, not Web APIs.

There is an extension method services.AddAuthentication(...).AddOpenIdConnect()

But here Implement OpenID connect Authetication in asp.net WEB API they state that "this component is designed for user interactive clients".

What i also don't understand, what would I do with the "id_token" I get from Open ID connect. Currently i just pass the "access_token" as Bearer. How do i consume the id_token?

Some clarifications:

• The API does not act on behalf of a user (access to company data).
• The API already has access to the "data". It does not require any auth workflows for itself nor does it need to pass the users credentials along.
• The API needs to know "WHO" the user is, and it has to be done in an modern and good way
• That's why I was thinking of OICD with its "real auth" (VS Oauth2-only which is "pseudo").

I basically cannot wrap my head around how the stuff returned from OICD (id_token) will be passed to my Web API.

I have a mongo 3.4 instance with a cfg file thus: