We have an application built on a static front-end and an API hosted under a separate subdomain (e.g. web.theapp.com vs api.theapp.com). We've recently implemented a document management component built on top of Azure Blob Storage, with custom metadata in the API. When downloading a file, we want the user to get to the API (for authorization checks etc) but then be given/redirected to a blob storage URL with a short-lived SAS token. We have the API part "done" insofar as we can accept a request, do all the required access checks, create a SAS and generate an URL to the file, and redirect there.
HOWEVER: For authentication in the API currently uses Bearer tokens, which obviously won't work on GET requests that result from clicking on links.
Is there a good "goto" solution for this type of problem?
We've been thinking about creating a page saying "Your file downloads in 3... 2... 1..." like the old-school hosting services, but that feels a little tacky. We've also considered adding some sort of cookie scheme, so the API can accept authentication either with bearer tokens or with cookies, but we've failed to find info on how to configure cookie authentication (relevant tech stack: Azure AD OAuth2 and ASP.NET Web API 2).
Is there a good pattern for this type of problem?