I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting the all the web applications, some are just Javascript and HTML, some are MVC.

I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server. Obviously when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid or else somebody could just copy the url of the app and use the application.

NOTE - the JS application is just a plain old HTML5 and Javascript application it is nothing fancy like an .NET MVC app.

One way to achieve this is by registering individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URI’s) and restricting access between those clients.

In order to restrict access between clients for an authenticated user, you need to use ICustomRequestValidator interface.

More details in this discussion board and a similar post in SO thread