I'm writing an Html/Angular app and am authenticating with IdentityServer3 using the implicit flow. I have that setup and working, but what I'm concerned about is allowing users to register.

I know I can inject a register link into the login flow, but that's not what I'm interested in. I would like users to register, then send them a confirmation email, etc.

Here is my current setup:

1) xyz.com (angular frontend)

2) api.xyz.com (webapi backend)

3) accounts.xyz.com (identityserver)

I know I can do user registration by calling an api endpoint, but I'm worried that it might not be secure. At that point in the flow, I won't have a token nor can I get an XSRF token because I'm not using ASP.NET MVC. I can setup CORS on my registration endpoint to only accept requests from xyz.com, but I think that can be worked around pretty easily.

So my question boils down to this:

Should I replace my angular app with MVC on the frontend and use anti-forgery tokens for any public forms (i.e. before the user is logged in)?

Is there another approach/example where I can perform this on IdentityServer and have a clean UI flow?

Is this something that should be done outside of IdentityServer and leave for IdentityServer logging in only?

One way to solve this problem would be to have a API solely responsible for registering user accounts. It is very important to validate that the client invoking the API has the necessary permissions to register users into the system. Of course, front-end applications will still require a UI for registration, but the actual implementation would be in the registration API. Therefore, front-end applications would not have to deal with the overhead of sending account verification emails, username/email uniqueness, etc.

This API would be internal, so it would still be required to have a server-side app on the front-end that would be responsible for calling this API. Keep in mind that the credentials must only be on the server-side, and not in any front-end code.