How do I setup multiple auth schemes in ASP.NET Core 2.0?

by

Edit of December 2019: please consider this answer before anything else:
Use multiple JWT Bearer Authentication

My old answer (that does not fit using multiple JWT but only JWT + API key, as a user commented):

Another possibility is to determine at runtime which authentication policy scheme to choose, I had the case where I could have an http authentication bearer token header or a cookie.

So, thanks to https://github.com/aspnet/Security/issues/1469

JWT token if any in request header, then OpenIdConnect (Azure AD) or anything else.

public void ConfigureServices(IServiceCollection services)
    {
        // Add CORS
        services.AddCors();

        // Add authentication before adding MVC
        // Add JWT and Azure AD (that uses OpenIdConnect) and cookies.
        // Use a smart policy scheme to choose the correct authentication scheme at runtime
        services
            .AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultScheme = "smart";
                sharedOptions.DefaultChallengeScheme = "smart";
            })
            .AddPolicyScheme("smart", "Authorization Bearer or OIDC", options =>
            {
                options.ForwardDefaultSelector = context =>
                {
                    var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
                    if (authHeader?.StartsWith("Bearer ") == true)
                    {
                        return JwtBearerDefaults.AuthenticationScheme;
                    }
                    return OpenIdConnectDefaults.AuthenticationScheme;
                };
            })
            .AddJwtBearer(o =>
            {
                o.Authority = Configuration["JWT:Authentication:Authority"];
                o.Audience = Configuration["JWT:Authentication:ClientId"];
                o.SaveToken = true;
            })
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddAzureAd(options => Configuration.Bind("AzureAd", options));

        services
            .AddMvc(config =>
            {
                var policy = new AuthorizationPolicyBuilder()
                                 .RequireAuthenticatedUser()
                                 .Build();
                // Authentication is required by default
                config.Filters.Add(new AuthorizeFilter(policy));
                config.RespectBrowserAcceptHeader = true;
            });
            
            ...
            
            }

Edit of 07/2019: I must add a link to the following proposal, because it’s very helpful too: you may not use parameters in AddAuthentication() as I did, because this would setup a default scheme. Everything is well explained here:
Use multiple JWT Bearer Authentication.
I really like this other approach!

More Related Contents:

  1. How do I get the contents of a JSON file I added in the StartUp method to use it in one of my actions?
  2. How to create roles in ASP.NET Core and assign them to users?
  3. TempData null in asp.net core
  4. Identity in ASP.Net Core 2.1< - Customize AccountController
  5. Tag helper not being processed in ASP.NET Core 2
  6. Dealing with large file uploads on ASP.NET Core 1.0
  7. An error occurred attempting to determine the process id of dotnet.exe which is hosting your application. One or more error occured
  8. Unable to resolve service for type ‘Microsoft.AspNetCore.Identity.UserManager` while attempting to activate ‘AuthController’
  9. ASP.NET MVC 5 group of radio buttons
  10. Passing data between different controller action methods
  11. Is Task.Run considered bad practice in an ASP .NET MVC Web Application?
  12. Passing data to Master Page in ASP.NET MVC
  13. @Html.Action in Asp.Net Core
  14. How to enable cross origin requests in ASP.NET MVC [duplicate]
  15. Do I need a Global.asax.cs file at all if I’m using an OWIN Startup.cs class and move all configuration there?
  16. Parse and modify a query string in .NET Core
  17. How do I display the DisplayAttribute.Description attribute value?
  18. ASP.Net MVC route to catch all *.aspx requests
  19. Asp.net core Identity successful login redirecting back to login page
  20. Custom Authentication in ASP.Net-Core
  21. Where are the ControllerContext and ViewEngines properties in MVC 6 Controller?
  22. How to add OpenIdConnect via IdentityServer4 to ASP.NET Core ServerSide Blazor web app?
  23. I’m getting the “missing a using directive or assembly reference” and no clue what’s going wrong
  24. MvcSiteMap generating a Menu without messing the breadcumbs
  25. Get UserID of logged-in user in Asp.Net MVC 5
  26. Can I use ASP.NET MVC together with regular ASP.NET Web forms
  27. {version} wildcard in MVC4 Bundle
  28. ‘HttpPostedFileBase’ in Asp.Net Core 2.0
  29. ASP.NET – AppDomain.CurrentDomain.GetAssemblies() – Assemblies missing after AppDomain restart
  30. Opposite of [compare(” “)] data annotation in .net?

Leave a Comment