
We have an aspnetcore 2.0 website. The majority of the site is WebAPI, with 2 UI components: swagger and hangfire dashboard.

We are trying to secure the Web API endpoints using JWT and the UI (hangfire dashboard) components with Open ID.

Here is our setup:

services
.AddSingleton<IConfigureOptions<JwtBearerOptions>, ConfigureJwtBearerOptions>()
.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureOpenIdOptions>()
.AddAuthentication(options =>
 {
    var openId = OpenIdConnectDefaults.AuthenticationScheme;
    var jwt = JwtBearerDefaults.AuthenticationScheme;

    options.DefaultScheme = jwt;
    //options.DefaultAuthenticateScheme = openId;
 })
 .AddJwtBearer()
 .AddCookie()
 .AddOpenIdConnect(options =>
 {
     var cookies = CookieAuthenticationDefaults.AuthenticationScheme;

     options.SignInScheme = cookies;
     options.SignOutScheme = cookies;
 });

services
.AddAuthorization(options => options.AddPolicy(...))
.AddMvcCore(config =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
        .Build();

    config.Filters.Add(new AuthorizeFilter(policy));
});
....

app.Map(new PathString("/hangfire"), _ => _.UseMiddleware<HangfireDashboardMiddleware>(...));

To secure the hangfire dashboard we had to create a delegation handler to authenticate and challenge using OpenIdConnectDefaults.AuthenticationScheme.

The problem is we can only get JWT or OpenID to successfully authorize and get all the relevant claims. When //options.DefaultAuthenticateScheme = openId; is commented out JWT works, but OpenId gets stuck in a perpetual loop between localhost and AAD. When options.DefaultAuthenticateScheme = openId; is set Open ID authentication works properly, but JWT fails to get claims. It does appear to authenticate.

How can we set up an authentication scheme per route?

Jason Meckley

1 Answer


We finally figured this out. aspnetcore only handles 1 scheme by design. So to handle multiple schemes we needed to implement a custom scheme.

We used this approach https://gist.github.com/profet23/da146bfee5e2daa45bc4f9746aba69e0 to select between schemes.

Jason Meckley
  • I'm in a very similar situation and I'm a bit confused by your sentence "aspnetcore only handles 1 scheme by design". Is this true? The official docs/samples on msdn/github use multiple auth schemes. – qwertoyo May 23 '18 at 08:25
  • This appeared to be true at the time we were implementing authentication. This was also new to us and we were figuring it out as we went along. This worked for us and we have not revisited our solution since it is working. – Jason Meckley May 23 '18 at 14:53
  • In the meantime I was able to configure 3 schemes :) 2 with JWT and 1 with amx. So it's indeed possible now; this question led me on the right path: https://stackoverflow.com/questions/49694383/use-multiple-jwt-bearer-authentication – qwertoyo May 23 '18 at 15:15
  • @JasonMeckley what redirect_uri did you configure for hangfire dashboard authentication? I'm getting "invalid redirect_uri" errors. Wondering where to find out correct/expected redirect uri for hangfire – Zeeshan Mar 28 '22 at 09:48
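The per-route selection the answer describes can be done without a hand-written handler on ASP.NET Core 2.1 or later, using the framework's policy scheme and its ForwardDefaultSelector. This is an added example, not the asker's code or the linked gist; the scheme name `RouteScheme` and the `/hangfire` prefix are assumptions, and Authority/ClientId settings are assumed to come from the question's IConfigureOptions classes.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class RouteBasedAuthentication
{
    // Assumed name for the selector scheme; any unique string works.
    public const string RouteScheme = "RouteScheme";

    // Assumed dashboard prefix, matching app.Map("/hangfire") in the question.
    private static readonly PathString DashboardPath = new PathString("/hangfire");

    public static IServiceCollection AddRouteBasedAuthentication(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                // Authenticate, challenge and forbid all start at the selector,
                // so one per-request decision picks the real scheme.
                options.DefaultScheme = RouteScheme;
            })
            .AddPolicyScheme(RouteScheme, "JWT or OpenID Connect by route", options =>
            {
                options.ForwardDefaultSelector = context =>
                    context.Request.Path.StartsWithSegments(DashboardPath)
                        ? OpenIdConnectDefaults.AuthenticationScheme  // browser UI: redirect to the IdP
                        : JwtBearerDefaults.AuthenticationScheme;     // API: 401, never a redirect
            })
            .AddJwtBearer()   // Authority etc. supplied by ConfigureJwtBearerOptions (assumed)
            .AddCookie()      // session for the dashboard after the OpenID sign-in
            .AddOpenIdConnect(options =>
            {
                // OpenIdConnect authenticates via its SignInScheme (the cookie), so
                // forwarding dashboard requests to it works for both authenticate and challenge.
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.SignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            });
        return services;
    }

    // Global MVC filter: require an authenticated user but do not pin a scheme.
    // Pinning JwtBearer here (as in the question) bypasses the selector.
    public static AuthorizeFilter RequireAuthenticatedUserFilter() =>
        new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
}
```

Register it with `services.AddRouteBasedAuthentication()` and add `RouteBasedAuthentication.RequireAuthenticatedUserFilter()` to the MVC filters; the dashboard middleware then only needs `[Authorize]`-style checks, no separate challenge handler.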