I'm using this way of adding multiple authorization in my ASP.NET Core API (v2.1).
Here is my code:
    public void ConfigureServices(IServiceCollection services)
    {
        const string OtherSchema = "MyOtherSchema";

        // Two JWT bearer handlers, each with its own validation parameters.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.TokenValidationParameters = GetFirstTokenValidationParameters();
            })
            .AddJwtBearer(OtherSchema, options =>
            {
                options.TokenValidationParameters = GetSecondTokenValidationParameters();
            });

        // The default policy lists both schemes and requires an authenticated user.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy =
                new AuthorizationPolicyBuilder()
                    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, OtherSchema)
                    .RequireAuthenticatedUser()
                    .Build();
        });
    }
And I decorated my endpoints with the [Authorize] attribute.
Now the problem is that just the default schema's token is authorized (first) and MyOtherSchema's token is unauthorized (second).
Even if I swap the schemes in the AddJwtBearer calls, still the default schema's token is authorized (second) and MyOtherSchema's token is unauthorized (first).
What did I miss?