I want different controller methods authenticated by different JWT.

Startup.cs looks like:

    services
        .AddAuthentication()
        .AddJwtBearer("Schema1", options =>
        {
            ...
            // use JWT Authentication with secretKey1
            var issuerSecretKey = "secretKey1";
            options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.ASCII.GetBytes(issuerSecretKey));
        })
        .AddJwtBearer("Schema2", options =>
        {
            ...
            // use JWT Authentication with secretKey2
            var issuerSecretKey = "secretKey2";
            options.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.ASCII.GetBytes(issuerSecretKey));
        });

    services.AddAuthorization(options =>
    {
        options.DefaultPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddAuthenticationSchemes("Schema1", "Schema2")
            .Build();
    });

Controller:

[Authorize(AuthenticationSchemes = "Schema1")]
public ActionResult Method1(int id) 
{ 
  //some code 
}


[Authorize(AuthenticationSchemes = "Schema2")]
public ActionResult Method2(int id) 
{ 
  //some code 
}

After that I open Postman and execute a request to Method1 with a JWT signed by secretKey2, but it successfully passes authorization! I used this answer: https://stackoverflow.com/a/49706390/11593189

What should I do to authorize Method1 using a JWT signed by secretKey1, and Method2 using a JWT signed by secretKey2? Maybe I should use additional mechanisms, such as a Policy or Role?

  • According to [this github issue](https://github.com/dotnet/aspnetcore/issues/2827), authentication schemes are case sensitive, try changing "schema2" to "Schema2" in Authorize Attribute – romfir Apr 14 '20 at 18:56
  • Sorry, I’m sealed up. I am using Schema1 and Schema2 in the controller – Бадалов Бадал Apr 14 '20 at 18:58
  • Did you successfully authenticate with an authentication scheme different to `"Bearer"`? I was having issues with that exact problem and was able to resolve it only with a work-around. See [my question](https://stackoverflow.com/questions/73618495/defining-a-webapi-with-two-jwt-authentication-schemes-does-not-work). – Paul Kertscher Sep 06 '22 at 10:59

1 Answer
You can use AddPolicy to add the required scheme to each policy, like this:

    .AddAuthorization(options =>
    {
        options.AddPolicy("Policy1", policy =>
        {
            policy.AddAuthenticationSchemes("Schema1");
            policy.RequireAuthenticatedUser();
        });
        options.AddPolicy("Policy2", policy =>
        {
            policy.AddAuthenticationSchemes("Schema2");
            policy.RequireAuthenticatedUser();
        });
    });

Then use the Policy instead of AuthenticationSchemes in the Authorize attributes:

[Authorize(Policy = "Policy1")]
public ActionResult Method1(int id) 
{ 
  //some code 
}

[Authorize(Policy = "Policy2")]
public ActionResult Method2(int id) 
{ 
  //some code 
}

In this case Method1 requires Schema1 and Method2 requires Schema2.

Farhad Zamani
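As an added, self-contained illustration of the answer (not code from the question or the answer above), here is a minimal-API Program.cs that wires the two bearer schemes to two policies and binds each endpoint to exactly one of them. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package; the signing keys, issuer names and route names are constructed for the demo. The comments also record why the question's setup let either key through: an Authorize attribute that sets only AuthenticationSchemes is still merged with the default policy, and that default policy listed both schemes.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Constructed demo keys (HS256 needs at least 32 bytes); a real app loads them from configuration.
var key1 = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-1-demo-key-1-demo-key-1-demo"));
var key2 = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-2-demo-key-2-demo-key-2-demo"));

// Two bearer schemes, each trusting a different signing key (same shape as the question's Startup.cs).
builder.Services.AddAuthentication()
    .AddJwtBearer("Schema1", options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = key1,
            ValidIssuer = "issuer1", ValidAudience = "api", ClockSkew = TimeSpan.Zero
        };
    })
    .AddJwtBearer("Schema2", options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = key2,
            ValidIssuer = "issuer2", ValidAudience = "api", ClockSkew = TimeSpan.Zero
        };
    });

builder.Services.AddAuthorization(options =>
{
    // One policy per scheme. A policy carries its own scheme list, so an endpoint bound to
    // Policy1 is only ever evaluated against Schema1; a token signed with key2 gets a 401.
    options.AddPolicy("Policy1", p => p.AddAuthenticationSchemes("Schema1").RequireAuthenticatedUser());
    options.AddPolicy("Policy2", p => p.AddAuthenticationSchemes("Schema2").RequireAuthenticatedUser());
    // Deliberately no DefaultPolicy naming both schemes: [Authorize(AuthenticationSchemes = ...)]
    // without a Policy is merged with the default policy, which is how the question's setup
    // ended up accepting either key on every action.
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Minimal-API stand-ins for Method1/Method2; [Authorize(Policy = "...")] on a controller works the same way.
app.MapGet("/method1/{id:int}", (int id) => Results.Ok(new { id, scheme = "Schema1" }))
   .RequireAuthorization("Policy1");
app.MapGet("/method2/{id:int}", (int id) => Results.Ok(new { id, scheme = "Schema2" }))
   .RequireAuthorization("Policy2");
app.Run();
```

To repeat the Postman check from the question against this app, send a token signed with key2 to /method1/1: it should now be rejected with 401, while the same token is accepted on /method2/1.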