4

See Update below

I'm using Azure AD B2C and I'd like my users to be able to log in thru my web app as well as be able to utilize JWT bearer tokens and call Web API methods from a mobile app.

I can get either authentication scheme to work by itself. For example, in my startup.cs I can do the following:

        services
            .AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

which works as expected (a user can login on the web site, but JWT doesn't work).

Alternatively, I can instead use the following and then only JWT bearer tokens will work:

        services
            .AddAuthentication(AzureADB2CDefaults.JwtBearerAuthenticationScheme)
            .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

If I want either to work, I can do the following (with the help of https://stackoverflow.com/a/49706390)

        services
            .AddAuthentication()
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options))
            .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder()
                                    .RequireAuthenticatedUser()
                                    .AddAuthenticationSchemes(AzureADB2CDefaults.AuthenticationScheme, AzureADB2CDefaults.JwtBearerAuthenticationScheme)
                                    .Build();
        }

And now either will work. (edit: actually, they don't work completely)

HOWEVER, I also have this code:

        app.UseAuthentication();
        app.UseMiddleware<MyAfterAuthenticatedMiddleware>();
        app.UseAuthorization();

The problem is that when I use the combination of either authentication, when my middleware code runs, my user is not authenticated (in the middleware code) and has no claims, etc. but obtains them later in the pipeline.

What's happening here? And how can this be fixed?

It seems that when I don't specify a default authentication scheme--in order to have multiple schemes--the authentication is not happening until the authorization step in the pipeline.

I need my middleware to run after authentication and before authorization. How can I make that happen with the multiple authentication schemes?

UPDATE -- Solved! But there must be a better way!??

First of all, to the people who have created the .NET security stuff, I say kudos. It's important and it's difficult. However I do think there may be a lot of room for improvement.

Most developers dabble in security when they have to, and then go back to their "regular" job". Unless you work with it every day, it's tough to keep on top of. Every time you go back to it, everything's changed yet again.

It must be a common scenario: I want my users to be able to log in to my web site and interact with various web API methods. I would like them to also be able to access those same API methods via another means, such as a mobile app--where I'd be using JWT tokens, or equivalent.

This shouldn't be hard to make work.

However, I was tying myself into knots creating handlers for this and policies for that. One thing would work, but another thing wouldn't. Then when I thought things were right--I discovered some of the challenge and forbid logic didn't work as expected.

The built-in Authorization middleware has the ability to do authentication -- this was one of the early roads I went down, only to discover that it didn't fully work -- and it caused other problems for me, as described above.

In my opinion, authentication should not happen during authorization. Authentication should happen where it is expected--in authentication middleware. (My guess is that it was added in authorization in order to work around some other problem that presented itself years ago -- and perhaps still exists today)

Anyway--here is how I finally got things to work. It could be a lot cleaner and slicker and more flexible, but it works for my needs. And it is less of a hack than anything else I have seen. But is there a nicer, built-in class that could have done this for me?

My new question is this: is there a better way to get this done than how I've done it as described below?. It's hard to believe this is the best way.

In Startup.ConfigureServices I have now have the following:

services
   .AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
   .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options))
   .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

I then also have:

services.AddHttpContextAccessor();
services.AddSingleton<IAuthenticationSchemeProvider, MyAuthenticationSchemeProvider>();

And finally, I have a new class:

public class MyAuthenticationSchemeProvider : AuthenticationSchemeProvider
{
    public MyAuthenticationSchemeProvider(IOptions<AuthenticationOptions> options, IHttpContextAccessor httpContextAccessor) : base(options)
    {
        HttpContextAccessor = httpContextAccessor;
    }

    protected MyAuthenticationSchemeProvider(IOptions<AuthenticationOptions> options, IDictionary<string, AuthenticationScheme> schemes, IHttpContextAccessor httpContextAccessor) : base(options, schemes)
    {
        HttpContextAccessor = httpContextAccessor;
    }

    private IHttpContextAccessor HttpContextAccessor { get; }

    private bool IsBearerRequest()
    {
        var httpContext = HttpContextAccessor.HttpContext;
        return httpContext.Request.Headers.ContainsKey("Authorization")
                && httpContext.Request.Headers["Authorization"].Any(x => x.ToLower().Contains("bearer"));
    }

    public async Task<AuthenticationScheme> GetMySchemeAsync()
    {
        return IsBearerRequest()
            ? await GetSchemeAsync(AzureADB2CDefaults.BearerAuthenticationScheme)
            : await base.GetDefaultAuthenticateSchemeAsync();
    }

    public override async Task<AuthenticationScheme> GetDefaultAuthenticateSchemeAsync()
    {
        return await GetMySchemeAsync();
    }

    public override Task<AuthenticationScheme> GetDefaultChallengeSchemeAsync()
    {
        return GetMySchemeAsync();
    }

    public override Task<AuthenticationScheme> GetDefaultForbidSchemeAsync()
    {
        return GetMySchemeAsync();
    }
}

Now I can use both kinds of authentication, the challenge & forbid work as expected. Why isn't there a built-in class that allows for switching between authentication schemes? Why does the authorization middleware attempt to authenticate with multiple schemes (I say it shouldn't do it at all), but not the authentication middleware?

Now this is here for anyone else who struggles with a similar issue.

Donny Kwitty
  • 327
  • 2
  • 15
  • Donny it would be helpful if you could post a complete example project repo. Can you link to a github repo for your project? – jbuch Jun 27 '20 at 02:36
  • @jbuch unfortunately i do not have it in github. – Donny Kwitty Jun 27 '20 at 13:55
  • Hi @DonnyKwitty Can you share your project or approach you followed. It would be helpful for us to help you in a better way. – Raghavendra beldona Jul 02 '20 at 17:05
  • 1
    Hi @Raghavendra-MSFTIdentity Unfortunately, I can't share the project. I solved my issue--to a certain degree. I'm just surprised I had to go about it the way I did--and that it wasn't obvious how to solve the problem. I simply wanted to be able to authenticate in either one of two ways--and as far as I can tell, the way I did it was the simplest. There seem to be a lot of "hacks" and work-arounds to make some security stuff work--and it seems to change every few months. – Donny Kwitty Jul 02 '20 at 21:11
  • Thanks for the confirmation – Raghavendra beldona Jul 02 '20 at 21:17

0 Answers0