ASP NET Multiple Authentication 1690214881

This document discusses how to implement multiple authentication schemes in an ASP.NET API to validate access tokens from different identity providers. It describes adding JWT bearer authentication for two identity servers, and a custom authentication handler for non-JWT tokens. The key is to use AddPolicyScheme to detect the scheme for each request and redirect to the appropriate handler, rather than relying on a default.

A DEEP VIEW

ASP.NET: Multiple Authentication Schemes
How can we validate multiple tokens from different providers in the API?
Saeed Esmaeelinejad

Core Authentication Concepts

Authentication is the process of determining a user's identity. Authentication is responsible for providing the ClaimsPrincipal that authorization uses to make permission decisions. (If the token is not valid, the response is 401 Unauthorized.)

[Diagram: Authentication, Authorization, Authentication Scheme]

Authorization is the process of determining whether a user has access to a resource. (If the user doesn't have access, the response is 403 Forbidden.)

Authentication Scheme

The authentication scheme selects which authentication handler is responsible for generating the correct set of claims. An authentication scheme is a name that corresponds to:
An authentication handler.
Options for configuring that specific instance of the handler.

The registered authentication handlers and their configuration options are called "schemes".
Scenario

We have an API that supports authentication, but the access tokens may come from different providers and the API should be able to validate all of them. The tokens are generated by three providers:
1- IdentityServerA
2- IdentityServerB
3- Custom token (not JWT)
A simple implementation for one identity server (A)

In ASP.NET, authentication is handled by the authentication service, IAuthenticationService, which is used by the authentication middleware. The authentication service uses registered authentication handlers to complete authentication-related actions.

Authentication schemes are specified by calling a scheme-specific extension method after a call to AddAuthentication, such as AddJwtBearer.

When you call AddJwtBearer, it means the token must be in JWT format (header.payload.signature). It will use the built-in authentication handler to validate tokens based on the given options. When you don't specify the scheme name, it uses the default name: Bearer (JwtBearerDefaults.AuthenticationScheme).

So far so good, let's go and add IdentityServerB :)


Add second authentication scheme: identity server (B)

As we saw, for adding IdentityServerA we used the AddJwtBearer extension since it is a JWT token. So we can do the same for IdentityServerB, but here we need to set the scheme name, because if it is not set, it will use the default name, Bearer, and you will get a runtime exception saying:

System.InvalidOperationException: 'Scheme already exists: Bearer'

Currently, we have 2 authentication schemes. But how about the third one, CustomToken? It's not a JWT token!

No worries, let's go for it ...


Add Custom authentication handler

Since we cannot use the AddJwtBearer extension, we need to use the AddScheme method, which needs a custom authentication handler.

Before, the built-in authentication handler was doing it for us (by using AddJwtBearer), but now we have to implement all the logic for validating tokens by using AuthenticationHandler<T>.

The idea is simple: we get a token from the header and check it with the database.

The point is to prepare an AuthenticateResult, which tells the ASP.NET pipeline to allow the user to move on or to return 401.

If the token was valid, then we need to prepare claims and set them for authorization checking (like setting Roles or Policies).

Now we can have 3 authentication schemes ...
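A handler of the kind described above, written as an added example rather than the deck's own code. It targets .NET 8 with implicit usings, and the ITokenStore interface (the "database" lookup), the CustomToken scheme name and the claim layout are assumptions.

```csharp
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical store standing in for "check it with the database":
// returns the user id and roles for a valid, unexpired token, or null.
public interface ITokenStore
{
    Task<(string UserId, string[] Roles)?> FindAsync(string token, CancellationToken ct);
}

// Handler for the opaque (non-JWT) CustomToken scheme; targets .NET 8.
public sealed class CustomTokenHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "CustomToken";
    private readonly ITokenStore _store;

    public CustomTokenHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ITokenStore store)
        : base(options, logger, encoder) => _store = store;

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        string header = Request.Headers.Authorization.ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return AuthenticateResult.NoResult(); // no credentials: nothing to authenticate, the challenge gives 401

        var token = header["Bearer ".Length..].Trim();
        var found = await _store.FindAsync(token, Context.RequestAborted);
        if (found is null)
            return AuthenticateResult.Fail("Invalid or expired custom token"); // pipeline responds 401

        // Valid token: build the claims that authorization (roles, policies) will check.
        var (userId, roles) = found.Value;
        var claims = new List<Claim> { new(ClaimTypes.NameIdentifier, userId) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        var identity = new ClaimsIdentity(claims, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return AuthenticateResult.Success(ticket);
    }
}

// Registration in Program.cs, next to the two AddJwtBearer calls:
// builder.Services.AddAuthentication()
//     .AddScheme<AuthenticationSchemeOptions, CustomTokenHandler>(CustomTokenHandler.SchemeName, _ => { });
```

Note the distinction between NoResult (no credentials were presented, so other schemes or the challenge decide) and Fail (credentials were presented and rejected); passing Scheme.Name as the authentication type is what makes the resulting identity count as authenticated.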


Add all authentication schemes

Oh, wait, it doesn't work properly... When we call the API, all tokens are checked by IdentityServerA! But why?

If you check the previous page again, you see this option in the AddAuthentication call:

options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;

And the IdentityServerA scheme name is JwtBearerDefaults.AuthenticationScheme (Bearer). So by default, all requests go to IdentityServerA, which is not correct.

There are two approaches to handling that.

1- Specifying the AuthenticationSchemes in the Authorize attribute:

We can change the Authorize attribute and tell it that for this specific route it needs to use this scheme!

But it can be annoying. Is there a better way?

Hmm, yes, come with me to finish it :)
Life saver: AddPolicyScheme

We need to find a way that detects the scheme name for every request and redirects the request to the appropriate authentication scheme.

By using the AddPolicyScheme extension method we can do it. It actually adds another scheme that is responsible for choosing the correct authentication scheme. Now every request first goes to the policy scheme and then to one of our 3 authentication schemes.
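The complete wiring of the three schemes behind a policy scheme, as an added example that is not the deck's code. It assumes the issuer URLs, the scheme names IdentityServerB, CustomToken and MultiAuth, the audience "api", and that a CustomTokenHandler class (an AuthenticationHandler<AuthenticationSchemeOptions> for the opaque token) already exists in the project.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;

// Hypothetical issuer URLs of the two identity servers and the scheme names used here.
const string IssuerA = "https://identity-a.example", IssuerB = "https://identity-b.example";
const string SchemeB = "IdentityServerB", SchemeCustom = "CustomToken", Selector = "MultiAuth";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // The selector is the default, so a plain [Authorize] goes through it instead of
    // landing on IdentityServerA just because "Bearer" happened to be the default scheme.
    options.DefaultScheme = Selector;
    options.DefaultChallengeScheme = Selector;
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, o => { o.Authority = IssuerA; o.Audience = "api"; })
.AddJwtBearer(SchemeB, o => { o.Authority = IssuerB; o.Audience = "api"; })
// CustomTokenHandler: the project's handler for the opaque token (assumed to exist).
.AddScheme<AuthenticationSchemeOptions, CustomTokenHandler>(SchemeCustom, _ => { })
.AddPolicyScheme(Selector, "Picks a concrete scheme per request", o =>
{
    o.ForwardDefaultSelector = ctx => SelectScheme(ctx.Request.Headers.Authorization.ToString());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", () => "authenticated").RequireAuthorization();
app.Run();

// Routing only: the issuer is read WITHOUT verifying the signature, so it decides which
// handler runs, never whether the token is trusted. The chosen handler still validates
// signature, issuer, audience and lifetime (or, for CustomToken, performs the store lookup).
static string SelectScheme(string authorization)
{
    const string prefix = "Bearer ";
    if (!authorization.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        return JwtBearerDefaults.AuthenticationScheme; // no credentials: Bearer's challenge answers 401
    var token = authorization[prefix.Length..].Trim();
    if (!new JsonWebTokenHandler().CanReadToken(token))
        return SchemeCustom; // not header.payload.signature: it is the opaque custom token
    return new JsonWebToken(token).Issuer switch
    {
        IssuerA => JwtBearerDefaults.AuthenticationScheme,
        IssuerB => SchemeB,
        _ => JwtBearerDefaults.AuthenticationScheme, // unknown issuer: JwtBearer rejects it, no store lookup
    };
}
```

Forwarding a JWT with an unrecognised issuer to the JwtBearer scheme rather than to CustomToken keeps arbitrary JWT strings away from the database lookup; the issuer claim is only ever used to pick a handler, never as evidence of who sent the token.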

You made it :)
Thanks for reading :)
Saeed Esmaeelinejad
