Adding both WebApi and WebApp authentication
I have a Web API for which I want controllers to use Bearer token authentication. At the same time I want the Swagger UI to be protected by OIDC.
Scenario:
- Use policy "Bearer" for [Authorize] on controllers
- Use policy "OpenIdConnect" for Swagger UI (note: the UI, not the requests done in the UI)
I have created a minimal Web API project from the template, and added authentication:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

// Two Microsoft.Identity.Web registrations: "Bearer" (JWT) for the API and
// "OpenIdConnect" (+ cookies) for the interactive browser session.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration);

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

builder.Services.AddAuthorization(options =>
{
    // Need this for [Authorize] on controllers to use bearer token for authentication
    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();

// Gate the Swagger UI: anyone not already authenticated is sent through OIDC.
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/swagger") && !(context.User.Identity?.IsAuthenticated ?? false))
    {
        await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme);
    }
    else
    {
        await next();
    }
});

app.UseAuthorization();
app.UseSwagger();
app.UseSwaggerUI();
app.MapControllers();
app.Run();
Documentation and another issue say the call order of AddMicrosoftIdentityWebApiAuthentication and AddMicrosoftIdentityWebAppAuthentication doesn't matter. I need to set a default authorization policy though, so controllers with the [Authorize] attribute will accept the "Bearer" policy.
This code seems to work, but what makes me unsure about this is that if I switch the order of AddMicrosoftIdentityWebApiAuthentication and AddMicrosoftIdentityWebAppAuthentication, the Swagger login redirect will create an infinite loop:
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration);
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
Here is a repo with a minimal reproducible example: https://github.com/kristofferjalen/MultipleAuth
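The gate in the question reads `context.User`, which `UseAuthentication` fills only from whichever scheme ended up as the default after the two `Add…` calls. The following is an added example, not the asker's code or anything from the linked repo: it keeps the same two registrations and the same bearer-only default policy, but authenticates the Swagger request explicitly against the cookie scheme that `AddMicrosoftIdentityWebAppAuthentication` registers (assumed here to be the default "Cookies" scheme name) and passes a `RedirectUri` so the browser lands back on the page it asked for. The `AzureAd` configuration section is assumed to exist, as in the question.

```csharp
// Program.cs: added example, not the original post's code.
// Assumes Microsoft.Identity.Web's default cookie scheme name ("Cookies")
// and an "AzureAd" section in appsettings.json.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

// "Bearer" for API calls, "OpenIdConnect" + "Cookies" for the browser session.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration);

builder.Services.AddAuthorization(options =>
{
    // [Authorize] on controllers accepts only a bearer token, never the cookie,
    // so a logged-in Swagger user cannot call the API with the browser session alone.
    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();

// Protect the Swagger UI with the interactive session. Authenticating against the
// named cookie scheme makes the check independent of which scheme is the default.
app.Use(async (context, next) =>
{
    if (!context.Request.Path.StartsWithSegments("/swagger"))
    {
        await next();
        return;
    }

    var result = await context.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    if (!result.Succeeded)
    {
        // No valid cookie: start the OIDC flow and return to the requested Swagger page.
        await context.ChallengeAsync(
            OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties
            {
                RedirectUri = context.Request.Path + context.Request.QueryString
            });
        return;
    }

    // Make the cookie principal visible to anything downstream that reads HttpContext.User.
    context.User = result.Principal!;
    await next();
});

app.UseAuthorization();
app.UseSwagger();
app.UseSwaggerUI();
app.MapControllers();
app.Run();
```

If the registration order is swapped, this gate behaves the same way, because it never consults `context.User` as populated by the default scheme; only the controllers' policy depends on a scheme name, and that name is given explicitly.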
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow