How to prefer one authentication scheme over another?
I have two JwtBearer schemes; each one can use a cookie in addition to the Authorization header:
```csharp
// Both handlers are chained on the AuthenticationBuilder returned by AddAuthentication(...).
// GetAuthorizationHeader() and GetCookie() are the question's own extension methods over HttpRequest.
.AddJwtBearer(OAuthSchemeConstants.SchemeName, options =>
{
    options.Authority = oauthServerUrl;
    options.AutomaticRefreshInterval = new TimeSpan(24, 0, 0);
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateIssuer = true,
        ValidIssuer = oauthServerUrl,
        ClockSkew = TimeSpan.Zero,
        NameClaimType = AuthenticationConstants.NameClaimType,
    };
    options.Events = new JwtBearerEvents()
    {
        // Fall back to this scheme's cookie only when no Authorization header is present.
        OnMessageReceived = (context) =>
        {
            var authHeader = context.Request.GetAuthorizationHeader();
            var authCookie = context.Request.GetCookie(OAuthSchemeConstants.CookieName);
            if (string.IsNullOrEmpty(authHeader) && !string.IsNullOrEmpty(authCookie))
            {
                context.Token = authCookie;
            }
            return Task.CompletedTask;
        },
    };
})
.AddJwtBearer(CustomSchemeConstants.SchemeName, options =>
{
    options.RequireHttpsMetadata = false;
    options.SaveToken = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey,
        ValidateIssuer = false,
        ValidateAudience = false,
        ClockSkew = TimeSpan.Zero,
        NameClaimType = AuthenticationConstants.NameClaimType
    };
    options.Events = new JwtBearerEvents()
    {
        // Same cookie fallback, but reading this scheme's own cookie.
        OnMessageReceived = (context) =>
        {
            var authHeader = context.Request.GetAuthorizationHeader();
            var authCookie = context.Request.GetCookie(CustomSchemeConstants.CookieName);
            if (string.IsNullOrEmpty(authHeader) && !string.IsNullOrEmpty(authCookie))
            {
                context.Token = authCookie;
            }
            return Task.CompletedTask;
        }
    };
});
```
When cookies for both schemes are present, I want to prefer OAuthSchemeConstants.SchemeName over CustomSchemeConstants.SchemeName.
My default authorization policy looks like this:
```csharp
// Default policy: both schemes are listed, so the policy evaluator authenticates against each of them.
var policyBuilder = new AuthorizationPolicyBuilder(
    OAuthSchemeConstants.SchemeName,
    CustomSchemeConstants.SchemeName
);
policyBuilder = policyBuilder.RequireAuthenticatedUser();
return policyBuilder.Build();
```
What I tried:
- setting options.DefaultAuthenticationScheme / options.DefaultChallengeScheme to OAuthSchemeConstants.SchemeName in .AddAuthentication()
- change order in which schemes are added to authentication builder
- change order of schemes in AuthorizationPolicyBuilder
But no matter what, when cookies for both schemes are present, CustomSchemeConstants.SchemeName is being used for authentication.
I need this because I am migrating the authentication scheme to OAuthSchemeConstants.SchemeName, and I need both schemes to keep working but to prefer OAuthSchemeConstants.SchemeName over CustomSchemeConstants.SchemeName.
CustomSchemeConstants.SchemeName is just "MyCustomScheme" and OAuthSchemeConstants.SchemeName is just "MyOAuthScheme".
So when both schemes are "valid" (valid JWTs in cookies are present for both schemes), how can I control which scheme is used for authentication?
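The following is an added example, not part of the question or of any answer. It uses only System.Security.Claims (no ASP.NET Core dependency) to model what happens when an authorization policy lists two schemes and both succeed: the resulting ClaimsPrincipal carries one identity per scheme, and `principal.Identity` is simply the first of them. The scheme names are the ones the question gives ("MyOAuthScheme", "MyCustomScheme"). The merge order in `MergeInPolicyOrder` reproduces my reading of ASP.NET Core's policy evaluator (each later successful scheme's identities are placed before the earlier ones, so the last listed scheme ends up first); treat that as an assumption and verify it against your framework version. The defensive point is that picking the identity by `AuthenticationType` against an explicit preference list is deterministic, whereas relying on `principal.Identity` depends on merge order.

```csharp
// Added example: models scheme preference over a multi-identity ClaimsPrincipal.
// Assumptions: scheme names from the question; MergeInPolicyOrder mirrors my
// reading of the policy evaluator's merge (newest result's identities first).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class SchemePreference
{
    public const string OAuthScheme = "MyOAuthScheme";
    public const string CustomScheme = "MyCustomScheme";

    // Simulates a successful AuthenticateAsync(scheme): the identity's
    // AuthenticationType is the scheme name, which makes IsAuthenticated true.
    public static ClaimsPrincipal Authenticated(string scheme, string name) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, name) }, authenticationType: scheme));

    // Assumed model of the merge across policy.AuthenticationSchemes: each
    // successful result's identities are prepended, so the LAST scheme listed
    // becomes principal.Identity. Null entries model schemes that did not succeed.
    public static ClaimsPrincipal MergeInPolicyOrder(IEnumerable<ClaimsPrincipal?> resultsInPolicyOrder)
    {
        ClaimsPrincipal? merged = null;
        foreach (var result in resultsInPolicyOrder)
        {
            if (result == null) continue;
            var next = new ClaimsPrincipal();
            next.AddIdentities(result.Identities);
            if (merged != null)
                next.AddIdentities(merged.Identities.Where(i => i.IsAuthenticated));
            merged = next;
        }
        return merged ?? new ClaimsPrincipal(new ClaimsIdentity());
    }

    // Deterministic selection: walk the preference list and return the first
    // authenticated identity whose AuthenticationType matches, independent of
    // how the identities happen to be ordered inside the principal.
    public static ClaimsIdentity? SelectPreferred(ClaimsPrincipal principal, params string[] preference)
    {
        foreach (var scheme in preference)
        {
            var id = principal.Identities.FirstOrDefault(i =>
                i.IsAuthenticated && string.Equals(i.AuthenticationType, scheme, StringComparison.Ordinal));
            if (id != null) return id;
        }
        return null;
    }

    static void Main()
    {
        // Constructed inputs: both cookies carried a valid token, so both schemes succeeded.
        var oauth = Authenticated(OAuthScheme, "alice@oauth");
        var custom = Authenticated(CustomScheme, "alice@legacy");

        // Policy order as in the question: OAuth first, Custom second.
        var merged = MergeInPolicyOrder(new[] { oauth, custom });
        Console.WriteLine($"principal.Identity comes from: {merged.Identity?.AuthenticationType}");

        // Explicit preference: OAuth wins whenever its identity is present.
        var preferred = SelectPreferred(merged, OAuthScheme, CustomScheme);
        Console.WriteLine($"explicitly preferred identity: {preferred?.AuthenticationType} ({preferred?.Name})");

        // Migration fallback: only the legacy token is present, so the legacy identity is used.
        var legacyOnly = MergeInPolicyOrder(new ClaimsPrincipal?[] { null, custom });
        var fallback = SelectPreferred(legacyOnly, OAuthScheme, CustomScheme);
        Console.WriteLine($"fallback when only the legacy token is present: {fallback?.AuthenticationType}");
    }
}
```

In an application, `SelectPreferred` would run wherever the code currently reads `User.Identity` (a custom requirement handler, a small middleware after authorization, or a helper on the controller base), so the migration does not depend on which scheme the framework happens to place first.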
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow