I have an MVC web app and an exposed API that I want to use cookieauth for the web app and JWT for the exposed API. I am testing the API and it always seems to default to the cookie auth handler in the middleware for some reason.
Below, in the startup, I added two event handlers just to test breakpoints, and the API hits the cookie event handler instead of the JWT handler. I specify the scheme on the action, so I am not sure why it is not working.
Startup.cs Configure Services
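/// <summary>
/// Registers cookie authentication (for the MVC pages) and JWT bearer
/// authentication (for the API) on the same <see cref="IServiceCollection"/>.
/// </summary>
/// <param name="services">The application's service collection.</param>
/// <exception cref="InvalidOperationException">
/// Thrown at startup when no JWT signing key is configured.
/// </exception>
public void ConfigureServices(IServiceCollection services)
{
    // The cookie scheme is the default for every role (authenticate, sign-in,
    // challenge). Because DefaultAuthenticateScheme is the cookie scheme, the
    // authentication middleware runs the cookie handler on every request,
    // API calls included - that is why a breakpoint in the cookie events fires
    // first. The bearer handler only runs later, from the authorization layer,
    // for actions that name it via [Authorize(AuthenticationSchemes = ...)].
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
        options.SlidingExpiration = true;
        options.AccessDeniedPath = "/Error/Index";
        options.LoginPath = "/Login/Login";
        options.Cookie.Name = "CookieAuthentication";
        // Not readable from script, and only sent over HTTPS.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // Breakpoint stub. Assigning a no-op replaces the handler's default
        // redirect-to-login delegate, so an unauthenticated browser request is
        // no longer redirected to LoginPath; remove once debugging is done.
        options.Events.OnRedirectToLogin = e => Task.CompletedTask;
    })
    .AddJwtBearer(options =>
    {
        // Environment variables take precedence over appsettings so the secret
        // does not have to live in a config file.
        string issuer = Environment.GetEnvironmentVariable("JwtIssuer") ?? Configuration["Jwt:Issuer"];
        string signingKey = Environment.GetEnvironmentVariable("JwtKey") ?? Configuration["Jwt:Key"];

        // Fail fast with a clear message instead of an ArgumentNullException
        // out of Encoding.GetBytes when the key is missing.
        if (string.IsNullOrEmpty(signingKey))
        {
            throw new InvalidOperationException(
                "JWT signing key is not configured (JwtKey environment variable or Jwt:Key setting).");
        }

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = issuer,
            // NOTE(review): the audience is validated against the issuer value -
            // the original reads JwtIssuer / Jwt:Issuer for both. That only
            // works if tokens are minted with aud == iss; confirm with the
            // token-issuing code.
            ValidAudience = issuer,
            // Symmetric HMAC key from the UTF-8 bytes of the configured secret.
            // NOTE(review): the validation library enforces a minimum key size
            // for HMAC algorithms - confirm the configured secret is long enough.
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
        };
        // Breakpoint stub. The bearer handler's default OnChallenge is already a
        // no-op, so this does not alter the 401 challenge behaviour.
        options.Events.OnChallenge = e => Task.CompletedTask;
    });
}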
}
Startup.cs Configure
/// <summary>
/// Wires the request pipeline. Authentication is registered before
/// authorization so the principal is populated before any policy runs.
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment (not used here).</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app
        .UseAuthentication()
        .UseAuthorization();
}
As an example, I do this in my API, and it does not hit the correct scheme in the startup:
/// <summary>
/// Protected by the bearer scheme only; answers 200 with an empty body.
/// </summary>
[HttpGet]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public IActionResult Foo() => Ok();
CodePudding user response:
You have to register the two auth schemes like this:
//Cookie
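// Cookie scheme: the explicit Default*Scheme values make it the default for
// authenticate, sign-in and challenge, so the authentication middleware runs
// the cookie handler on every request.
_ = services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
}).AddCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
    options.SlidingExpiration = true;
    options.AccessDeniedPath = "/Error/Index";
    options.LoginPath = "/Login/Login";
    options.Cookie.Name = "CookieAuthentication";
    // Not readable from script, and only sent over HTTPS.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // No-op replaces the handler's default redirect-to-login delegate, so an
    // unauthenticated browser request is no longer redirected to LoginPath.
    options.Events.OnRedirectToLogin = e => Task.CompletedTask;
});

// JWT scheme. This AddAuthentication overload only sets DefaultScheme, and the
// explicit Default*Scheme values set above take precedence over it, so the
// cookie scheme stays the default. The bearer scheme is selected per action
// through [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)].
_ = services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Environment variables take precedence over appsettings so the secret
        // does not have to live in a config file.
        string issuer = Environment.GetEnvironmentVariable("JwtIssuer") ?? Configuration["Jwt:Issuer"];
        string signingKey = Environment.GetEnvironmentVariable("JwtKey") ?? Configuration["Jwt:Key"];

        // Fail fast with a clear message instead of an ArgumentNullException
        // out of Encoding.GetBytes when the key is missing.
        if (string.IsNullOrEmpty(signingKey))
        {
            throw new InvalidOperationException(
                "JWT signing key is not configured (JwtKey environment variable or Jwt:Key setting).");
        }

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = issuer,
            // NOTE(review): the audience is validated against the issuer value -
            // the original reads JwtIssuer / Jwt:Issuer for both. That only
            // works if tokens are minted with aud == iss; confirm with the
            // token-issuing code.
            ValidAudience = issuer,
            // Symmetric HMAC key from the UTF-8 bytes of the configured secret.
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
        };
        // The bearer handler's default OnChallenge is already a no-op, so this
        // does not alter the 401 challenge behaviour.
        options.Events.OnChallenge = e => Task.CompletedTask;
    });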
And decorate your actions with the auth scheme you need:
/// <summary>
/// Requires a valid bearer token; answers 200 with an empty body.
/// </summary>
[HttpGet]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public IActionResult Foo() => Ok();
/// <summary>
/// Requires the authentication cookie; answers 200 with an empty body.
/// </summary>
[HttpGet]
[Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
public IActionResult FooCookie() => Ok();