
I have a WebApi (DemoService). I protect it with IdentityServer4. If I request the Api with a Bearer token, my DemoService makes some requests to be sure that I am allowed to access the DemoService.

  1. GET http://192.168.178.20:5200/.well-known/openid-configuration
  2. GET http://192.168.178.20:5200/.well-known/openid-configuration/jwks

In the default scenario my DemoService authorizes against only one IdentityServer4 and everything works well. Is it possible to make the URL (192.168.178.20:5200) of the IdentityServer4 flexible, to authorize against a second IdentityServer4? Or is it possible to add a second IdentityServer4?

Here is my Startup.cs:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace DemoService
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvcCore()
                .AddAuthorization()
                .AddJsonFormatters();

            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    // can I decide in the current
                    // Request which Authority to use?
                    // I want to switch the url between two
                    // IdentityServers
                    options.Authority = "http://192.168.178.20:5200";
                    options.RequireHttpsMetadata = false;

                    options.ApiName = "DemoService";
                });

            //// If I try to add a second IdentityServer I
            //// get the following failure:
            //// System.InvalidOperationException: 'Scheme already exists: BearerIdentityServerAuthenticationJwt'
            // services.AddAuthentication("Bearer")
            //     .AddIdentityServerAuthentication(options =>
            //     {
            //         options.Authority = "http://localhost:5000";
            //         options.RequireHttpsMetadata = false;
            //         options.ApiName = "DemoService";
            //     });
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseAuthentication();

            app.UseMvc();
        }
    }
}
  • So you want to authenticate against two different identity servers? – Linda Lawton - DaImTo Mar 28 '18 at 12:02
  • Try changing the name of your second scheme; the error message is just telling you that you can't register two schemes under the name "Bearer". The name you assign doesn't control how the scheme is used, by the way. If that still doesn't work, try registering them with the generic `AddOpenIdConnect` config instead of the IdentityServer-specific one. – McGuireV10 Mar 28 '18 at 12:03
  • @DalmTo: Yes, the user should have the choice to authenticate against two different identity servers. – user606249 Mar 28 '18 at 13:08
  • @McGuireV10: You are right. I can rename Bearer to Bearer4 and it works fine. If I add the second IdentityServer4 in the pipeline, it seems that it tries to authenticate against the wrong IdentityServer4 (the wrong kid). Here is the failure: Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: 'IDX10501: Signature validation failed. Unable to match 'kid': '4c301c179f1a2295f73d3050869b68cf', token: '{"alg":"RS256","typ":"JWT","kid":"4c301c179f1a2295f73d3050869b68cf"}.{"nb... – user606249 Mar 28 '18 at 13:18
  • Could the AddIdentityServerAuthentication() or JwtBearerHandler read the iss if it matches options.Authority? – user606249 Mar 28 '18 at 13:56
  • I don't have an answer and don't have time to set up a whole new ID4 server, but I'm curious about why you'd need two servers? This sounds like what we call an [xy problem](https://meta.stackexchange.com/a/66378/379425). – McGuireV10 Mar 28 '18 at 14:55
  • The use case: We have an Api (DemoService) and an IdentityServer4 to protect the Api. We have a customer/retailer with its own IdentityServer. The customer wants to use the Api (DemoService) but does not want to share its user database. – user606249 Mar 28 '18 at 15:28
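One way to get past the "wrong kid" failure from the comments is to register each IdentityServer as its own concrete JWT bearer scheme and let a policy scheme named "Bearer" forward each request to the scheme whose authority matches the token's unverified `iss` claim. This is an added example, not code from the question or from IdentityServer4; the scheme names, the use of the generic `AddJwtBearer` handler instead of `AddIdentityServerAuthentication`, and the assumption that each server's `iss` equals its authority URL are mine (the second URL, http://localhost:5000, is the commented-out server from the question).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class MultiIssuerAuth
{
    // Assumed scheme names; the second authority is the commented-out server from the question.
    public const string InternalScheme = "Bearer.Internal";
    public const string InternalAuthority = "http://192.168.178.20:5200";
    public const string CustomerScheme = "Bearer.Customer";
    public const string CustomerAuthority = "http://localhost:5000";

    public static IServiceCollection AddMultiIssuerBearer(this IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            // "Bearer" becomes a virtual scheme that only picks the concrete JWT scheme.
            .AddPolicyScheme("Bearer", "Multi-issuer bearer", options =>
            {
                options.ForwardDefaultSelector = context =>
                {
                    string header = context.Request.Headers["Authorization"];
                    if (string.IsNullOrEmpty(header) ||
                        !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                        return InternalScheme;
                    return SelectScheme(header.Substring("Bearer ".Length).Trim());
                };
            })
            .AddJwtBearer(InternalScheme, o => Configure(o, InternalAuthority))
            .AddJwtBearer(CustomerScheme, o => Configure(o, CustomerAuthority));
        return services;
    }

    // Routes on the UNVERIFIED 'iss' claim only. The chosen handler still validates the
    // signature against its own JWKS plus issuer and audience, so a forged 'iss' just
    // selects a scheme that then rejects the token.
    public static string SelectScheme(string rawToken)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(rawToken)) return InternalScheme;
        string issuer = handler.ReadJwtToken(rawToken).Issuer;
        return string.Equals(issuer, CustomerAuthority, StringComparison.OrdinalIgnoreCase)
            ? CustomerScheme : InternalScheme;
    }

    private static void Configure(JwtBearerOptions options, string authority)
    {
        options.Authority = authority;
        options.Audience = "DemoService";     // the ApiName from the question
        options.RequireHttpsMetadata = false; // matches the question's dev setup
    }
}
```

In `ConfigureServices`, replace the existing `services.AddAuthentication("Bearer")...` block with `services.AddMultiIssuerBearer();`; each concrete scheme fetches only its own server's discovery document and JWKS, so a kid from one server is never looked up in the other's key set.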
