5

I need the Authorize attribute in our Controller to accept two different tokens.

One token is provided by a private ADFS, and the other token is provided by Azure AD.

Several Ionic clients go over ADFS, other Ionic clients go over Azure AD.

My dev scenario: ASP.NET Core 2.2 Web API

My actual startup.cs (abbreviated)

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Audience = Configuration["Adfs:Audience"];
            options.Authority = Configuration["Adfs:Issuer"];
            options.SaveToken = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false
            };
        });
}

I need here the other Authentication with AzureAD. How?

The Configure method of Startup.cs

Configure(…)
{
    app.UseAuthentication();
}

With this code, only the ADFS token can be accepted, and those users can obtain results from the controllers. However, the AzureAD users can't obtain access.

I don't know how to make this code do double token authorization, so that our controllers can respond whether one token is from ADFS or the other token is from AzureAD.

marc_s
Tulio

1 Answer

6

You can set up multiple JWT Bearer authentication handlers with different scheme names:

services.AddAuthentication()
    .AddJwtBearer("ADFS", options =>
    {
        options.Audience = Configuration["Adfs:Audience"];
        options.Authority = Configuration["Adfs:Issuer"];
        options.SaveToken = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false
        };
    })
    .AddJwtBearer("AAD", options =>
    {
        // AAD jwt validation configuration
    });

If you want your controller/action to accept two JWT tokens, so that tokens from either AAD or ADFS are OK to access your controller/action, you can make a policy that lets both the AAD and ADFS authentication schemes try to authenticate the request:

services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .AddAuthenticationSchemes("AAD", "ADFS")
        .Build();
});

In addition, if you want to know which scheme the token came from, you can check a particular claim in the user's identity, or directly add the authentication scheme value to the user's claims in the events:

options.Events = new Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerEvents
{
    OnTokenValidated = (context) =>
    {
        var claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
        // add your custom claims here
        claimsIdentity.AddClaim(new Claim("schema", "AAD"));

        return Task.FromResult(0);
    }
};

And read it in the action after authentication:

// null-safe: the claim is absent when the token was validated by a scheme that does not add it
var result = User.Claims.FirstOrDefault(c => c.Type == "schema")?.Value;
Nan Yu
  • Thanks, Nan. Thanks for your help. – Tulio Aug 01 '19 at 06:27
  • @Tulio, if the reply helps, please mark it as the answer, which will help others who meet the same problem. – Nan Yu Aug 01 '19 at 06:28
  • Can I use AddJwtBearer for both situations? Maybe for AzureAD the .AddAzureAdBearer(options => Configuration.Bind("AzureAd", options)) is a better approach? (Extension method from AuthenticationBuilder.) – Tulio Aug 01 '19 at 06:34
  • AddAzureAdBearer is a wrapper around AddJwtBearer specific to AAD; you can use either one. – Nan Yu Aug 01 '19 at 06:35
  • That relates to your ADFS token configuration, something like ` .AddJwtBearer(options => { options.Authority = "https://.../adfs"; options.Audience = "urn:microsoft:userinfo"; // taken from client token using jwt.io options.MetadataAddress = "adfs metadata address"; options.TokenValidationParameters = new TokenValidationParameters() { ValidIssuer = "https://.../adfs/services/trust", ValidAudiences = new List<string> { "web app id" }, };}` – Nan Yu Aug 01 '19 at 08:28
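Putting the answer's pieces together as one added example (not code from the question, the answer or the comments): a helper that registers both bearer schemes, makes the default policy try both, and stamps the validating scheme into a claim. It assumes the configuration keys Adfs:Authority, Adfs:Audience, AzureAd:Authority and AzureAd:Audience, and, unlike the question's snippet, keeps issuer and audience validation on for each scheme so a token from one provider cannot satisfy the other.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class DualJwtBearerExtensions
{
    // Call from Startup.ConfigureServices: services.AddDualJwtBearer(Configuration);
    // Assumed config keys: Adfs:Authority, Adfs:Audience, AzureAd:Authority, AzureAd:Audience.
    public static IServiceCollection AddDualJwtBearer(this IServiceCollection services, IConfiguration config)
    {
        // One named scheme per identity provider. No default scheme: the policy below names both.
        services.AddAuthentication()
            .AddJwtBearer("ADFS", o => ConfigureScheme(o, "ADFS", config.GetSection("Adfs")))
            .AddJwtBearer("AAD", o => ConfigureScheme(o, "AAD", config.GetSection("AzureAd")));
        services.AddAuthorization(options =>
        {
            // Every [Authorize] request is tried against both handlers; either validated token passes.
            options.DefaultPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddAuthenticationSchemes("AAD", "ADFS")
                .Build();
        });
        return services;
    }

    // Each scheme validates its own issuer (taken from the authority's OIDC metadata), audience
    // and lifetime, so a token minted by one provider is rejected by the other scheme.
    private static void ConfigureScheme(JwtBearerOptions o, string scheme, IConfigurationSection cfg)
    {
        o.Authority = cfg["Authority"];
        o.Audience = cfg["Audience"];
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidateAudience = true, ValidateLifetime = true
        };
        o.Events = new JwtBearerEvents
        {
            // Tag the principal with the scheme that validated it; an action can then read
            // User.FindFirst("schema")?.Value to tell ADFS users from AAD users.
            OnTokenValidated = ctx =>
            {
                ((ClaimsIdentity)ctx.Principal.Identity).AddClaim(new Claim("schema", scheme));
                return Task.CompletedTask;
            }
        };
    }
}
```

Startup.Configure keeps app.UseAuthentication() before the MVC middleware exactly as in the question; nothing else there changes.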