26

I've been looking into the basics of .NET Core Authentication using Azure AD for an API that I'm building and I've been trying to find information about the authentication schemes. I get the difference between cookie and token based authentication but it seems to me that the JwtBearer and OpenIdConnect options are very similar in that they both work based on a token system.

I've done a lot of searching and I can't find anywhere that explains the differences between the two, in which scenarios you'd use one over the other or even the definitions of what these methods do. I've looked at a lot of tutorials online and even various YouTube videos and about 60% of them use AddJwtBearer and the others use AddOpenIdConnect to specify their authentication schemes. Could someone explain what these do and what the differences are?

Serberuss

1 Answer

24

You use AddJwtBearer to secure an API, meaning that the client of the API sends JWT-tokens to access the API and there is otherwise no human interaction.

AddOpenIdConnect you use to secure a web-application, where you have human interaction (login/logout...), because you typically redirect your user to your identity provider.

The image below shows what the JwtBearer handler does:

[Image: what the JwtBearer handler does]

For further help when using AddOpenIdConnect / AddJwtBearer, I have written a few related blog posts:

Tore Nestenius
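The split described in the answer above, as an added example that is not part of the original post: a minimal ASP.NET Core `Program.cs` (assuming .NET 7 or later and the `Microsoft.AspNetCore.Authentication.JwtBearer` and `Microsoft.AspNetCore.Authentication.OpenIdConnect` packages) that registers both handlers side by side. The authority, audience, client ID, configuration key and route names are placeholders chosen for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Placeholders (assumptions): substitute your own tenant and app registrations.
const string authority = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0";
const string apiAudience = "API_AUDIENCE_PLACEHOLDER";
const string webClientId = "WEB_CLIENT_ID_PLACEHOLDER";

builder.Services
    .AddAuthentication(options =>
    {
        // Browser users: the session lives in a cookie; OpenID Connect is
        // only the challenge scheme that redirects to the identity provider.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = authority;
        options.ClientId = webClientId;
        // Hypothetical config key; keep the secret out of source control.
        options.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
        options.ResponseType = "code"; // authorization code flow
    })
    .AddJwtBearer(options =>
    {
        // API callers: no redirect, no cookie. The handler validates the
        // token's signature, issuer, lifetime and audience on every request.
        options.Authority = authority;
        options.Audience = apiAudience;
    });

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Interactive page: an anonymous request is answered with a 302 to the
// identity provider's sign-in page (OpenIdConnect challenge).
app.MapGet("/profile", (HttpContext ctx) => $"Hello {ctx.User.Identity?.Name}")
   .RequireAuthorization();

// API endpoint: pinned to the Bearer scheme, so an anonymous request gets
// 401 with "WWW-Authenticate: Bearer" instead of a redirect.
app.MapGet("/api/data", () => Results.Ok(new { value = 42 }))
   .RequireAuthorization(p => p
       .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
       .RequireAuthenticatedUser());

app.Run();
```

Pinning the API route to the Bearer scheme matters when both handlers are registered: without it the route would accept the browser cookie, which re-exposes the API to cross-site request forgery.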