
We have a .NET Core web application that we have installed on several clients. We use the appsettings file to configure slight differences between clients, such as database connection. And we have been using Microsoft Account authentication for each client.

Now we have a client that wants us to use ADFS authentication. Ideally, we would like to be able to configure this using our appsettings file, but I'm not sure how to do this. So, how can we use both the Microsoft Account and the ADFS authentication, and specify which to use? Below is the authentication portion of my startup file. I have omitted a few things for confidentiality reasons. I don't know if I need all of this:

    services.AddAuthentication()
        .AddMicrosoftAccount(microsoftOptions =>
        {
            microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
            microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
            microsoftOptions.AuthorizationEndpoint = Configuration["Authentication:Microsoft:OAuth"];
            microsoftOptions.TokenEndpoint = Configuration["Authentication:Microsoft:Token"];
            microsoftOptions.CallbackPath = new PathString("/auth/callback");
            microsoftOptions.UsePkce = false;
        })
        .AddWsFederation(options =>
        {
            // MetadataAddress represents the Active Directory instance used to authenticate users.
            options.MetadataAddress = "Omitted";

            // Wtrealm is the app's identifier in the Active Directory instance.
            // For ADFS, use the relying party's identifier, its WS-Federation Passive protocol URL:
            options.Wtrealm = "Omitted";

            // For AAD, use the Application ID URI from the app registration's Overview blade:
            //options.Wtrealm = "api://bbd35166-7c13-49f3-8041-9551f2847b69";
        });
Andrew Casey

1 Answer

If I get the question right, what we're aiming at is how to make use of multiple authentication schemes in a .NET web application.

To make it work, it is important to understand that the output of the authentication step is used to build the User property of HttpContext (after processing various steps of verification, of course).

So, multiple authentication processes won't work side by side with each other by default. We can make a custom authentication handler to make it possible, but that would make the authentication ingredients tightly coupled together.

For example, if we make our move to create a MsAuth+WsFedAuthenticationHandler that takes MsAuth and WsFed as raw material, and Google authentication is then required by a client afterwards, that's not going to work out of the box; instead we would have to write a modification into a new MsAuth+WsFed+GoogleAuthAuthenticationHandler, which is really cumbersome.

Instead, we should make our move by creating a custom PolicyScheme that is responsible for choosing which AuthenticationScheme resolves the request's authentication. For example:

    services
        .AddAuthentication(opts => opts.DefaultScheme = "MyElectedAuthenticationScheme")
        .AddMicrosoftAccount()
        .AddWsFederation()
        .AddPolicyScheme("MyElectedAuthenticationScheme", "My custom authentication electing logic process",
            opts =>
            {
                // The purpose of this is just some logic to choose the right authentication scheme
                // to handle our request. The policy scheme forwards to one of the registered
                // handler schemes, identified by their default scheme names.
                opts.ForwardDefaultSelector = ctx =>
                    ctx.Request.Headers.ContainsKey("some header that only Microsoft Account validating has")
                        ? MicrosoftAccountDefaults.AuthenticationScheme
                        : WsFederationDefaults.AuthenticationScheme;
            });

Then, with this approach, make use of as many authentication providers as needed, by just registering them and building a reasonable election logic to choose the right authentication scheme for every request. Then we would be happy for quite a long time.

Gordon Khanh Ng.
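The policy-scheme approach from the answer, applied to the asker's goal of selecting the provider per client from appsettings. This is an added example, not the asker's or answerer's code: the election is driven by a server-side `Authentication:Provider` setting (a hypothetical key, as are the `Authentication:Microsoft:*` and `Authentication:WsFederation:*` keys) rather than by a request header the client controls, and an unknown value fails at startup instead of silently leaving the app unauthenticated.

```csharp
// Added example, not the asker's or answerer's code: elect the scheme from
// appsettings (server-side) rather than from a client-controlled request header.
// Assumed (hypothetical) keys: Authentication:Provider, Authentication:Microsoft:*,
// Authentication:WsFederation:*.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AuthenticationSetup
{
    public const string ElectedScheme = "Elected";
    // Map the configured provider onto a registered scheme; reject anything else.
    public static string ResolveScheme(string provider) => provider switch
    {
        "MicrosoftAccount" => MicrosoftAccountDefaults.AuthenticationScheme,
        "WsFederation"     => WsFederationDefaults.AuthenticationScheme,
        _ => throw new InvalidOperationException(
                 $"Unsupported Authentication:Provider '{provider ?? "(missing)"}'."),
    };
    public static void Configure(IServiceCollection services, IConfiguration config)
    {
        // Resolve once at startup so a bad setting fails the deploy, not a request.
        string challengeScheme = ResolveScheme(config["Authentication:Provider"]);
        services.AddAuthentication(o =>
            {
                // Remote handlers sign in to the cookie; the policy scheme only
                // decides which handler performs the challenge.
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = ElectedScheme;
            })
            .AddCookie()
            .AddMicrosoftAccount(o =>
            {
                o.ClientId = config["Authentication:Microsoft:ApplicationId"];
                o.ClientSecret = config["Authentication:Microsoft:Password"];
            })
            .AddWsFederation(o =>
            {
                o.MetadataAddress = config["Authentication:WsFederation:MetadataAddress"];
                o.Wtrealm = config["Authentication:WsFederation:Wtrealm"];
            })
            .AddPolicyScheme(ElectedScheme, "Scheme elected from appsettings", o =>
            {
                o.ForwardDefaultSelector = _ => challengeScheme;
            });
    }
}
```

Call `AuthenticationSetup.Configure(services, Configuration)` from `Startup.ConfigureServices`; each client's appsettings then picks its provider without any code change, and the selector cannot be steered by request content.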