I am building an ASP.NET Core Web API that will be secured by Azure AD (secured via app.UseJwtBearerAuthentication).

I am building an ASP.NET Core MVC controller (secured by app.UseOpenIdConnectAuthentication) which calls that Web API.

I am trying to implement the authentication flow as described in the OpenID Connect Basic Client Implementer’s guide.

The sample code I find for this pattern (one example is here: /active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs) is using .NET (not .NET Core) with OWIN. You use the OnAuthorizationCodeReceived method and call AcquireTokenByAuthorizationCodeAsync to get the token you’ll use in your request to the Web API.

When I try to build the analogous pattern in ASP.NET Core MVC, I see the following:

- When I configure MVC’s app.UseOpenIdConnectAuthentication with defaults, then I can log into the system, but I don’t get an authorization code back. The event that fires for me is the OnTokenValidated event instead of the AuthorizationCodeReceived event shown above. It has an identity and a token, which is great.
- When I configure MVC’s app.UseOpenIdConnectAuthentication with response-type = “code”, then I get a code back and the OnAuthorizationCodeReceived event fires, but I get no identity back.

[My Azure application manifest was set up for oauth2AllowImplicitFlow: true. In this case, the user authentication and token generation are compressed into a single step, which is not as secure as I need, so I set it to false.]

After further investigation, I learned that the ASP.NET Core infrastructure is designed to handle multiple separate authentication middleware entries, and that Microsoft.AspNetCore.Authentication.JwtBearer / JwtBearerHandler.cs is coded to throw a 'not allowed' error if you try to use the SignIn workflow with a JwtBearer configuration.

Therefore, it looks like I will have to follow that multiple-middleware approach: one cookie-based middleware for the login, and one bearer-token-based middleware for the bearer token to access services linked to this app (instead of the model from the OWIN sample, where the call to the service is done after receiving the authorization code).

This feature (multiple authentication middlewares) is described in https://docs.asp.net/en/latest/security/authorization/limitingidentitybyscheme.html

Does anyone have an example for this? Or am I still thinking about this wrong?
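The two-middleware layout the question arrives at, written out as an added example (not code from the question or from the linked sample): a cookie middleware owns the session, and the OpenID Connect middleware uses the hybrid response type "code id_token" so that an identity and an authorization code arrive in the same response, with OnAuthorizationCodeReceived redeeming the code through ADAL. Assumed: ASP.NET Core 1.x middleware APIs (the app.Use... style in the question), the ADAL package Microsoft.IdentityModel.Clients.ActiveDirectory, and placeholder values for tenant, client, secret and the Web API's App ID URI.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public partial class Startup
{
    // Placeholders (assumed): load these from configuration or user-secrets, not from source.
    const string Authority = "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>";
    const string ClientId = "<CLIENT-ID-PLACEHOLDER>";
    const string ClientSecret = "<CLIENT-SECRET-PLACEHOLDER>";
    const string WebApiResource = "<WEB-API-APP-ID-URI-PLACEHOLDER>";

    public void ConfigureAuth(IApplicationBuilder app)
    {
        // Middleware 1: the cookie owns the browser session. OIDC signs in through it (SignInScheme),
        // which is the SignIn path that JwtBearerHandler refuses to take.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme,
            AutomaticAuthenticate = true
        });

        // Middleware 2: OIDC hybrid flow. "code id_token" returns an identity (id_token) and a code
        // in one response, so both OnTokenValidated and OnAuthorizationCodeReceived fire, and no
        // access token travels through the browser (the implicit-flow path the question turned off).
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            Authority = Authority,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
            Events = new OpenIdConnectEvents
            {
                OnAuthorizationCodeReceived = async ctx =>
                {
                    // Redeem the code on the back channel for a Web API access token. ADAL caches it;
                    // a controller later calls AcquireTokenSilentAsync(WebApiResource, ...) and sends
                    // the result as a Bearer token for the Web API's JwtBearer middleware to validate.
                    var redirectUri = ctx.Properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey];
                    var authContext = new AuthenticationContext(Authority); // shared default cache; use a per-user cache in production
                    await authContext.AcquireTokenByAuthorizationCodeAsync(
                        ctx.ProtocolMessage.Code, new Uri(redirectUri),
                        new ClientCredential(ClientId, ClientSecret), WebApiResource);
                    ctx.HandleCodeRedemption(); // the code is spent; stop the middleware from redeeming it again
                }
            }
        });
    }
}
```

The Web API side stays as in the question: app.UseJwtBearerAuthentication with the same Authority and the Web API's App ID URI as Audience, and it never participates in SignIn.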