How do I issue the corresponding Bearer and Cookie identity in ASP.NET with multiple Authorization schemes?
This documentation describes in part how to use more than one authentication scheme:

In some scenarios, such as Single Page Applications it is possible to end up with multiple authentication methods. For example, your application may use cookie-based authentication to log in and bearer authentication for JavaScript requests. In some cases you may have multiple instances of an authentication middleware. For example, two cookie middlewares where one contains a basic identity and one is created when a multi-factor authentication has triggered because the user requested an operation that requires extra security.

Example:

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "Cookie",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = false
});

app.UseBearerAuthentication(options =>
{
    options.AuthenticationScheme = "Bearer";
    options.AutomaticAuthenticate = false;
});

However, it only describes how to use Bearer or Cookie auth. What isn't clear is what other combinations are valid, or how to properly issue bearer tokens or cookies to the client.

How can that be accomplished?

Strychninism answered 1/2, 2017 at 17:3 Comment(3)
That's just an example. You can create your own auth middleware, add it to the list above, and use it in any combination, e.g. one controller may allow authenticating using any of 3 schemes, another may allow only one of them. - Dripps
Also you can add e.g. the "Cookie" middleware twice with a different AuthenticationScheme name and other settings. - Dripps
Why don't you put Identity Server 4.0 "in the middle"? I did and it saved me tons of time, plus it answers most of your questions with samples and patterns: docs.identityserver.io - Catron

One common use case for this, which large sites like Facebook, Google etc. use, is to have multiple cookie authentication middlewares and set one of them to be the default using AutomaticAuthenticate:

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "InsecureLongLived",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = true
});
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "SecureAndShortLived",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = false
});
  • The default one is long lived and used for non-critical auth scenarios, e.g. on Facebook this may be to view your profile page.
  • The more secure and short lived one is used for security-critical user actions like changing your password or profile information.

This gives you the convenience of not having to log in all the time thanks to the long lived cookie, but as soon as you need to do something potentially dangerous, you switch to doing auth with a much shorter lived and thus more secure cookie, which requires the user to log in again.

Watch answered 6/3, 2017 at 16:35 Comment(5)
Great answer and it really helped me. But I noticed that this documentation (learn.microsoft.com/en-us/aspnet/core/security/authorization/…) says that none of them should have AutomaticAuthenticate set to true. I like this approach a lot, but can it be used for native JWT based scenarios? I guess the native client would have to manage keeping both tokens and figuring it out, because the server would just return a 401 and you wouldn't know which policy to attempt re-authentication with. - Australopithecus
Muhammad, how do you switch back to using the less secure cookie when you're accessing the less secure page and the more secure cookie has expired? - Australopithecus
@nhwilly Look into authorization policies. You can set one up for each cookie auth middleware by setting the AuthenticationScheme. Then you just use the right policy using the Authorize attribute. - Watch
See my "answer" below. I can't get code and other bits in this tiny comment. :0 - Australopithecus
Ok, I wrote up this long post and then discovered that this is being actively worked on by the MS guys. I'm going to give it a rest and hope they write up a detailed explanation of how to do it. Thanks for your help... - Australopithecus
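To put the answer and the policy comment together, here is an added example (not from the answerer or the original question) of wiring the two cookie schemes above to a per-scheme authorization policy and issuing the short-lived cookie on a step-up re-login. It uses the ASP.NET Core 1.x API shown on this page; the scheme names come from the answer, while the "StepUp" policy, the controller, its action names and the expiry values are assumptions, and the password verification itself is left out.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // "StepUp" (hypothetical name) accepts only the short-lived cookie; put it on sensitive actions.
        services.AddAuthorization(o => o.AddPolicy("StepUp", p => p
            .AddAuthenticationSchemes("SecureAndShortLived").RequireAuthenticatedUser()));
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "InsecureLongLived",
            AutomaticAuthenticate = true,     // populates HttpContext.User on every request
            ExpireTimeSpan = TimeSpan.FromDays(30),
            LoginPath = new PathString("/Account/Login")
        });
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "SecureAndShortLived",
            AutomaticAuthenticate = false,    // consulted only when a policy names this scheme
            ExpireTimeSpan = TimeSpan.FromMinutes(10),
            SlidingExpiration = false,        // hard cut-off: the password must be re-entered after 10 minutes
            LoginPath = new PathString("/Account/StepUp")
        });
        app.UseMvc();
    }
}
public class AccountController : Controller
{
    // Caller already holds the long-lived cookie (Login issues it with the same SignInAsync call,
    // scheme "InsecureLongLived"); verify the password here before issuing the second cookie.
    [HttpPost, Authorize]
    public async Task<IActionResult> StepUp(string password)
    {
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, User.Identity.Name) }, "SecureAndShortLived");
        await HttpContext.Authentication.SignInAsync("SecureAndShortLived", new ClaimsPrincipal(id));
        return Redirect("/Account/ChangePassword");
    }
    [Authorize(Policy = "StepUp")] // short cookie absent or expired: challenged via /Account/StepUp
    public IActionResult ChangePassword() => View();
}
```

Because only the long-lived cookie is automatic, an expired short-lived cookie never affects ordinary pages; they keep working off the long-lived identity, and only actions carrying the "StepUp" policy send the user back through the re-login.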
