-
Notifications
You must be signed in to change notification settings - Fork 600
Multiple authentication schemes and global filters (ASP.NET Core 2) #1559
Comments
Is it not possible to create something that makes a policy only applicable for provided set of routes? In the Katana world, one could at least just use middleware to accomplish seperation.
|
See #1546 (comment). Map almost worked with Core 1.x, but it won't work at all with the 2.0 design. |
Right, thanks. I ended up with something working setting it up like this.
|
@johnkors do you have git hub sample solution of Multiple Scheme and global filter ? |
@akashdeep1024 : In the comment above, there's a global filter |
@johnkors Sorry to revive this, but I can't find any reference to EDIT: Nevermind, my apologies. I see now it's a class available in the referenced issue. |
We did tweak things a bit starting in preview2, we enabled the forwarding in all schemes, so you can forward in all existing schemes (i.e. cookies, OAuth, google), AddVirtualScheme was renamed AddPolicyScheme for the scenario where you want a pure virtual scheme that isn't attached to any specific auth handler logic.
|
@HaoK Sounds amazing, can't wait to hack around with that. But I'm working on some production-bound code and need to figure out how to get something done now. Essentially I am using |
So you are basically doing two factor auth with Google + PIN/local password? You will just need to build that flow yourself, it shouldn't look that different than what the templates do today, if you didn't want to use identity to do the password verification you would just replaces those calls to your own password verification logic |
@HaoK, I have a different scenario for combining authentication methods that I'm wondering if it can be handled via VirtualSchemes or (even better) can be achieved without them? Due to the nature of our app (education software) we can have users coming in via a wide number of auth providers, many of them using OAuth 1.0 (specifically, LTI). Rather than always creating a new user account whenever we don't recognize a login and then having to deal with complex identity merges later, we want to invite 'new' users to identify themselves via OpenID (Google and Microsoft primarily since that covers most schools.) We could ask them for their U/P, except we don't do U/P - we have always preferred to only support login via 3rd party identity providers and don't really want to change that. So the scenario is that one authentication scheme (LTI/OAuth1.0) receives the user's identity info, recognizes that this identity is new to our system, and then forwards a challenge to our default scheme. Upon completion of that scheme (either successful auth or declining (i.e. NoResult)) we would ideally return to the original scheme to complete either creating a new user using the provided claims or adding an additional login to the existing user. Once all of that was complete, the final AuthenticationTicket would be returned and the request would process normally. |
Hi,
I'm struggling to get the following auth working in an OK manner, which of I find a quite common use case. I want to co-host a API and a UI within the same ASP.NET Core MVC 2 host, but keeping the authorization setup separate.
/api
Every route starting with
/api
should have JWT bearer auth requiring the tokens to contain a specific scope./anyotherurl
:Any other URI should use cookies and openid connect, and use a global filter forcing authenticated users, so I don´t need to add an
[Authorize]
attribute on every new UI controller added to the project now or later.Issue I'm facing
When I add global filters for cookies, they are applied to my API bits as well. This is undesirable.
I've tried using
IActionModelConvention
s , but it does not seem to do anything to globally applied filters (e.g if I add a global filter for OIDC, I cannot "remove" it from the API routes filters).Is there any other good way of seperating auth (APIs / UI) whilst also keeping the good parts of having global auth policies applied ..?
A
[DisableGlobalFiltersFor("/api")]
, or a convention that allows for rejecting global filters?The text was updated successfully, but these errors were encountered: