Multiple authentication shemes for API

[Luke-1988]

I am trying to support multiple authentication methods for my API. Similar to Shawn Wildermuth's post here except I want to support both Cookies, JWT (and also HTTP Basic Auth and Custom Acces Keys*) for single API.

In ASP.NET Core 1.0 this was done by multiple authentication middlewares:

app.UseMiddleware<Luke1988.API.Authentication.CookiesAuthenticationMiddleware>();
app.UseMiddleware<Luke1988.API.Authentication.HttpBasicAuthenticationMiddleware>();
app.UseMiddleware<Luke1988.API.Authentication.JwtBearerAuthenticationMiddleware>();
app.UseMiddleware<Luke1988.API.Authentication.CustomAccessKeysAuthenticationMiddleware>();

where each middleware checks for its Authorization "medium" (cookies, Authorization header), and if present, authenticate, else continue request. Very simple, works like a charm.

When migrating to ASP.NET Core 2.0, this multiple authentication middlewares concept is depreciated and I should use:

services.AddAuthentication()
        .AddCookie();
        .AddJwtBearer(cfg =>
        {
          cfg.TokenValidationParameters = new TokenValidationParameters()
          {
            ValidIssuer = _config["Tokens:Issuer"],
            ValidAudience = _config["Tokens:Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"])),
            ValidateLifetime = true
          };
        });

This simplified setup is not working. When I send Authorization header for JWT, user is not loaded. Authentication is "bypassed".

Addind Authorize attribute with schema to controller makes JWT working, but when I send Cookies in request, Cookies Auth is "bypassed" (this makes sense).

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
  [Route("api/[controller]")]
  public class OrdersController : Controller

No matter what I do, I cannot make multiple authentication schemes on same controller working the way I did in Core 1.0.

Any ideas?

*, ** - both authentication methods are set in customer's project requirements for his internal services integrations.

[Tratcher]

Authenticating multiple is doable with some extra effort. Try a middleware like this:

app.Use(async (context, next) =>
{
   var result = await context.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType);
   if (!result.Succeeded)
   {
      result = await context.AuthenticateAsync(JwtBearerDefaults.AuthenticationType);
   }
   if (!result.Succeeded)
   {
      result = await context.AuthenticateAsync("Basic");
   }
   ...

   context.User = result.Principal;

   await next();
});

The larger problem comes when all of them are missing, which do you challenge for? You can't issue a challenge for all of them, the challenges for things like Cookies and JWT are incompatible. You should pick one and set that as the default in AddAuthentication.

Also, do you support any scenario where multiple forms of auth are present on one request? E.g. Cookies + anything else? Which takes precedence?

[Luke-1988]

Thank you Chris! You solution looks pretty good. I got a few comments:

You can't issue a challenge for all of them

I am building RESTful API. So, if no authentication at all, API respond with 401. If you are a developer using this API, pick available authentication you want and use it.

You should pick one and set that as the default in AddAuthentication.

I am afraid this will make that one I pick as default a mandatory (required) Authentication, and will result in 401 (or Challenge) if not provided. Or not?

Which takes precedence?

Sad to say that but hardcoded. As well as your solution, as well as my Core 1.0 version.

Just to confirm, your proposed solution build together with existing code:

services.AddAuthentication()
        .AddCookie();
        .AddJwtBearer(cfg =>
        {
          cfg.TokenValidationParameters = new TokenValidationParameters()
          {
            ValidIssuer = _config["Tokens:Issuer"],
            ValidAudience = _config["Tokens:Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Tokens:Key"])),
            ValidateLifetime = true
          };
        });


app.UseAuthentication();
app.Use(async (context, next) =>
{
   var result = await context.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType);
   if (!result.Succeeded)
   {
      result = await context.AuthenticateAsync(JwtBearerDefaults.AuthenticationType);
   }
   if (!result.Succeeded)
   {
      result = await context.AuthenticateAsync("Basic");
   }
   ...

   context.User = result.Principal;

   await next();
});

[Tratcher]

Yes, that's the code layout I'd expect.

UseAuthentication calls AuthenticateAsync for the default scheme and sets User, but it does not reject unauthenticated requests. That's what Authorize is for.

[Luke-1988]

Chris, one more question.

I am going to implement Google & Facebook authentication as well. As far as I understand, both Google and Facebook AuthenticationHandlers do Challenge user by returning 302 and redirection to Google or Facebook login page with return url back to ASP.NET.

When user logs in via Google or Facebook login form, he or she is redirect back to return url with Google or Facebook login token. This token is automatically processed by current AuthenticationHandler in ASP.NET. When success, ASP.NET creates a cookie for this user with authentication between user and my app.

Do I understand the process?

Is this process override-able? If so, how can I handle that token and say I want it as a JWT or custom cookie?
This whole process with 302 and redirect is not suitable for a RESTful API and SPA (Angular, React, whatever).

Thanks

[Tratcher]

Yes, that's how the flow works, and yes it's not suitable for for Web APIs. For a WebAPI / SPA you'd use a client side SDK provided by Google or Facebook to get a JWT, then use JwtBearer to validate it on the server.

[cycbluesky]

Perfect! I'd like use multiple authentication shemes for web API. Cookie authentication for web site, Jwt for Mobile App, and accesstoken for parter system.

[John0King]

@Tratcher :( Who proivde the redirect ? the UseAuthentication() or context.AuthenticateAsync()
and what do u suggestion for a mvc page that has javascript to talk to a webAPI ? login twice ?

[Tratcher]

@John0King your question needs more context. No, UseAuthentication() and context.AuthenticateAsync() do not generate redirects, [Authorize] and ChallengeAsync can if you're using cookies or oauth.

You can uses a token server like IdentityServer4 to exchange your cookie for a JWT for use with WebApis. This should be transparent to the user.

[Eilon]

Closing because we believe we've answered the question. If people have new questions, please log a new issue with details. Thanks!

[Luke-1988]

@Tratcher thank you (ex post) very much, your solution works like a charm. Just to correct, see bellow:

this works:

app.UseAuthentication();
app.Use(async (context, next) =>
{

this works as well, and is a bit faster:

//app.UseAuthentication();
app.Use(async (context, next) =>
{

[Tratcher]

FYI app.UseAuthentication(); is required for some handlers to function properly such as cookies with sliding expiration, oauth, OIDC, etc.. JWT and windows auth are the only ones I'm aware of that don't need it.