Default Authentication Scheme Not Honored with JwtBearerDefaults.AuthenticationScheme in .NET 8.0 #58906

@ManoNero

Hi,

I'm using .NET 8.0 and encountering an issue with setting the default authentication scheme. Despite specifying JwtBearerDefaults.AuthenticationScheme as the default, it doesn't seem to be recognized in my controllers.

Authentication Configuration:

Here's how I've set up authentication in my Program.cs:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddCookie()
    .AddJwtBearer(options =>
    {
        options.Authority = configuration["Jwt:Authority"];
        options.RequireHttpsMetadata = configuration["Jwt:RequireHttpsMetadata"] == "true";
    });

Controller Setup:

In my controller, I'm using the [Authorize] attribute without specifying any scheme:

[ApiController]
[Route("api/[controller]")]
[Authorize]
public class MyController : ControllerBase
{
    // Controller actions
}

Issue:

With the above setup, authentication doesn't work as expected. The [Authorize] attribute does not utilize the default scheme specified (JwtBearerDefaults.AuthenticationScheme). As a result, JWT authentication fails, and authorized endpoints are not accessible.

Workaround:

To make it work, I have to explicitly specify the authentication scheme in the [Authorize] attribute:

[ApiController]
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class MyController : ControllerBase
{
    // Controller actions
}

Expected Behavior:

By setting the default authentication scheme using AddAuthentication(JwtBearerDefaults.AuthenticationScheme), I expect the [Authorize] attribute to automatically use this scheme without needing to specify it explicitly in every controller or action.

Actual Behavior:

The default authentication scheme is ignored unless explicitly specified in the [Authorize] attribute.

Questions:

  • Is this the expected behavior in .NET 8.0 when multiple authentication schemes are registered?

  • How can I configure the default authentication scheme to be used by [Authorize] without specifying it each time, while still supporting multiple schemes?

Environment:

  • .NET 8.0
  • ASP.NET Core Web API
  • Microsoft.AspNetCore.Authentication.JwtBearer: 8.0.10

Any guidance on resolving this issue or clarification on whether this is intended behavior would be greatly appreciated.

Thank you!
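
Added example, not part of the original post and not code from the ASP.NET Core project: a Program.cs that keeps both schemes registered, names the JWT bearer scheme in the default authorization policy so a bare [Authorize] uses it, and exposes a development-only endpoint that reports which default schemes the running app actually resolved. The route `/_diag/auth-schemes` is hypothetical, and the project is assumed to be an ASP.NET Core 8 web project with implicit usings enabled.

```csharp
// Program.cs - added example; the diagnostic route name is hypothetical.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
var configuration = builder.Configuration;

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddCookie()
    .AddJwtBearer(options =>
    {
        options.Authority = configuration["Jwt:Authority"];
        // Differs from the post: a missing key keeps HTTPS metadata required.
        options.RequireHttpsMetadata = configuration.GetValue("Jwt:RequireHttpsMetadata", true);
    });

builder.Services.AddAuthorization(options =>
{
    // A bare [Authorize] evaluates DefaultPolicy. Naming the scheme here makes it
    // authenticate with JWT bearer whatever the default authenticate scheme is.
    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

if (app.Environment.IsDevelopment())
{
    // Reports the defaults the running app resolved, to compare with Program.cs.
    app.MapGet("/_diag/auth-schemes", async (IAuthenticationSchemeProvider schemes) => new
    {
        DefaultAuthenticate = (await schemes.GetDefaultAuthenticateSchemeAsync())?.Name,
        DefaultChallenge = (await schemes.GetDefaultChallengeSchemeAsync())?.Name,
        Registered = (await schemes.GetAllSchemesAsync()).Select(s => s.Name)
    });
}

app.Run();
```

With this default policy, endpoints that should accept the cookie scheme need it named explicitly in their own [Authorize] attribute or in a separate named policy.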

Labels

  • Needs: Author Feedback (the author of this issue needs to respond in order for us to continue investigating this issue)
  • Needs: Repro (indicates that the team needs a repro project to continue the investigation on this issue)
  • area-security