How to use multiple authentication schemes? #405

Open
juselius opened this issue Mar 28, 2020 · 7 comments
Labels
feature request Request to add new functionality help wanted Community contribution or any kind of help much appreciated PR approved A PR for this issue will get accepted (as long as inline with the comms) question General question

Comments

@juselius

I need two different authentication schemes in one application. Some users are logged in via Kerberos using Negotiate, and some are authenticated using CookieAuthentication. If I set AuthenticationOptions.DefaultScheme <- "Negotiate", CookieAuthentication stops working (explicitly calling challenge "Cookies") and vice versa.

In C# there is an attribute [Authorize(AuthenticationSchemes ="Cookies")] which supposedly does the trick. I'm guessing the Giraffe equivalent should be requireAuthentication (challenge "Cookies"), without having looked at the C# code.

@dustinmoris
Member

Hi, quick question: what do you want to happen when a user is not authenticated? Should your application challenge them to present a cookie or to log in via Kerberos? Or is it dependent on which route they have tried to access?

@juselius
Author

juselius commented Apr 6, 2020

Depending on the route (intranet or external), the application will either ask the user to sign in, if they don't have a valid cookie or JWT, or automagically sign them in using a Kerberos negotiate challenge.

@dustinmoris
Member

In this case you have two options how to accomplish it:

  • The classic ASP.NET Core way would be to create a new MultiAuthMiddleware where you can call multiple authentication handlers and try to authenticate a user based on different schemes.
  • In the classic Giraffe way it would be identical to the middleware approach but you could have a MultiAuthHttpHandler instead of middleware and apply the same logic there. This would give you ultimately more flexibility as you could pick and choose to which routes to apply the handler and which not.

Either way, you'll have to write some fairly simple logic yourself where you check an incoming HTTP request to have one of your accepted authentication methods and then validate that scheme accordingly.

@dustinmoris dustinmoris added the question General question label Apr 12, 2020
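The per-route handler approach described above, as an added example that is not code from this thread or from Giraffe itself. It assumes a Giraffe/F# version where the `task` expression is available without extra opens and that schemes named "Negotiate", "Cookies" and "Bearer" are registered at startup; `tryAuthenticate`, `requiresAuthenticationWith` and the route paths are hypothetical names.

```fsharp
open Microsoft.AspNetCore.Authentication
open Microsoft.AspNetCore.Http
open Giraffe

/// Hypothetical helper: try each scheme in order and return the first
/// principal that authenticates, or None if every scheme fails.
let rec tryAuthenticate (ctx : HttpContext) (schemes : string list) =
    task {
        match schemes with
        | [] -> return None
        | scheme :: rest ->
            let! result = ctx.AuthenticateAsync scheme
            if result.Succeeded && not (isNull result.Principal) then
                return Some result.Principal
            else
                return! tryAuthenticate ctx rest
    }

/// Hypothetical handler: only the schemes listed for this route are accepted,
/// whatever AuthenticationOptions.DefaultScheme is set to. On failure the
/// pipeline stops at authFailedHandler, so the protected handler never runs.
let requiresAuthenticationWith (schemes : string list)
                               (authFailedHandler : HttpHandler) : HttpHandler =
    fun (next : HttpFunc) (ctx : HttpContext) ->
        task {
            match! tryAuthenticate ctx schemes with
            | Some principal ->
                // Overwrite any identity set earlier by a default scheme.
                ctx.User <- principal
                return! next ctx
            | None ->
                return! authFailedHandler earlyReturn ctx
        }

// Assumed route layout: Kerberos on the intranet, cookie or JWT externally.
let webApp : HttpHandler =
    choose [
        subRoute "/intranet"
            (requiresAuthenticationWith [ "Negotiate" ] (challenge "Negotiate")
             >=> text "intranet")
        subRoute "/external"
            (requiresAuthenticationWith [ "Cookies"; "Bearer" ] (challenge "Cookies")
             >=> text "external")
    ]
```

Because each route names its accepted schemes explicitly, a valid cookie does not authenticate a request to the intranet routes, and the challenge sent on failure is chosen per route rather than by the default scheme.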
@baronfel
Contributor

@juselius you can look at #394 for an example of enforcing multiple auth methods if you need some inspiration.

@juselius
Author

juselius commented Apr 12, 2020

Thanks! I already had a look at #394. I think the gist can serve as a good starting point for a custom middleware. But it would be nice to get #394 into the mainline Giraffe. If I find the time, I can give it a shot.

@dustinmoris dustinmoris added feature request Request to add new functionality help wanted Community contribution or any kind of help much appreciated PR approved A PR for this issue will get accepted (as long as inline with the comms) labels Apr 12, 2020
@dustinmoris
Member

Agreed, I think that would be a pretty common use case to want to support multiple auth schemes.

@bsheldrick

Further to this, it would be nice to support using AuthenticationProperties with the common authentication functions, e.g. challenge, forbid, signIn, signOut.

Example for challenge:

let challengeWithProps scheme props : HttpHandler =
    fun next ctx ->
        task {
            do! ctx.ChallengeAsync(scheme, props)
            return! next ctx
        }

4 participants