9

I have Web API developed using ASP.NET Core and I need to be able to use both Basic and Bearer authentication schemes for the same service. For some reason it does not work: it always considers the call as a bearer one. Here's my code:

This are the attributes I have in the controller:

[Authorize(ActiveAuthenticationSchemes = "Basic,Bearer")]
[ResponseCache(NoStore = true, Duration = 0, VaryByHeader = "Authorization")]

This is my startup.cs:

this part is for basic auth:

   app.UseBasicAuthentication(new BasicAuthenticationOptions
        {
            AutomaticAuthenticate = false,
            AutomaticChallenge = false,
            Realm = "test",
            Events = new BasicAuthenticationEvents
            {
                OnValidateCredentials = context =>
                {
                    if (svc.IsValidCredential(context.Username, context.Password))
                    {
                        var claims = new[]
                        {
                        new Claim(ClaimTypes.NameIdentifier, context.Username),
                        new Claim(ClaimTypes.Name, context.Username)
                        };

                        context.Ticket = new AuthenticationTicket(
                            new ClaimsPrincipal(
                                new ClaimsIdentity(claims, context.Options.AuthenticationScheme)),
                            new AuthenticationProperties(),
                            context.Options.AuthenticationScheme);
                    }

                    return Task.FromResult<object>(null);
                }
            }
        });

And this piece of code for Bearer authentication:

    app.UseAPIKeyAuthentication(new BearerApiKeyOptions
        {
            AuthenticationScheme = BearerApiKeySchema,
            AutomaticAuthenticate = false  
        });
Improve this question
1
  • No reply so far. Nobody knows how to use multiple authentication? Commented May 8, 2017 at 7:51

1 Answer 1

Reset to default
5

You may look at this for some reference from official Microsoft GitHub.

My use-case is slightly different, I need a combination of Cookie and Windows Authentication. You will need to use the PolicyBuilder to enforce the 'require authentication' part.

On ConfigureServices method:

            // add additional authorisation for cookie
            services.AddAuthorization(options =>
            {
                options.AddPolicy("CookiePolicy", policy =>
                {
                    policy.AddAuthenticationSchemes("NTLM", "MyCookie"); // order does matter. The last scheme specified here WILL become the default Identity when accessed from User.Identity
                    policy.RequireAuthenticatedUser();
                });
            });

On Configure method:

            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationScheme = "MyCookie",
                LoginPath = new PathString("/Account/Login/"),
                AccessDeniedPath = new PathString("/Account/AccessDenied/"),
                AutomaticAuthenticate = false, // this will be handled by the authorisation policy
                AutomaticChallenge = false // this will be handled by the authorisation policy
            });

On Controller:

        [Authorize("CookiePolicy")] // will check policy with the required authentication scheme (cookie in this case)
        public IActionResult AuthorisedPageCookie()
        {
            return View();
        }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.