0

Is it possible to use two OpenIdConnect providers in the same application? I need to have logins for two distinct groups, the first being employees who have valid Azure AD accounts, and the second customers, who do not have Azure AD accounts. I know the endpoints to use, and have worked on applications that contain this functionality using .NET Core but I am unable to successfully implement this in .NET 4.7.2

In my start.auth.cs file I have been trying to add the providers like this

app.UseOpenIdConnectAuthentication(CustomerOptions()); app.UseOpenIdConnectAuthentication(EmployeeOptions()); private static OpenIdConnectAuthenticationOptions EmployeeOptions() => new OpenIdConnectAuthenticationOptions { ClientId = ClientId, Authority = authority, RedirectUri = RedirectUri, ClientSecret = ClientSecret, PostLogoutRedirectUri = RedirectUri, Scope = OpenIdConnectScope.OpenIdProfile, // ResponseType is set to request the id_token - which contains basic information about the signed-in user ResponseType = OpenIdConnectResponseType.CodeIdToken, // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter TokenValidationParameters = new TokenValidationParameters() { ValidateIssuer = false // This is a simplification }, // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method Notifications = new OpenIdConnectAuthenticationNotifications { AuthenticationFailed = OnAuthenticationFailed, SecurityTokenValidated = OnAdSecurityTokenValidated } };

Where the ...Options methods have the OpenIdConnectAuthenticationOptions specific to each endpoint. If I use just one of the methods I can authenticate into the application, but when I try adding both the authentication will only use the client added last.

The code that calls the methods is: 1. calls the Azure AD provider

 HttpContext.GetOwinContext().Authentication.Challenge( new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);

  1. calls the customer provider

     var properties = new AuthenticationProperties { RedirectUri = "/" }; var scheme = "schemeName"; HttpContext.GetOwinContext().Authentication.Challenge(properties, scheme);

How do I get the appropriate authentication provider called?

Thanks

Improve this question
2
  • 1
    Have you set OpenIdConnectAuthenticationOptions.AuthenticationType? Commented Apr 20, 2020 at 10:01
  • @Kahbazi - yup, that was it. If you want to add that as an answer I'll mark it answered so you can collect the bounty Commented Apr 20, 2020 at 13:57

2 Answers 2

Reset to default
2
+50

You need to set different scheme for each authentication middleware via OpenIdConnectAuthenticationOptions.AuthenticationType property and pass the scheme you want to authenticate in Challenge(...) method.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I had neglected to set the authentication type parameter when I was newing up the OpenIdConnectAuthenticationOptions, so I was overwritting the default settings when I added the second authentication provider.

app.UseOpenIdConnectAuthentication(CustomerOptions()); app.UseOpenIdConnectAuthentication(EmployeeOptions()); private static OpenIdConnectAuthenticationOptions EmployeeOptions() => new OpenIdConnectAuthenticationOptions("employeeAuthenticationType") { ClientId = ClientId, Authority = authority, RedirectUri = RedirectUri, ClientSecret = ClientSecret, PostLogoutRedirectUri = RedirectUri, Scope = OpenIdConnectScope.OpenIdProfile, // ResponseType is set to request the id_token - which contains basic information about the signed-in user ResponseType = OpenIdConnectResponseType.CodeIdToken, // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter TokenValidationParameters = new TokenValidationParameters() { ValidateIssuer = false // This is a simplification }, // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method Notifications = new OpenIdConnectAuthenticationNotifications { AuthenticationFailed = OnAuthenticationFailed, SecurityTokenValidated = OnAdSecurityTokenValidated } };
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.