
Upgrading Scott Wildermuth's World Trip app to ASP.NET Core 2.0. The code below is not working.

Since I am using two authentication types and I would like both to work on the api controllers, I decided to use an Authorization policy.

    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        // Some code here
        services.AddAuthentication()
                .AddCookie()
                .AddJwtBearer(/* Implementation is fine */);

        services.AddAuthorization(options =>
        {
            options.AddPolicy("Authenticated", policy =>
            {
                policy.AddAuthenticationSchemes(
                          CookieAuthenticationDefaults.AuthenticationScheme,
                          JwtBearerDefaults.AuthenticationScheme)
                      .RequireAuthenticatedUser();
            });
        });
    }

Now in my controllers,

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;

    namespace TheWorld.Controllers.Api
    {
        [Route("api/trips")]
        [Authorize(policy: "Authenticated")]
        public class TripsController : Controller
        {
            // Implementation is fine
        }
    }

Requests coming from the (web) client with cookie authentication are never seen as authenticated, while requests from JWT-authenticated clients work as expected.

It only works with cookie authentication if I use the plain [Authorize] on the controller, in which case ASP.NET Core just chooses the default cookie authentication and never accepts requests from JWT clients.

1 Answer

policy.AddAuthenticationSchemes(scheme1, scheme2) 

This means that in order for the policy authentication to be successful, both specified authentication schemes must succeed.

Your two authentication schemes are likely set up so that when the JWT authentication succeeds, it would automatically succeed the cookie authentication (to set the cookie in that case, so on further requests the JWT token is no longer necessary but the cookie is enough). So when the JWT authentication is successful, the cookie authentication is also successful. However, the reverse is not true: If you’re only using the cookie to establish the authentication, then the JWT token may not be there at all.

If you do not care about which authentication scheme provided the authentication, you should just remove the AddAuthenticationSchemes call. By saying policy.RequireAuthenticatedUser() you are basically saying that there needs to be some authentication scheme that successfully authenticated the user.

This is, by the way, the exact same behavior the default policy (with just [Authorize]) has.


3 Comments

Thanks @poke. I already tried what you mentioned and what happened in that case was that CookieAuthentication was chosen as default and JwtBearer was never used. Thanks.
Thanks @poke. I finally found out that the problem was from AspNetCore.Identity. The default AuthenticationScheme that came with it used the scheme name "Identity.Application". So, the application worked after I changed CookieAuthenticationDefaults.AuthenticationScheme to "Identity.Application" with or without a call to .AddCookie on the services.AddAuthentication.
Thanks @MubarakImam, it worked for me for both schemes:

    [Authorize(AuthenticationSchemes = "Identity.Application" + "," + JwtBearerDefaults.AuthenticationScheme)]
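The configuration the comments arrive at, written out as an added example (not the asker's or the World Trip app's code): the policy names the Identity cookie scheme by its constant, IdentityConstants.ApplicationScheme (value "Identity.Application"), alongside the JWT bearer scheme. It assumes ASP.NET Core Identity is already registered with AddIdentity elsewhere in Startup; the issuer, audience and signing key are placeholders.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public partial class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed: services.AddIdentity<...>() is called elsewhere in this method.
        // Identity registers its own cookie handler under IdentityConstants.ApplicationScheme
        // ("Identity.Application"), so no separate AddCookie() is needed for it.
        services.AddAuthentication()
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidIssuer = "placeholder-issuer",
                        ValidAudience = "placeholder-audience",
                        // Placeholder key: load the real one from configuration or a secret store.
                        IssuerSigningKey = new SymmetricSecurityKey(
                            Encoding.UTF8.GetBytes("placeholder-signing-key-of-32-bytes!!"))
                    };
                });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("Authenticated", policy =>
            {
                // Both schemes are tried for requests guarded by this policy.
                policy.AddAuthenticationSchemes(
                          IdentityConstants.ApplicationScheme,     // "Identity.Application"
                          JwtBearerDefaults.AuthenticationScheme)  // "Bearer"
                      .RequireAuthenticatedUser();
            });
        });

        services.AddMvc();
    }
}

[Route("api/trips")]
[Authorize(Policy = "Authenticated")]
public class TripsController : Controller
{
    // Returns the scheme that produced the identity, useful to confirm which path authenticated the call.
    [HttpGet]
    public IActionResult Get() => Ok(User.Identity.AuthenticationType);
}
```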
