Can you combine multiple authentication schemes? Cookie & Bearer

[ystvan]

Given a Blazor Server App (netcore 3.1) that is protected by the Microsoft Identity Platform utilising Azure AD with a single tenant.

I wish to expose an ApiController listening to HTTP calls so that daemon apps can consume some functionality of the Blazor Server App. HTTP requests would have an Authorization header along with a JWT Bearer token.

My question is: can Blazor serve both consumers? Not only humans with a browser but daemon apps as well? Utilising the Authentication/Authorization functionality provided by the Microsoft.Identity.Web library?

1. Added an Microsoft.AspNetCore.Mvc Controller decorated with [Authorize(AuthenticationSchemes = OpenIdConnectDefaults.AuthenticationScheme)] [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] attribute

Startup.cs has the regular registrations, such as:

services
.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(configuration);

services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(configuration);

var multiSchemePolicy = new AuthorizationPolicyBuilder( CookieAuthenticationDefaults.AuthenticationScheme, JwtBearerDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme) .RequireAuthenticatedUser() .Build();

        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = multiSchemePolicy;
        });

Then it breaks the Microsoft.Identity.Web's functionality (the cookie is not set, user not signed in, after successful login and the redirect from Azure AD the front end gives HTTP ERROR 401)

Many thanks in advance!

[ystvan]

Found out, yes you can combine, but then have to explicitly say which one is the default :)

        // Add authentication with Microsoft identity platform.
        services
            .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(configuration)
            .AddDistributedTokenCaches();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(configuration);

        // Have to add the default explicitly since we are using multiple schemas
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        });

[jmprieur]

In the code above, you've set the default twice:
.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

and then

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)

The last wins,

If you don't want to set the default, just write
services.AddAuthentication()