IdentityModel / IdentityModel.AspNetCore.OAuth2Introspection

ASP.NET Core authentication handler for OAuth 2.0 token introspection
Apache License 2.0

Validating tokens against multiple /introspect endpoints #145

Closed DigitalFlow closed 3 years ago

DigitalFlow commented 3 years ago

Hi there,

thanks for providing this library, it's working great for us.

In a recent project however, our web app is supposed to accept jwt from multiple identity providers, all of which should be validated via introspection.

Just issuing multiple calls to `AddOAuth2Introspection` does not seem to work, as we get the error message `An unhandled exception of type 'System.InvalidOperationException' occurred in System.Private.CoreLib.dll: 'Scheme already exists: Bearer'`

```csharp
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddOAuth2Introspection(options =>
    {
        options.Authority = "auth1";
        options.ClientId = "clientid1";

        options.SkipTokensWithDots = false;
        options.SaveToken = true;
    })
    // second unnamed registration targets the same default scheme ("Bearer")
    .AddOAuth2Introspection(options =>
    {
        options.Authority = "auth2";
        options.ClientId = "clientid2";

        options.SkipTokensWithDots = false;
        options.SaveToken = true;
    });
```

How would you go about implementing multiple introspection endpoints?

Kind regards, Florian

DigitalFlow commented 3 years ago

Solved it myself.

Needs to look like this:

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

// Each handler is registered under its own scheme name (first argument);
// without it both calls register "Bearer" and the second one throws
// "Scheme already exists".
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddOAuth2Introspection("auth1", options =>
    {
        options.Authority = "auth1";
        options.ClientId = "clientid1";

        options.SkipTokensWithDots = false;
        options.SaveToken = true;
    })
    .AddOAuth2Introspection("auth2", options =>
    {
        options.Authority = "auth2";
        options.ClientId = "clientid2";

        options.SkipTokensWithDots = false;
        options.SaveToken = true;
    });

// The default policy names both schemes, so a token that either
// introspection endpoint reports as active authenticates the request.
services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .AddAuthenticationSchemes("auth1", "auth2")
        .Build();
});
```

Beware that all Authorize attributes on the controllers should be edited to not be [Authorize("Bearer")] but just [Authorize()].
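As an added example (not code from the issue or from the library itself), the same fix in a minimal-hosting `Program.cs`: two named introspection schemes with client secrets read from configuration, the either-provider default policy, and narrower per-provider policies for endpoints that must trust a single issuer. The `Auth1:*`/`Auth2:*` configuration keys, the policy names and the endpoint paths are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Each introspection handler gets its own scheme name; a second unnamed
// registration would reuse the default "Bearer" scheme and throw.
// "Auth1:*" / "Auth2:*" are assumed configuration keys so secrets stay out of source.
builder.Services.AddAuthentication("auth1")
    .AddOAuth2Introspection("auth1", options =>
    {
        options.Authority = builder.Configuration["Auth1:Authority"];
        options.ClientId = builder.Configuration["Auth1:ClientId"];
        options.ClientSecret = builder.Configuration["Auth1:ClientSecret"];
        options.SkipTokensWithDots = false;   // introspect JWTs too, not only reference tokens
        options.SaveToken = true;
    })
    .AddOAuth2Introspection("auth2", options =>
    {
        options.Authority = builder.Configuration["Auth2:Authority"];
        options.ClientId = builder.Configuration["Auth2:ClientId"];
        options.ClientSecret = builder.Configuration["Auth2:ClientSecret"];
        options.SkipTokensWithDots = false;
        options.SaveToken = true;
    });

builder.Services.AddAuthorization(options =>
{
    // Default policy: a token that either provider reports as active is accepted.
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .AddAuthenticationSchemes("auth1", "auth2")
        .RequireAuthenticatedUser()
        .Build();

    // Narrower policies (assumed names) for endpoints that must trust one provider only.
    options.AddPolicy("Auth1Only", p => p.AddAuthenticationSchemes("auth1").RequireAuthenticatedUser());
    options.AddPolicy("Auth2Only", p => p.AddAuthenticationSchemes("auth2").RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Plain RequireAuthorization() uses DefaultPolicy, the equivalent of [Authorize()] rather than [Authorize("Bearer")].
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(user.Identity?.Name)).RequireAuthorization();
app.MapGet("/provider1/report", () => Results.Ok("trusted by auth1 only")).RequireAuthorization("Auth1Only");

app.Run();
```

Note that a policy listing both schemes runs both handlers on every request, so each bearer token is presented to both providers' introspection endpoints; use the single-scheme policies where a token from the other provider must never leave the app.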

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.