aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

JwtBearerHandler does not correctly use Scheme used when adding JwtAuthentication #1855

Closed quintonn closed 6 years ago

quintonn commented 6 years ago

When adding JwtAuthentication inside the Startup.cs class like this:

```csharp
services.AddAuthentication().AddJwtBearer("NewBearer", options =>
```

the class JwtBearerHandler does not correctly use the provided scheme to find the token when authenticating an access token.

The code seems to have hard-coded "Bearer". See line 73 of JwtBearerHandler.cs

```csharp
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
    token = authorization.Substring("Bearer ".Length).Trim();
}
```

I think "Bearer" should be replaced by Scheme.

Tratcher commented 6 years ago

No, this behavior is intentional. The "NewBearer" is used as an internal identifier of the authentication handler; this is independent of the header value. You can use JwtBearerEvents.OnMessageReceived and OnChallenge to override the header value.

quintonn commented 6 years ago

Ok, it seems somewhat confusing. What I was trying to achieve when I discovered this was to have 2 separate token endpoints on the same web server instance which use different signing keys. But only the first one is registered and used. Is there a way to achieve something like this?

Tratcher commented 6 years ago

Are they used on different routes/controllers? If so you can specify their auth scheme in the Authorize attribute.
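The setup the two replies above describe, written out as an added example (not code from the aspnet/Security project): two JwtBearer schemes with different signing keys, the second one reading its own header prefix through OnMessageReceived, and a controller bound to that scheme via the Authorize attribute. It targets the ASP.NET Core 2.x JwtBearer API discussed in this issue; the issuers, audiences and signing keys are constructed placeholders.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public class Startup
{
    // Constructed placeholder keys (HS256 needs at least 16 bytes); load real keys from configuration.
    static readonly SymmetricSecurityKey ApiKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("PLACEHOLDER-api-signing-key-0123456789"));
    static readonly SymmetricSecurityKey PartnerKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("PLACEHOLDER-partner-signing-key-0123456789"));
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            // Scheme "Bearer": reads "Authorization: Bearer <token>" and validates it against ApiKey.
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, o =>
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = "https://api.example.test", ValidAudience = "api", IssuerSigningKey = ApiKey
                })
            // Scheme "NewBearer": the name is only the handler's identifier. The header prefix stays
            // "Bearer" unless OnMessageReceived hands the handler a token itself, as done here.
            .AddJwtBearer("NewBearer", o =>
            {
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = "https://partner.example.test", ValidAudience = "partner", IssuerSigningKey = PartnerKey
                };
                o.Events = new JwtBearerEvents
                {
                    OnMessageReceived = ctx =>
                    {
                        string header = ctx.Request.Headers["Authorization"].ToString();
                        if (header.StartsWith("NewBearer ", StringComparison.OrdinalIgnoreCase))
                            ctx.Token = header.Substring("NewBearer ".Length).Trim();
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddMvc();
    }
}
// Each route names its scheme, so its tokens are checked only against that scheme's key.
[Authorize(AuthenticationSchemes = "NewBearer"), Route("partner")]
public class PartnerController : Controller { [HttpGet] public IActionResult Get() => Ok(User.Identity.Name); }
```

A request carrying "Authorization: NewBearer <token>" is accepted on /partner only if the token verifies under PartnerKey, while a token signed with ApiKey is rejected there even though both handlers are registered in the same pipeline.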