Open olejsc opened 1 month ago
Some things I've tried:
.RequireAuthorization(policy => policy.AddAuthenticationSchemes("Multischeme"))
for the app. I've found that this creates other issues. This seems to be related to the part of the issue described here at first glance:
Essentially, whatever is default will make any second scheme not work.
I managed to find a workaround by using this in Program.cs:
app.MapRazorComponents<App>()
    .RequireAuthorization(new AuthorizeAttribute() { AuthenticationSchemes = "externalScheme" })
    .RequireAuthorization(new AuthorizeAttribute() { AuthenticationSchemes = "internalScheme" })
    .AllowAnonymous()
    .AddInteractiveServerRenderMode();
and in service registration for authentication:
services.AddAuthentication(opts =>
{
    opts.DefaultChallengeScheme = "undefined"; // <-- This scheme doesn't actually exist.
    opts.DefaultScheme = "default";            // <-- This scheme doesn't actually exist.
})
// internal & external schemes registered as defined; we don't register "Multischeme"
This is nowhere near what the documentation for multiple schemes states. I'm not even sure this is a good approach on how to do it, or if it has any serious drawbacks. Auth handlers seem to fire for every Blazor request now (blazor.web.js for example), but since we have AllowAnonymous it passes.
Let's use this issue to track updating the docs to clarify the behavior in this area.
In .NET 10, we could consider making the experience better by throwing a descriptive error message for this case.
@MackinnonBuck What exactly would that error message be? Aren't multiple auth schemes intended to be supported?
It turns out this part isn't necessary:
services.AddAuthentication(opts =>
{
    opts.DefaultChallengeScheme = "undefined"; // <-- This scheme doesn't actually exist.
    opts.DefaultScheme = "default";            // <-- This scheme doesn't actually exist.
})
You can just get away with adding an empty authentication configuration + the internal/external schemes and their respective cookies.
services.AddAuthentication()
    .AddOpenIdConnect("external"...)
    .AddCookie("externalcookie"...)
    .AddOpenIdConnect("internal"...)
    .AddCookie("internalCookie"...)
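The configuration sketched in the comments above (empty AddAuthentication(), two OIDC handlers, two cookies) written out as a complete minimal-API Program.cs, as an added example that is not the issue author's code or anything from the aspnetcore repo. It shows the piece the thread is circling around: an authorization policy that lists both cookie schemes via AddAuthenticationSchemes, which makes the authorization middleware authenticate each listed scheme and merge the resulting identities into context.User, so a handler can see the internal claim even while the external cookie is also present. The authorities, client IDs/secrets, the "internal_user_id" claim type and the /auth/choose route are placeholders; the Microsoft.AspNetCore.Authentication.OpenIdConnect package is required.

```csharp
// Added example, not code from the issue: a minimal ASP.NET Core 8 Program.cs with two
// independent sign-in paths (OIDC "InternalScheme"/"ExternalScheme", each persisting to its
// own cookie scheme) and authorization policies that list BOTH cookie schemes, so the
// identities from both cookies are merged into context.User. Authority, client IDs/secrets,
// the claim type and the /auth/choose route are placeholders.
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

const string InternalOidc = "InternalScheme";
const string ExternalOidc = "ExternalScheme";
const string InternalCookie = "InternalCookieScheme";
const string ExternalCookie = "ExternalCookieScheme";
const string InternalUserIdClaimType = "internal_user_id"; // placeholder claim type

var builder = WebApplication.CreateBuilder(args);

// No DefaultScheme / DefaultChallengeScheme: every endpoint names its schemes explicitly.
builder.Services.AddAuthentication()
    .AddCookie(InternalCookie, o => o.LoginPath = "/auth/choose")
    .AddCookie(ExternalCookie, o => o.LoginPath = "/auth/choose")
    .AddOpenIdConnect(InternalOidc, o =>
    {
        o.SignInScheme = InternalCookie;                 // OIDC result is persisted in this cookie
        o.Authority = "https://internal-idp.example";    // placeholder
        o.ClientId = "internal-client";                  // placeholder
        o.ClientSecret = "internal-secret";              // placeholder; read from configuration in practice
        o.CallbackPath = "/signin-internal";
        o.ResponseType = "code";
    })
    .AddOpenIdConnect(ExternalOidc, o =>
    {
        o.SignInScheme = ExternalCookie;
        o.Authority = "https://external-idp.example";    // placeholder
        o.ClientId = "external-client";                  // placeholder
        o.ClientSecret = "external-secret";              // placeholder
        o.CallbackPath = "/signin-external";
        o.ResponseType = "code";
    });

builder.Services.AddAuthorization(o =>
{
    // Listing schemes on the policy makes the authorization middleware authenticate
    // each one and merge their identities into the principal the handlers see.
    o.AddPolicy("AnySignedIn", p => p
        .AddAuthenticationSchemes(InternalCookie, ExternalCookie)
        .RequireAuthenticatedUser());
    o.AddPolicy("InternalUser", p => p
        .AddAuthenticationSchemes(InternalCookie, ExternalCookie)
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ctx.User.FindFirst(InternalUserIdClaimType) is not null));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Explicit challenge per provider; each one triggers only its own OIDC handler.
app.MapGet("/auth/internal/signin", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/whoami" }, new[] { InternalOidc }));
app.MapGet("/auth/external/signin", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/whoami" }, new[] { ExternalOidc }));

// Sign-out clears only the named cookie; the other session stays intact.
app.MapGet("/auth/internal/signout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" }, new[] { InternalCookie }));
app.MapGet("/auth/external/signout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" }, new[] { ExternalCookie }));

// Placeholder landing page used as LoginPath for both cookies.
app.MapGet("/auth/choose", () => Results.Text(
    "Sign in via /auth/internal/signin or /auth/external/signin"));

// Diagnostic: lists every identity the policy merged into context.User.
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identities.Select(i => new
{
    i.AuthenticationType,
    i.IsAuthenticated,
    Claims = i.Claims.Select(c => $"{c.Type}={c.Value}").ToArray(),
})).RequireAuthorization("AnySignedIn");

app.MapGet("/internal-only", () => "internal user ok").RequireAuthorization("InternalUser");

app.Run();
```

Sign in through both /auth/internal/signin and /auth/external/signin, then call /whoami: it should list two identities, one per cookie. The same scheme list can be given on a controller with [Authorize(AuthenticationSchemes = "InternalCookieScheme,ExternalCookieScheme")]. Two things to check in a real app: a policy with a scheme list uses only those schemes, never the default, so anything that still relies on DefaultScheme must name its scheme; and when such a policy fails, the middleware challenges every listed scheme in turn, so with two cookie schemes the second LoginPath redirect overwrites the first, which is why both cookies here point at one chooser route instead of at their own OIDC sign-in endpoint.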
Is there an existing issue for this?
Describe the bug
The application I work with utilizes two separate authentication schemes:
Regarding routing, this is the general structure:
...RequireClaim(ctx => ctx.FindFirst(InternalUserIdClaimType) is not null)
[AllowAnonymous]
I've followed the instructions here for configuring multiple policy schemes: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/policyschemes?view=aspnetcore-8.0
My configuration looks something like this:
Configuration
Authentication:
Authorization:
In summary, I have one combined scheme ("Multischeme") that wraps around "InternalScheme" and "ExternalScheme", which respectively connect to "InternalCookieScheme" and "ExternalCookieScheme".
Endpoints
In addition, I have two controller endpoints for each specific scheme:
/auth/internal/signout
Main configuration (program.cs):
Controllers are added
Routes.Razor:
Has AuthorizeRouteView
App.Razor:
As long as "ExternalScheme" is the default scheme, I can sign in / sign out with the external OIDC provider and authorize just fine with it. However, I can't authorize with the internal user. I manage to sign in with it, the cookie gets set with values, but under
...context.User.Identities
there is no user with those claims available in authorization. I'd appreciate any help with this. I'm stumped! 😣
Expected Behavior
The claims from both schemes should be available when signing in. Auth handlers should be able to find the claims for both signed-in schemes when executing authorization handlers & requirements. Only the default identity provided by the default scheme seems to be available when doing authorization (both in authorization handlers, but also in controllers!)
Steps To Reproduce
Unfortunately I'm not at liberty to expose the external providers used. I hope the code I've provided will be sufficient to reproduce the issue.
Exceptions (if any)
None.
.NET Version
8.0.303
Anything else?
Another person on Stack Overflow seems to have a similar issue (unresolved). He only used a single OIDC provider, but seemed to want another cookie. https://stackoverflow.com/questions/78533634/asp-net-core-blazor-multiple-authentication-schemes-oidc-custom-cookies
dotnet info output: