.NET Core Multiple Authentication Schemes with OAuth RRS feed

  • Question

  • User205042623 posted

    I am writing an ASP.NET Core Web App which has 2 authentication schemes. One is a simple cookie based scheme, the other uses OAuth. The OAuth authentication scheme is only used to log onto a government web site and make api calls. The app has a database and when I save records I want to save the CreatedBy and ModifiedBy using the username from the Cookie authentication scheme.

    When I log in using the Cookie authentication, the User.Identity and User.Identities are set as expected with the identity of the cookie authentication. However if I then access a page which requires authentication by the OAuth authentication scheme, then I can no longer get the username from the cookie based authentication. It doesn't appear in User.Identity or User.Identities.

    Authentication is set up as follows:

               services.AddAuthentication(options =>
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = "OAuthTest";
             .AddOAuth("OAuthTest", options =>
                 options.ClientId = Configuration["HMRC:ClientId"];
                 options.ClientSecret = Configuration["HMRC:ClientSecret"];
                 options.CallbackPath = new PathString("/account/auth-redirect");
                 options.AuthorizationEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/authorize";
                 options.TokenEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/token";
                 options.SaveTokens = true;
                 options.Events = new OAuthEvents
                     OnCreatingTicket = async context =>
                         var claims = new List<Claim>
                                                    new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString())
                         var identity = new ClaimsIdentity(claims, "OAuthTest", ClaimTypes.NameIdentifier, null);

    I have added this Authorize attribute to a page which requires the cookie base authentication:

    [Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]

    and this Authorize attribute to the page which requires OAuth authentication:

    [Authorize(AuthenticationSchemes = "OAuthTest")]

    I have pushed a cut down version of the application to github. This just has 2 pages one authorised by each authentication scheme. The SignIn button automatically logs into the Cookie Authentication scheme. Both pages display the data contained in User.Identity and User.Identities.


    Thursday, May 28, 2020 9:04 AM

All replies

  • User283571144 posted

    Hi rick1c,

    As far as I know, if the user  access a page which requires authentication by the OAuth authentication scheme, it will set the user claim from oauth not cookie auth scheme. This is the reason why you couldn't get the username from the cookie based authentication. They has been reset.  

    Best Regards,


    Friday, May 29, 2020 7:22 AM
  • User205042623 posted

    Hi Brando

    Thanks for the response.

    I just assumed that the Identities collection would contain all of the logged in Identities.  If you subsequently access a page that requires the cookie authentication, the Identity and Identities remains with the OAuth authentication.

    I need to come up with another way of storing the user name from the cookie authentication.

    Surely this is not unusual.  I also want to display the logged in user name on the page, but at the moment it is lost.

    Anybody any ideas on best practice?



    Saturday, May 30, 2020 8:42 AM
  • User283571144 posted

    Hi rick1c,

    In my opinion, you could use cookie to store oauth user name and cookie auth user name. Then you could get the last logon in cookie auth username or oauth username.

    Best Regards,


    Monday, June 1, 2020 7:12 AM