.NET Core Multiple Authentication Schemes with OAuth

  • Question

  • User205042623 posted

    I am writing an ASP.NET Core Web App which has 2 authentication schemes. One is a simple cookie based scheme, the other uses OAuth. The OAuth authentication scheme is only used to log onto a government web site and make api calls. The app has a database and when I save records I want to save the CreatedBy and ModifiedBy using the username from the Cookie authentication scheme.

    When I log in using the Cookie authentication, the User.Identity and User.Identities are set as expected with the identity of the cookie authentication. However if I then access a page which requires authentication by the OAuth authentication scheme, then I can no longer get the username from the cookie based authentication. It doesn't appear in User.Identity or User.Identities.

    Authentication is set up as follows:

    services.AddAuthentication(options =>
    {
        // The cookie scheme is the default for authenticate and sign-in;
        // an unauthenticated challenge is sent to the OAuth scheme.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "OAuthTest";
    })
    .AddCookie()
    .AddOAuth("OAuthTest", options =>
    {
        options.ClientId = Configuration["HMRC:ClientId"];
        options.ClientSecret = Configuration["HMRC:ClientSecret"];
        options.CallbackPath = new PathString("/account/auth-redirect");

        options.AuthorizationEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/authorize";
        options.TokenEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/token";
        options.Scope.Add("read:vat");

        // Keep access/refresh tokens in the authentication properties.
        options.SaveTokens = true;

        options.Events = new OAuthEvents
        {
            // Attach an extra identity with a NameIdentifier claim to the OAuth principal.
            OnCreatingTicket = async context =>
            {
                var claims = new List<Claim>
                {
                    new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString())
                };
                var identity = new ClaimsIdentity(claims, "OAuthTest", ClaimTypes.NameIdentifier, null);

                context.Principal.AddIdentity(identity);
            }
        };
    });

    I have added this Authorize attribute to a page which requires the cookie base authentication:

    [Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]

    and this Authorize attribute to the page which requires OAuth authentication:

    [Authorize(AuthenticationSchemes = "OAuthTest")]

    I have pushed a cut down version of the application to github. This just has 2 pages one authorised by each authentication scheme. The SignIn button automatically logs into the Cookie Authentication scheme. Both pages display the data contained in User.Identity and User.Identities.

    https://github.com/rick1c/multiple-auth-scheme/tree/master/MultipleAuthSchemes

    Thursday, May 28, 2020 9:04 AM
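One way to keep both identities, added here as an example and not the poster's or the linked repository's code: give the OAuth handler its own cookie scheme through `options.SignInScheme`, so that completing the OAuth flow writes a second cookie instead of replacing the application's login cookie. The scheme name `HmrcCookie`, the cookie name `hmrc.auth` and the helper `GetAppUserNameAsync` are assumptions.

```csharp
// Added example (not the original poster's code). Scheme name "HmrcCookie" and the
// cookie name "hmrc.auth" are assumptions; the "HMRC:*" keys and endpoints come from the post.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    // Second cookie scheme that holds only the result of the OAuth login.
    public const string HmrcCookie = "HmrcCookie";

    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(options =>
        {
            // The application login cookie stays the default scheme.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()                                              // application login cookie
        .AddCookie(HmrcCookie, o => o.Cookie.Name = "hmrc.auth")  // separate cookie for OAuth
        .AddOAuth("OAuthTest", options =>
        {
            // Key line: the OAuth callback signs in to HmrcCookie, not to the app cookie,
            // so the cookie-based identity (and its username) is no longer overwritten.
            options.SignInScheme = HmrcCookie;
            options.ClientId = configuration["HMRC:ClientId"];
            options.ClientSecret = configuration["HMRC:ClientSecret"];
            options.CallbackPath = new PathString("/account/auth-redirect");
            options.AuthorizationEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/authorize";
            options.TokenEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/token";
            options.Scope.Add("read:vat");
            options.SaveTokens = true;
        });
    }

    // Reads the application-login username explicitly from its own cookie scheme,
    // regardless of which scheme authorised the current page (e.g. for CreatedBy/ModifiedBy).
    public static async Task<string> GetAppUserNameAsync(HttpContext httpContext)
    {
        var result = await httpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return result.Succeeded ? result.Principal.Identity?.Name : null;
    }
}
```

With the two cookies in place, a page marked `[Authorize(AuthenticationSchemes = "Cookies,OAuthTest")]` gets both principals merged into `User.Identities`, while `GetAppUserNameAsync` works on any page.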

All replies

  • User283571144 posted

    Hi rick1c,

    As far as I know, if the user accesses a page which requires authentication by the OAuth authentication scheme, it will set the user claims from OAuth, not the cookie auth scheme. This is the reason why you couldn't get the username from the cookie-based authentication. They have been reset.

    Best Regards,

    Brando

    Friday, May 29, 2020 7:22 AM
  • User205042623 posted

    Hi Brando

    Thanks for the response.

    I just assumed that the Identities collection would contain all of the logged-in Identities. If you subsequently access a page that requires the cookie authentication, the Identity and Identities remain with the OAuth authentication.

    I need to come up with another way of storing the user name from the cookie authentication.

    Surely this is not unusual.  I also want to display the logged in user name on the page, but at the moment it is lost.

    Anybody any ideas on best practice?

    Regards

    Richard

    Saturday, May 30, 2020 8:42 AM
  • User283571144 posted

    Hi rick1c,

    In my opinion, you could use a cookie to store the OAuth user name and the cookie auth user name. Then you could get the last logged-on cookie auth username or OAuth username.

    Best Regards,

    Brando

    Monday, June 1, 2020 7:12 AM