Using multiple authentication providers in C# .net core

Question

We had .net core API already authenticating with AzureAd and then a new requirement came to authenticate the same API using Auth0 as well while keeping existing users access with AzureAd. without any selection of the authentication schema API should be able to authentication using Authorize token in HTTP header token can be either Auth0 or AzureAD.

I found several helpful articles managed to build my solution using them, I thought it better to write the final solution in one place so it might help others who come across the same requirement.

The Following applies in Startup.cs (in ConfigureServices method)

Adding multiple authentication schemes

We need to have one JWT bearer authentication registered as the default authentication scheme. Second one registered with a unique name.

{
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Audience = "dgdf7g6967-97fdgd";
            options.Authority = "https://login.microsoftonline.com/myazure.abc.com";
        })
        .AddJwtBearer("Auth0", options =>
        {
            options.Audience = "myweb.abc.com";
            options.Authority = "https://my.auth0.com";
        });
}

Then we need to update the default authorization policy to accept both authentication schemes.

services.AddAuthorization(options =>
            {
                var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme, "Auth0");
                defaultAuthorizationPolicyBuilder =
                defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });

Once that's done you need to AddIdentities for both schemas. I've created separate middleware to handle this

MultipleSchemaAuthenticationMiddleware.cs

public async Task InvokeAsync(HttpContext context)
        {
            var principal = new ClaimsPrincipal();

            var resultAzureAD = await context.AuthenticateAsync();
            if (resultAzureAD?.Principal != null)
            {
                principal.AddIdentities(resultAzureAD.Principal.Identities);
            }
           
            var resultAuth0 = await context.AuthenticateAsync(AppHelper.Settings.Auth0.SchemaName);
            if (resultAuth0?.Principal != null)
            {
                principal.AddIdentities(resultAuth0.Principal.Identities);
            }

            context.User = principal;

            await _next(context);
        }

and register the middleware in Startup.cs (in Configure method)

app.UseMiddleware<MultipleSchemaAuthenticationMiddleware>();

Answer 1

In my opinion you don't need MultipleSchemaAuthenticationMiddleware. When you use AuthorizeAttribute on a controller/endpoint, behind the scenes, inside the AuthorizationMiddleware implementation, we can find logic that merges the user principal for every schema which we are authenticated (it is run inside PolicyEvaluator) and assign it to the `Users property.

I tested it on .NET 6 and it worked without custom middleware.

AuthorizationMiddleware implementation: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs

PolicyEvaluator implementation: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authorization/Policy/src/PolicyEvaluator.cs

SecurityHelper implementation: https://github.com/dotnet/aspnetcore/blob/main/src/Shared/SecurityHelper/SecurityHelper.cs

As we can see in AuthorizationMiddleware at line 74 there is AuthenticateAsync execution on PolicyEvaluator. Next inside PolicyEvaluator we iterate for each schema defined in policy and execute AuthenticateAsync on our HttpContext. As a result with help of SecurityHelper.MergeUserPrincipal method our user will be filled with Identities without MultipleSchemaAuthenticationMiddleware.