Support both IdentityServer and another key-based bearer token

IdentityServer authentication is the current method, which needs to stay supported.
Now a new JWT bearer token needs to be supported as well (validated with a secret key).

It seems possible to have the two token styles active at the same time.

But I am unsure of when the authentication checks run, and whether both always run. Does the order matter? What happens if one of them fails?

While debugging the new token, the first block (IdentityServer authentication) was commented out.

// Existing IdentityServer access-token validation (must stay supported)
appBuilder.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = ...,
    RequiredScopes = ...,
    ValidationMode = ValidationMode.Both,
    AutomaticRefreshInterval = ...,
    ValidationResultCacheDuration = ...,
    RequireHttps = ...
});

// New JWT bearer token, validated with a shared secret key
appBuilder.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    //AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,  // ???
    AuthenticationMode = AuthenticationMode.Passive, // what is best???
    AllowedAudiences = new[] { audience },
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(secret),
        //ValidAudience = audience,
        //ValidIssuer = issuer
    }
});

The current obstacle is that we look for a ClaimsPrincipal, so can someone suggest where to create and add the ClaimsPrincipal?

For information:
Our authorization check is implemented with an AuthorizationFilterAttribute; see the code below.

We only see a default WindowsPrincipal containing one WindowsIdentity of the Anonymous kind.

public override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
{
    if (!(actionContext.RequestContext.Principal is ClaimsPrincipal principal) || !principal.Identity.IsAuthenticated)
    {
        // We exit here with an Unauthorized, since the above principal is not of type ClaimsPrincipal
        // (or is not authenticated): setting a response short-circuits the pipeline with a 401.
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        return Task.FromResult(true);
    }

    return Task.FromResult(true);
}

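As an added example (not the poster's code and not an answer posted in this thread), the following shows how the two Katana bearer middlewares can be registered side by side in Active mode, each under its own authentication type, together with an authorization filter that reads the resulting ClaimsPrincipal and rejects requests that no middleware authenticated. It assumes OWIN/Katana with Microsoft.Owin.Security.Jwt 4.x and IdentityServer3.AccessTokenValidation; the authority, scope, issuer, audience and secret values are constructed placeholders, and the authentication-type names "IdentityServerBearer" and "SecretKeyBearer" are arbitrary choices.

```csharp
// Added example: two bearer middlewares in Active mode plus a filter that inspects the principal.
// Assumes OWIN/Katana, Microsoft.Owin.Security.Jwt 4.x and IdentityServer3.AccessTokenValidation.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using IdentityServer3.AccessTokenValidation;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();

        // Constructed placeholders; substitute the real settings.
        const string issuer = "https://issuer.example/";
        const string audience = "my-api";
        byte[] secret = Encoding.UTF8.GetBytes("REPLACE_WITH_A_RANDOM_SECRET_OF_AT_LEAST_32_BYTES");

        // 1. IdentityServer access tokens. Active mode: the middleware runs on every request and,
        //    when the token validates, attaches a ClaimsIdentity to OwinContext.Request.User,
        //    which the Web API host exposes as RequestContext.Principal.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://identityserver.example/",   // placeholder
            RequiredScopes = new[] { "api1" },                // placeholder
            ValidationMode = ValidationMode.Both,
            AuthenticationType = "IdentityServerBearer",      // distinct name so the filter can tell schemes apart
            AuthenticationMode = AuthenticationMode.Active
        });

        // 2. Locally signed JWTs, also Active. A token that fails validation here does not
        //    reject the request by itself: the middleware attaches no identity and the
        //    pipeline continues, so the authorization filter is where the request is stopped.
        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationType = "SecretKeyBearer",
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateAudience = true,          // with audience checks off, a token minted for a
                ValidAudience = audience,         // different API would be accepted by this one
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(secret),
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1)
            }
        });

        config.Filters.Add(new RequireAuthenticatedClaimsPrincipalAttribute());
        app.UseWebApi(config);
    }
}

// Rejects the request unless one of the bearer middlewares produced an authenticated ClaimsIdentity.
public class RequireAuthenticatedClaimsPrincipalAttribute : AuthorizationFilterAttribute
{
    public override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // Look at every identity: if both middlewares accepted the request the principal
        // carries two identities, and an unauthenticated one must never count.
        ClaimsIdentity identity = principal?.Identities.FirstOrDefault(i => i.IsAuthenticated);
        if (identity == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return Task.FromResult(0);
        }

        // identity.AuthenticationType is "IdentityServerBearer" or "SecretKeyBearer", so an
        // endpoint that must only be reached through one scheme can be restricted here.
        return Task.FromResult(0);
    }
}
```

In Passive mode a Katana middleware only authenticates when something explicitly asks for its authentication type (Web API's HostAuthenticationFilter does that), so with Passive and no such filter the request reaches the authorization filter carrying only the host's default principal, which matches the anonymous WindowsPrincipal described above. Giving each middleware its own AuthenticationType keeps the two schemes distinguishable in the filter and in logs.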