[Bug] 'Scheme already exists: Bearer' when trying to setup both AAD and AAD B2C auth #429
Comments
|
@AzureAD/azure-ad-app-content-authors You added twice the same authentication scheme. You'd need to use a different name for the services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftWebApi(this.Configuration, "AzureAd")
.AddMicrosoftWebApi(this.Configuration, "AzureAdB2C", "jwtBearerScheme2")BTW, the default one will be "Bearer" (JwtBearerDefaults.AuthenticationScheme). |
|
@jmprieur Got it, that makes sense! I am seeing a new error now: |
|
One thought that just occurred to me is if it's even possible to support passing different EDIT: This documentation section suggests it should be possible, but unclear how to set it up using Microsoft Identity Web. |
|
The IDX10501 was thrown when the issuer signing key was found but didn't match the token. I think all the keys were retrieved from IDP but the wrong one is used to validate the token. @GeoK @mafurman @brentschmaltz If necessary, you can use an overload of .AddMicrosoftWebApi(
jwtBearerOptions =>
{
Configuration.Bind("AzureAd", jwtBearerOptions);
jwtBearerOptions.TokenValidationParameters.IssuerSigningKeyValidator = ;// custom code
},
microsoftIdentityOptions =>
{
Configuration.Bind("AzureAd", microsoftIdentityOptions);
}) |
|
Strangely enough I get a different error when I switch the order of services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftWebApi(this.Configuration, "AzureAdB2C")
.AddMicrosoftWebApi(this.Configuration, "AzureAd", "jwtBearerScheme2")It appears that the Instance configuration is overridden with the second call to appsettings.json: {
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "mytenant.onmicrosoft.com",
"ClientId": "<UUID>",
"TenantId": "<UUID>"
},
"AzureAdB2C": {
"Instance": "https://mytenant.b2clogin.com",
"Domain": "mytenant.onmicrosoft.com",
"ClientId": "<UUID>",
"SignUpSignInPolicyId": "B2C_1_SignIn"
}
} |
|
The doco @pheuter refers to (Use multiple authentication schemes) uses 2 stage process: Step 1: Step 2:
When using |
|
@tymtam2 The second stage is separate from the first in the same way Authorization is separate from Authentication in ASP.NET. The problems I'm describing all occur in the first stage when attempting to authenticate Bearer tokens created by two different issuers: AAD and AAD B2C. You can see in your first code snippet that the docs show how to specify two different authorities. The issue I'm seeing with this library is that |
|
@pheuter: do you have repro steps so that we can debug? a repro project? |
|
@jmprieur I just created this repo: https://github.com/pheuter/IdentityWebRepro You'll need to fill in your own AAD and AAD B2C configuration in appsettings.json. Once you do, you'll notice that when you try to hit the authorized EDIT: Specifically, this error I shared above: |
|
I wonder if it's related to this section of code within the
Which seems to apply a configuration to the services. Executing Looking at the services collection shows only one MicrosoftIdentityOptions configuration. |
|
Thanks everyone for your investigations. @timClyburn, you're right. When we call @Tratcher, I tried using the |
|
It seems like you're set up for a single But then at the consumption point you also need to resolve it by name. |
|
@Tratcher @pmaytak can someone point me in the right direction for completing the contributor licence agreement? I have followed the link and can have the sample pdf. I can't see where or how to submit anything? I have a code change completed and passes the tests for changing this to use IOptionsMonitor and named options but I need to sign the agreement before I can contribute. |
|
@timClyburn I'm not exactly sure but I think if you just try to submit a pull request, the CLA bot will post a link where to sign the CLA. |
jmprieur
added
enhancement
|
@pmaytak : is there more work to do on this one? |
|
@jmprieur Just testing a solution and will write a wiki article. |
|
fixed by customer @timClyburn |
|
Thanks everybody |
|
Included in 0.4.0-preview release |
|
I'm using the version 1.5.1 and there is still a problem with a custom Bearer scheme for a single AzureAD authentication middleware . Here is a repro project: https://github.com/lnaie/azuread-poc. For now I'm using a single AzureAd auth middleware in the API project, but the goal is to get to use 2 of them, as many pointed out here, one with the default Bearer scheme (that works) and one with a custom scheme (that I can't get it to work even with a single middleware). |
|
Included in 1.11.0 release and documentation here. |
Which version of Microsoft Identity Web are you using?
0.2.3-preview
Where is the issue?
I'm trying to make my ASP.NET Core Web API compatible with both AAD tokens issued on behalf of applications as well as AAD B2C tokens issued on behalf of users, but run into errors when trying to configure both entries in my appsettings.json file. If I only initialize
AddMicrosoftWebApionce, then I get issues verifying JWT signature when the token is generated using the identity provider that was left out.Is this a new or an existing app?
c. This is a new app
Repro
Expected behavior
ASP.NET Core app is setup to validate tokens issued from both identity providers.
Actual behavior
Error during startup:
InvalidOperationException: 'Scheme already exists: Bearer'The text was updated successfully, but these errors were encountered: