[Feature Request] Support authentication scheme in all scenarios

[jmprieur]

Which version of Microsoft Identity Web are you using?
4.16.0

Repro

Customers need to be able to implement apps which sign-in users with AAD and B2C, or which are web apps and web APIs. Today, the authentication scheme are supposed to help for this, but they are not taken into account everywhere.

See:

• [Documentation] Explain how to sign-in users in a Web App with multiple IdPs (Azure AD, Azure ADB2C, and OAuth 2.0 providers) #173
• Sample documentation on how to authenticate with Azure AD AND Azure B2C in one application .net core 3.x #549
• [Bug] 'Scheme already exists: Bearer' when trying to setup both AAD and AAD B2C auth #429
• Single middleware with custom Bearer scheme makes the API request to fail with 401 #958
• Add multiple AAD authentication options using AddMicrosoftIdentityWebAppAuthentication not possible #971
• [Bug] ValidateIssuer does not work on WebApp and WebApi mix #1126
• [Bug] Redirected to AccessDenied page after successful login #1127
• https://developercommunity2.visualstudio.com/t/I-would-like-to-set-the-AddMicrosoftIden/1339302

This issue might be related:

• [Bug] Single signout invoked from B2C does not reset cookies of MVC apps #1164

Expected behavior
A fully functional sample of an AAD + B2C web app which also contains web APIS.

Actual behavior
See the referenced issues for repro steps

Possible solution
See investigation in branch https://github.com/AzureAD/microsoft-identity-web/tree/jmprieur/multipleSchemeInvestigation

[jennyf19]

@jmprieur we need to test the confidential client options, i had issues w/the unit tests and had to add Instance and clientSecret. just adding this as a reminder.

[jennyf19]

TODO:

• Create a wiki page
  • Write up UI sign-out
• We know PostConfigure() doesn't work
• Check that the regular scenarios still work
• Run a -preview build
• Override the auth scheme for the GraphServiceClient? (see [comment below] ([Feature Request] Support authentication scheme in all scenarios #955 (comment))) doesn't seem to be an issue

[jmprieur]

For Microsoft Graph, I wonder if we need to add a method so that controller actions which are called for a specific auth scheme can pass it, in to the Graph SDK, like we do here to override the scopes

microsoft-identity-web/tests/WebAppCallsMicrosoftGraph/Pages/AllUsers.cshtml.cs

Line 30 in b93c676

.WithScopes("User.Read.All")

or the app-only characteristics:

microsoft-identity-web/tests/WebAppCallsMicrosoftGraph/Pages/AllApps.cshtml.cs

Line 32 in b93c676

.WithAppOnly()

BaseRequestExtensions.WithAuthenticationScheme<T>(this T baseRequest, string authenticationScheme)

This would have an impact in the Microsoft.Identity.Web.MicrosoftGraph assembly on:

• TokenAcquisitionAuthenticationProviderOption (new AuthenticationScheme property)
• TokenAcquisitionAuthenticationProvider adding an authenticationScheme member, and passing it through to the token acquisition methods (which now have it as a parameter)

[jennyf19]

Included in 1.11.0 release and documentation here.