
Single middleware with custom Bearer scheme makes the API request to fail with 401 #958

Closed
lnaie opened this issue Feb 11, 2021 · 7 comments
Labels: bug (Something isn't working), duplicate (This issue or pull request already exists), fixed, multiple auth schemes supported in v.1.10
Milestone: 1.11.0

Comments

lnaie commented Feb 11, 2021

For my work, I'm trying to use this library to set up the second authorisation middleware towards AzureAD. The first one is on Identity Server 4. Both of them use the Bearer authentication scheme.

So I've found this library and have tried to integrate it without success.
Then I decided to make a simple project to study the library behaviour, because documentation is not there for special cases, or if it is, it is quite vague.
I have a repro project with one AzureAD middleware at https://github.com/lnaie/azuread-poc that fails to use a custom Bearer scheme, but it works nicely with the default "Bearer".

I have assumed that if it works with a single custom bearer scheme, then there is a chance that it will work with any other number and combination of schemes.

I'm using version 1.5.1 in the API project.
Better logging would be great. Right now it doesn't say why it failed inside the auth/authz middleware with 401.

This works:

            services.AddMicrosoftIdentityWebApiAuthentication(
                    Configuration,
                    configSectionName: "AzureAd",
                    jwtBearerScheme: "Bearer",
                    subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
                );

But this won't work:

            services.AddMicrosoftIdentityWebApiAuthentication(
                    Configuration,
                    configSectionName: "AzureAd",
                    jwtBearerScheme: "AzureADBearer",
                    subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
                );

Is it supposed to work with just one middleware for a custom Bearer scheme?

jmprieur (Collaborator) commented Feb 11, 2021

@lnaie : you might want to try

 services.AddAuthentication("AzureADBearer")
             .AddMicrosoftIdentityWebApi(
                    Configuration,
                    configSectionName: "AzureAd",
                    jwtBearerScheme: "AzureADBearer",
                    subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
                );

We have a bug in custom schemes: #955, you might want to try out this branch: https://github.com/AzureAD/microsoft-identity-web/tree/jmprieur/multipleSchemeInvestigation, but mind you this is work in progress

@jmprieur jmprieur added bug Something isn't working duplicate This issue or pull request already exists labels Feb 11, 2021

lnaie commented Feb 11, 2021

Ok.
Now that you've mentioned it's work in progress, does it make sense to support a scenario like this?

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    // protect public api with IdentityServer 4/5 or AzureB2C 
    .AddJwtBearer(options =>
    {
        options.Audience = "https://localhost:5000/";
        options.Authority = "https://localhost:5000/identity/";
    })
    // protect management api with AzureAD
    .AddMicrosoftIdentityWebApiAuthentication(
        Configuration,
        configSectionName: "AzureAd",
        jwtBearerScheme: "AzureADBearer"
    );

Because right now it won't work.
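The two-scheme setup asked about above (and the single custom-scheme question from the opening comment), written out as an added example. This is neither lnaie's POC nor Microsoft.Identity.Web's own code. It assumes a Microsoft.Identity.Web release that supports multiple schemes (the thread says this shipped in 1.11.0), an "AzureAd" configuration section with the usual Instance/TenantId/ClientId values, the IdentityServer URLs from the snippet above, and the scheme names "Bearer" and "AzureADBearer"; the policy name "ManagementApi" and the controller names are illustrative. The security-relevant point is in the authorization policies: UseAuthentication only runs the default scheme, so a token for the non-default scheme gets the default handler's 401 challenge unless the policy that protects the endpoint names that scheme explicitly.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // Scheme names are assumptions for this example; "AzureADBearer" is the name used in the thread.
    public const string IdentityServerScheme = JwtBearerDefaults.AuthenticationScheme; // "Bearer"
    public const string AzureAdScheme = "AzureADBearer";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(IdentityServerScheme) // default scheme: only this one runs in UseAuthentication
            // Scheme 1: public API, tokens issued by IdentityServer (URLs taken from the thread, assumed).
            .AddJwtBearer(IdentityServerScheme, options =>
            {
                options.Authority = "https://localhost:5000/identity/";
                options.Audience = "https://localhost:5000/";
                // Issuer and audience are validated per handler: an AzureAD token presented
                // to this handler fails here and is NOT retried against the other scheme.
            })
            // Scheme 2: management API, tokens issued by AzureAD. Uses the AuthenticationBuilder
            // overload (AddMicrosoftIdentityWebApi), not the IServiceCollection one.
            .AddMicrosoftIdentityWebApi(
                Configuration,
                configSectionName: "AzureAd",
                jwtBearerScheme: AzureAdScheme,
                subscribeToJwtBearerMiddlewareDiagnosticsEvents: true);

        services.AddAuthorization(options =>
        {
            // A plain [Authorize] accepts a token from either issuer. If only the default
            // scheme were listed, an AzureAD token would be rejected with the 401 challenge
            // of the "Bearer" handler, which is the symptom described in this issue.
            options.DefaultPolicy = new AuthorizationPolicyBuilder(IdentityServerScheme, AzureAdScheme)
                .RequireAuthenticatedUser()
                .Build();

            // Management endpoints are reachable with an AzureAD token only; an
            // IdentityServer token is never consulted for this policy.
            options.AddPolicy("ManagementApi", policy => policy
                .AddAuthenticationSchemes(AzureAdScheme)
                .RequireAuthenticatedUser());
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // runs the default scheme ("Bearer") only
        app.UseAuthorization();    // runs every scheme named by the matched policy
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Public API: either token is accepted through the default policy.
[ApiController, Route("api/public")]
public class PublicController : ControllerBase
{
    [HttpGet, Authorize]
    public IActionResult Get() => Ok(new { issuer = User.FindFirst("iss")?.Value });
}

// Management API: only the AzureAD scheme is consulted.
[ApiController, Route("api/management")]
public class ManagementController : ControllerBase
{
    [HttpGet, Authorize(Policy = "ManagementApi")]
    public IActionResult Get() => Ok(new { scheme = Startup.AzureAdScheme });
}
```

For the single custom-scheme case from the opening comment, the same shape applies with `services.AddAuthentication(AzureAdScheme)` and only the `AddMicrosoftIdentityWebApi` call: the custom scheme must be the default scheme, or be named in the policy, or nothing ever invokes its handler. List both schemes in a policy only where a token from either issuer is genuinely acceptable for that endpoint; the management policy above is the pattern for endpoints where it is not.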

jmprieur (Collaborator) commented Feb 11, 2021

@lnaie : yes, I think this should be possible.
Did you try with the branch I mentioned?


lnaie commented Feb 11, 2021

I will have a look tomorrow. Thanks


lnaie commented Feb 12, 2021

I have tried and it doesn't work.
I've set breakpoints in JwtBearerMiddlewareDiagnostics.cs. First OnMessageReceivedAsync() gets hit, then it ends up in OnChallengeAsync().
Is Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler involved in this?

There seems to be this issue as well for 3.1.8+: dotnet/aspnetcore#26002


lnaie commented Feb 14, 2021

I have created a POC for 2 auth middlewares (IDS and AzureAD):
https://github.com/lnaie/azuread-poc/tree/multiple-auth-middlewares

@jennyf19 jennyf19 added this to the 1.10.0 milestone May 5, 2021
@jennyf19 jennyf19 added fixed multiple auth schemes supported in v.1.10 labels May 5, 2021
@jennyf19 jennyf19 modified the milestones: 1.10.0, 1.11.0 May 14, 2021
jennyf19 (Collaborator) commented

Included in 1.11.0 release and documentation here.
