Reputation: 1980
Is there a way to handle JWTs from multiple issuers in a single ASP.NET Core 2.0 application?
Here is how I'm currently checking tokens:
public void ConfigureServices(IServiceCollection services)
{
    TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
    {
        // ...
        ValidateIssuer = true,
        ValidIssuer = options.Issuer, // <-- could this be a list of issuers?
        // ...
    };

    services.AddAuthentication()
        .AddJwtBearer(jwtOptions =>
        {
            jwtOptions.TokenValidationParameters = tokenValidationParameters;
        });

    services.AddAuthorization(authOptions =>
    {
        authOptions.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme).RequireAuthenticatedUser().Build();
    });
}

public void Configure(IApplicationBuilder app)
{
    // ...
    app.UseAuthentication();
}
The reason why I want to handle multiple issuers is because I need to handle different user types with different kinds of permissions. To allow specific users only on some services in a microservice architecture environment, I would like to issue tokens for each user type with a different issuer.
Upvotes: 14
Views: 15583
Reputation: 49
I found this link to be extremely useful.
// Authentication
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Audience = "https://localhost:5000/";
        options.Authority = "https://localhost:5000/identity/";
    })
    .AddJwtBearer("AzureAD", options =>
    {
        options.Audience = "https://localhost:5000/";
        options.Authority = "https://login.microsoftonline.com/eb971100-7f436/";
    });

// Authorization
builder.Services.AddAuthorization(options =>
{
    var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
        JwtBearerDefaults.AuthenticationScheme,
        "AzureAD");
    defaultAuthorizationPolicyBuilder =
        defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
    options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
Upvotes: 2
Reputation: 306
The simple answer would be to set the ValidIssuers property of the TokenValidationParameters instance instead of the ValidIssuer property. The ValidIssuers property takes an IEnumerable, so you can fill a list of issuer names and assign it to that property (or just inline the list).
var issuers = new List<string>()
{
    "issuerA",
    "issuerB"
};

// ...

TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
{
    // ...
    ValidateIssuer = true,
    ValidIssuers = issuers,
    // ...
};
Caveat: This assumes that each issuer shares the same secret (or list of secrets, if you use the corresponding IssuerSigningKeys property instead of the IssuerSigningKey property).
Upvotes: 19
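A combined version of the two approaches above, as an added example that is neither answer's code: it lists every trusted issuer in ValidIssuers and uses the IssuerSigningKeyResolver delegate to look up a separate signing key per issuer, which removes the shared-secret caveat from the accepted answer. The issuer names, the secrets, the audience, and .NET 6+ minimal hosting with the web SDK's implicit usings are assumptions.

```csharp
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;
// Assumed issuer names and per-issuer HMAC secrets. The values are placeholders;
// load real secrets from configuration or a secret store, never hard-code them.
var issuerKeys = new Dictionary<string, SecurityKey>
{
    ["https://issuer-a.example"] = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("REPLACE-WITH-ISSUER-A-SECRET-AT-LEAST-32-BYTES")),
    ["https://issuer-b.example"] = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("REPLACE-WITH-ISSUER-B-SECRET-AT-LEAST-32-BYTES")),
};

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuers = issuerKeys.Keys,         // every issuer this service trusts
            ValidateAudience = true,
            ValidAudience = "https://api.example",  // assumed audience of this service
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Pick the signing key from the token's own "iss" claim, so a token
            // that claims issuer A is only ever verified with A's key. The signature
            // is checked first; "iss" is then compared against ValidIssuers. An
            // unknown issuer yields no key, so its tokens fail validation.
            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                issuerKeys.TryGetValue(securityToken.Issuer, out var key)
                    ? new[] { key }
                    : Array.Empty<SecurityKey>(),
        };
    });
builder.Services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous").RequireAuthorization();
app.Run();
```

With this wiring, the list of issuers alone no longer decides trust: a token must carry an "iss" that is both in ValidIssuers and signed with the key registered for that exact issuer.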