AspNetCore.Docs/aspnetcore/security/authorization/limitingidentitybyscheme.md

---
title: Authorize with a specific scheme - ASP.NET Core
author: rick-anderson
description: This article explains how to limit identity to a specific scheme when working with multiple authentication methods.
ms.author: riande
manager: wpickett
ms.date: 10/12/2017
ms.topic: article
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/authorization/limitingidentitybyscheme
---
# Authorize with a specific scheme
In some scenarios, such as Single Page Applications (SPAs), it's common to use multiple authentication methods. For example, the app may use cookie-based authentication to log in and JWT bearer authentication for JavaScript requests. In some cases, the app may have multiple instances of the same kind of authentication handler: for example, two cookie handlers, where one holds the basic identity and the other is issued only after multi-factor authentication (MFA) has been completed. MFA may be triggered because the user requested an operation that requires extra security.
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
An authentication scheme is named when the authentication service is configured at startup, in `ConfigureServices`. For example:
```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Code omitted for brevity

    // Parameterless AddAuthentication(): no default scheme, so a handler runs only
    // when its scheme is named at authorization time.
    services.AddAuthentication()
        // Registered under CookieAuthenticationDefaults.AuthenticationScheme ("Cookies")
        .AddCookie(options => {
            options.LoginPath = "/Account/Unauthorized/";
            options.AccessDeniedPath = "/Account/Forbidden/";
        })
        // Registered under JwtBearerDefaults.AuthenticationScheme ("Bearer")
        .AddJwtBearer(options => {
            options.Audience = "http://localhost:5001/";
            // A plain-HTTP Authority is rejected at startup unless RequireHttpsMetadata
            // is set to false; do that in development only.
            options.Authority = "http://localhost:5000/";
        });
}
```
In the preceding code, two authentication handlers have been added: one for cookies and one for bearer tokens. Because no name was passed to `AddCookie` or `AddJwtBearer`, they are registered under the default scheme names `CookieAuthenticationDefaults.AuthenticationScheme` ("Cookies") and `JwtBearerDefaults.AuthenticationScheme` ("Bearer").

> [!NOTE]
> Passing a default scheme to `AddAuthentication` (for example, `AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)`) makes the authentication middleware run that handler on every request and set `HttpContext.User` to the identity it produces. If that behavior isn't desired, invoke the parameterless form of `AddAuthentication`, as above, so that handlers run only when a scheme is named explicitly.
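
The two-cookie-handler scenario from the introduction (a basic sign-in cookie plus a second, short-lived cookie issued only after MFA), written out for ASP.NET Core 2.x as an added example. This is not code from the original article or from the ASP.NET Core project; the scheme names `Basic` and `Mfa`, the cookie names, the paths and the controller actions are assumptions made for illustration, and the second-factor verification itself is out of scope.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Scheme names are assumptions for this example; any two distinct strings work.
public static class AuthSchemes
{
    public const string Basic = "Basic"; // issued at normal sign-in
    public const string Mfa = "Mfa";     // issued only after a second factor is verified
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Parameterless AddAuthentication(): no default scheme, so HttpContext.User is
        // only populated where an [Authorize] attribute or a policy names a scheme.
        services.AddAuthentication()
            .AddCookie(AuthSchemes.Basic, options =>
            {
                options.Cookie.Name = ".app.session";
                options.LoginPath = "/Account/Login";
            })
            .AddCookie(AuthSchemes.Mfa, options =>
            {
                // Distinct cookie name so the two handlers never read each other's ticket
                // (the default, ".AspNetCore." + scheme name, is already distinct; set explicitly here).
                options.Cookie.Name = ".app.mfa";
                options.LoginPath = "/Account/Mfa";                // where the second factor is collected
                options.ExpireTimeSpan = TimeSpan.FromMinutes(15); // step-up session is short-lived
                options.SlidingExpiration = false;                 // and is not extended by activity
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute(); // {controller}/{action}, so /Account/CompleteMfa resolves
    }
}

public class AccountController : Controller
{
    // Reached once the second factor has been verified (that check is out of scope here).
    // Requires the basic cookie, so an anonymous caller cannot mint an MFA cookie.
    [Authorize(AuthenticationSchemes = AuthSchemes.Basic)]
    public async Task<IActionResult> CompleteMfa()
    {
        // Copy the claims of the basic identity into a new identity for the Mfa scheme.
        var identity = new ClaimsIdentity(User.Claims, AuthSchemes.Mfa);
        identity.AddClaim(new Claim("amr", "mfa")); // record how this identity was established
        await HttpContext.SignInAsync(AuthSchemes.Mfa, new ClaimsPrincipal(identity));
        return RedirectToAction(nameof(ChangePassword));
    }

    // Only the Mfa handler runs here. A caller holding just the basic cookie is not
    // authenticated for this action and is redirected to /Account/Mfa by that handler.
    [Authorize(AuthenticationSchemes = AuthSchemes.Mfa)]
    public IActionResult ChangePassword() => View();
}
```

Signing in to the `Mfa` scheme does not replace the basic session; both cookies travel with later requests, and each action chooses which one counts by naming a scheme. Keeping the MFA cookie short-lived and non-sliding limits how long a captured browser session can perform the protected operation.
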
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
Authentication schemes are named when the authentication middleware is configured at startup, in `Configure`. For example:
```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // Code omitted for brevity

    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        // "Cookies": must match the name used later in [Authorize] and policies
        AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme,
        LoginPath = "/Account/Unauthorized/",
        AccessDeniedPath = "/Account/Forbidden/",
        // false: this middleware authenticates only when its scheme is named explicitly
        AutomaticAuthenticate = false
    });

    app.UseJwtBearerAuthentication(new JwtBearerOptions()
    {
        // "Bearer"
        AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
        AutomaticAuthenticate = false,
        Audience = "http://localhost:5001/",
        Authority = "http://localhost:5000/",
        // Needed only because the Authority above is plain HTTP; leave at the default (true) outside development
        RequireHttpsMetadata = false
    });
}
```
In the preceding code, two authentication middlewares have been added: one for cookies and one for bearer.
> [!NOTE]
> Specifying the default scheme results in the `HttpContext.User` property being set to that identity. If that behavior isn't desired, disable it by setting the `AuthenticationOptions.AutomaticAuthenticate` property to `false`.
---
## Selecting the scheme with the Authorize attribute
At the point of authorization, the app indicates the handler to be used. Select the handler with which the app will authorize by passing a comma-delimited list of authentication schemes to `[Authorize]`. The `[Authorize]` attribute specifies the authentication scheme or schemes to use regardless of whether a default is configured; schemes that aren't listed are not consulted for that endpoint. For example:
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
```csharp
// Requires the following imports:
// using Microsoft.AspNetCore.Authentication.Cookies;
// using Microsoft.AspNetCore.Authentication.JwtBearer;
[Authorize(AuthenticationSchemes = AuthSchemes)]
public class MixedController : Controller
{
    // "Cookies,Bearer": both handlers are consulted for every action in this controller
    private const string AuthSchemes =
        CookieAuthenticationDefaults.AuthenticationScheme + "," +
        JwtBearerDefaults.AuthenticationScheme;
}
```
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
```csharp
// Requires the following imports:
// using Microsoft.AspNetCore.Authentication.Cookies;
// using Microsoft.AspNetCore.Authentication.JwtBearer;
[Authorize(ActiveAuthenticationSchemes = AuthSchemes)]
public class MixedController : Controller
{
    // "Cookies,Bearer": both middlewares are consulted for every action in this controller
    private const string AuthSchemes =
        CookieAuthenticationDefaults.AuthenticationScheme + "," +
        JwtBearerDefaults.AuthenticationScheme;
}
```
---
In the preceding example, both the cookie and bearer handlers run, and each one that succeeds appends its identity to the current user. Specify a single scheme and only that handler runs:
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
```csharp
[Authorize(AuthenticationSchemes =
    JwtBearerDefaults.AuthenticationScheme)]
public class MixedController : Controller
```
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
```csharp
[Authorize(ActiveAuthenticationSchemes =
    JwtBearerDefaults.AuthenticationScheme)]
public class MixedController : Controller
```
---
In the preceding code, only the handler with the "Bearer" scheme runs. Any cookie-based identities are ignored: a request that carries a valid cookie but no bearer token is unauthenticated here and receives the bearer handler's challenge (a 401 response with a `WWW-Authenticate: Bearer` header) rather than the cookie handler's login redirect.
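
An added example (not code from the original article or from the ASP.NET Core project) for the case where a controller accepts both schemes but one action must be reachable only with a bearer token. The route names and the `CreateApiKey` action are assumptions for illustration; the calls to `HttpContext.AuthenticateAsync(scheme)` and `Challenge(scheme)` are the framework's own 2.x APIs.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Either handler may authenticate callers of this controller.
[Authorize(AuthenticationSchemes =
    CookieAuthenticationDefaults.AuthenticationScheme + "," +
    JwtBearerDefaults.AuthenticationScheme)]
[Route("mixed")] // route prefix is an assumption for this example
public class MixedController : Controller
{
    // Works for browser (cookie) and API (bearer) callers alike.
    [HttpGet("profile")]
    public IActionResult Profile() => Ok(new { name = User.Identity.Name });

    // Must be reachable only with a bearer token. Stacking a second
    // [Authorize(AuthenticationSchemes = "Bearer")] on this action would NOT achieve that:
    // multiple [Authorize] attributes are combined into one policy whose scheme list is the
    // union of all of them, so the cookie handler would still be consulted. Ask the bearer
    // handler directly instead.
    [HttpPost("api-keys")]
    public async Task<IActionResult> CreateApiKey()
    {
        // Runs only the "Bearer" handler; a cookie on the request plays no part in this result.
        AuthenticateResult result =
            await HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);

        if (!result.Succeeded)
        {
            // Challenge via the bearer scheme: 401 with WWW-Authenticate: Bearer,
            // instead of the cookie handler's redirect to its LoginPath.
            return Challenge(JwtBearerDefaults.AuthenticationScheme);
        }

        // result.Principal holds only the identity from the validated token, not the
        // merged HttpContext.User that the class-level attribute produced.
        return Ok(new { issuedTo = result.Principal.Identity.Name });
    }
}
```

The explicit `AuthenticateAsync` call is the narrowing step the attribute cannot express: a cookie-only session (which a cross-site request could drive) passes the class-level attribute, but cannot produce a successful result from the bearer handler. Use `Challenge` rather than `Forbid` here so the client is told which credential to present.
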
## Selecting the scheme with policies
If you prefer to specify the desired schemes in [policy](xref:security/authorization/policies), you can set the `AuthenticationSchemes` collection when adding your policy:
```csharp
services.AddAuthorization(options =>
{
    options.AddPolicy("Over18", policy =>
    {
        // Only the identity produced by the "Bearer" handler is evaluated by this policy.
        policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
        policy.RequireAuthenticatedUser();
        // MinimumAgeRequirement is the custom requirement from the policies article linked above.
        policy.Requirements.Add(new MinimumAgeRequirement());
    });
});
```
In the preceding example, the "Over18" policy runs only against the identity created by the "Bearer" handler. Use the policy by setting the `[Authorize]` attribute's `Policy` property:

```csharp
[Authorize(Policy = "Over18")]
public class RegistrationController : Controller
```