Merge pull request #4531 from aspnet/scottaddie/limiting-identity-2.0

2.0 update of Limiting identity by scheme doc
pull/4553/head
Scott Addie 2017-10-12 15:41:46 -05:00 committed by GitHub
commit 1cbd792135
2 changed files with 96 additions and 31 deletions

View File

@ -71,7 +71,7 @@ The code snippets above configure some or all of the following options:
* `AccessDeniedPath` - This is the relative path to which requests redirect when a user attempts to access a resource but does not pass any [authorization policies](xref:security/authorization/policies#security-authorization-policies-based) for that resource.
* `AuthenticationScheme` - This is a value by which a particular cookie authentication scheme is known. This is useful when there are multiple instances of cookie authentication and you want to [limit authorization to one instance](xref:security/authorization/limitingidentitybyscheme#security-authorization-limiting-by-scheme).
* `AuthenticationScheme` - This is a value by which a particular cookie authentication scheme is known. This is useful when there are multiple instances of cookie authentication and the app needs to [limit authorization to one instance](xref:security/authorization/limitingidentitybyscheme).
* `AutomaticAuthenticate` - This flag is relevant only for ASP.NET Core 1.x. It indicates that the cookie authentication should run on every request and attempt to validate and reconstruct any serialized principal it created.

View File

@ -1,74 +1,139 @@
---
title: Limiting identity by scheme
title: Authorize with a specific scheme - ASP.NET Core
author: rick-anderson
description:
keywords: ASP.NET Core,
description: This article explains how to limit identity to a specific scheme when working with multiple authentication methods.
keywords: ASP.NET Core,identity,authentication scheme
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.date: 10/12/2017
ms.topic: article
ms.assetid: d3d6ca1b-b4b5-4bf7-898e-dcd90ec1bf8c
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/authorization/limitingidentitybyscheme
---
# Limiting identity by scheme
# Authorize with a specific scheme
<a name=security-authorization-limiting-by-scheme></a>
In some scenarios, such as Single Page Applications (SPAs), it's common to use multiple authentication methods. For example, the app may use cookie-based authentication to log in and JWT bearer authentication for JavaScript requests. In some cases, the app may have multiple instances of an authentication handler. For example, two cookie handlers where one contains a basic identity and one is created when a multi-factor authentication (MFA) has been triggered. MFA may be triggered because the user requested an operation that requires extra security.
In some scenarios, such as Single Page Applications it is possible to end up with multiple authentication methods. For example, your application may use cookie-based authentication to log in and bearer authentication for JavaScript requests. In some cases you may have multiple instances of an authentication middleware. For example, two cookie middlewares where one contains a basic identity and one is created when a multi-factor authentication has triggered because the user requested an operation that requires extra security.
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
Authentication schemes are named when authentication middleware is configured during authentication, for example
An authentication scheme is named when the authentication service is configured during authentication. For example:
```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions()
public void ConfigureServices(IServiceCollection services)
{
AuthenticationScheme = "Cookie",
LoginPath = new PathString("/Account/Unauthorized/"),
AccessDeniedPath = new PathString("/Account/Forbidden/"),
AutomaticAuthenticate = false
});
// Code omitted for brevity
app.UseBearerAuthentication(options =>
{
options.AuthenticationScheme = "Bearer";
options.AutomaticAuthenticate = false;
});
services.AddAuthentication()
.AddCookie(options => {
options.LoginPath = "/Account/Unauthorized/";
options.AccessDeniedPath = "/Account/Forbidden/";
})
.AddJwtBearer(options => {
options.Audience = "http://localhost:5001/";
options.Authority = "http://localhost:5000/";
});
```
In this configuration two authentication middlewares have been added, one for cookies and one for bearer.
In the preceding code, two authentication handlers have been added: one for cookies and one for bearer.
>[!NOTE]
>When adding multiple authentication middleware you should ensure that no middleware is configured to run automatically. You do this by setting the `AutomaticAuthenticate` options property to false. If you fail to do this filtering by scheme will not work.
>Specifying the default scheme results in the `HttpContext.User` property being set to that identity. If that behavior isn't desired, disable it by invoking the parameterless form of `AddAuthentication`.
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
Authentication schemes are named when authentication middlewares are configured during authentication. For example:
```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
// Code omitted for brevity
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "Cookie",
LoginPath = "/Account/Unauthorized/",
AccessDeniedPath = "/Account/Forbidden/",
AutomaticAuthenticate = false
});
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
AuthenticationScheme = "Bearer",
AutomaticAuthenticate = false,
Audience = "http://localhost:5001/",
Authority = "http://localhost:5000/",
RequireHttpsMetadata = false
});
```
In the preceding code, two authentication middlewares have been added: one for cookies and one for bearer.
>[!NOTE]
>Specifying the default scheme results in the `HttpContext.User` property being set to that identity. If that behavior isn't desired, disable it by setting the `AuthenticationOptions.AutomaticAuthenticate` property to `false`.
---
## Selecting the scheme with the Authorize attribute
As no authentication middleware is configured to automatically run and create an identity you must, at the point of authorization choose which middleware will be used. The simplest way to select the middleware you wish to authorize with is to use the `ActiveAuthenticationSchemes` property. This property accepts a comma delimited list of Authentication Schemes to use. For example;
At the point of authorization, the app indicates the handler to be used. Select the handler with which the app will authorize by passing a comma-delimited list of authentication schemes to `[Authorize]`. The `[Authorize]` attribute specifies the authentication scheme or schemes to use regardless of whether a default is configured. For example:
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
```csharp
[Authorize(AuthenticationSchemes = "Cookie,Bearer")]
public class MixedController : Controller
```
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
```csharp
[Authorize(ActiveAuthenticationSchemes = "Cookie,Bearer")]
public class MixedController : Controller
```
In the example above both the cookie and bearer middlewares will run and have a chance to create and append an identity for the current user. By specifying a single scheme only the specified middleware will run;
---
In the preceding example, both the cookie and bearer handlers run and have a chance to create and append an identity for the current user. By specifying a single scheme only, the corresponding handler runs.
# [ASP.NET Core 2.x](#tab/aspnetcore2x)
```csharp
[Authorize(AuthenticationSchemes = "Bearer")]
public class MixedController : Controller
```
# [ASP.NET Core 1.x](#tab/aspnetcore1x)
```csharp
[Authorize(ActiveAuthenticationSchemes = "Bearer")]
public class MixedController : Controller
```
In this case only the middleware with the Bearer scheme would run, and any cookie based identities would be ignored.
---
In the preceding code, only the handler with the "Bearer" scheme runs. Any cookie-based identities are ignored.
## Selecting the scheme with policies
If you prefer to specify the desired schemes in [policy](policies.md#security-authorization-policies-based) you can set the `AuthenticationSchemes` collection when adding your policy.
If you prefer to specify the desired schemes in [policy](xref:security/authorization/policies#security-authorization-policies-based), you can set the `AuthenticationSchemes` collection when adding your policy:
```csharp
options.AddPolicy("Over18", policy =>
services.AddAuthorization(options =>
{
policy.AuthenticationSchemes.Add("Bearer");
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new Over18Requirement());
options.AddPolicy("Over18", policy =>
{
policy.AuthenticationSchemes.Add("Bearer");
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new MinimumAgeRequirement());
});
});
```
In this example the Over18 policy will only run against the identity created by the `Bearer` middleware.
In the preceding example, the "Over18" policy only runs against the identity created by the "Bearer" handler. Use the policy by setting the `[Authorize]` attribute's `Policy` property:
```csharp
[Authorize(Policy = "Over18")]
public class RegistrationController : Controller
```