0

I'm working on an ASP.NET Core project that has a website as well as an API. I need the API to be secured by some means, so I implemented JWT authentication. This worked as expected, and the API is only accessible by calls made with a valid token.

The problem is, the built-in login functionality on the website no longer works. This is the code I added to Startup.cs:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = Configuration["Jwt:Issuer"],
            ValidAudience = Configuration["Jwt:Issuer"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
        };
    });

If I remove this code, the built-in login feature works as usual, but the API no longer works.

Is there a way I can make the JWT authentication only apply to the API controllers? Or is there a way I can make the built-in authentication use JWT?

Improve this question

1 Answer 1

Reset to default
2

I had the same problem and resolved it (using Asp.Net Core 3.0).
You can add more than one Authentication schema to your project with code like this.

// Read the token generation data...
var token = Configuration.GetSection("JwtTokenData").Get<JwtTokenData>();

services.AddAuthentication()
        .AddCookie(options =>
        {
            options.LoginPath = $"/Identity/Account/Login";
            options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
        })
        .AddJwtBearer(options => {
            options.SaveToken = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(token.Secret)),
                ValidIssuer = token.Issuer,
                ValidAudience = token.Audience,
                ValidateIssuer = false,
                ValidateAudience = false
            };
        });

Notice how I haven't specified the default authentication schema when I call AddAuthentication. This allows the built-in Authentication to be the default for your pages or controller where you use the [Authorize] attribute.

But when you need to use JWT Authentication then you use this option on the Authorize attribute for your Web API controller or methods

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You can also just use [Authorize(AuthenticationSchemes = "Bearer"] attribute, it`s shorter.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.