I am developing an AspNetCore 2 app that has web views alongside an API (prefixed with /api), and I am trying to have the web views be authenticated using OpenIdConnect + cookies, while the /api prefixed routes be authenticated with JWT tokens (for mobile app compatibility).
So far I've managed to register and configure the cookies, OpenIdConnect and JWT middlewares using this code:

    // Cookies are registered as the default authentication scheme.
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie()
        .AddOpenIdConnect(options => {
            var optionsSetup = new OpenIdConnectOptionsSetup(b2cOptions);
            optionsSetup.Configure(options);
        });

    // JWT bearer is added as a further scheme; the default scheme is not changed here.
    services.AddAuthentication()
        .AddJwtBearer(options => {
            var optionsSetup = new JWTBearerOptionsSetup(b2cOptions);
            optionsSetup.Configure(options);
        });

Along with this line in the Configure method:

    app.UseAuthentication();

OpenIdConnectOptionsSetup is taken from (with slight modifications) the aspnetcore AD B2C sample repositories.
JWTBearerOptionsSetup is a refactor from the aspnetcore AD B2C sample repo to extract the JWT configuration code into an external class.
Right now AJAX calls to an /api endpoint are being met with an OpenId redirect to our AD's login policy endpoint, so the Cookie/OpenIdConnect middleware are handling those. I need a way to make /api go straight into the JWTBearer middleware instead.
Is this possible? Must I separate the web and the API projects?
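
An added example, not part of the original post: one way to keep both in a single project is to leave the cookie default for the web views and bind the /api controllers to an authorization policy that names the JwtBearer scheme, so unauthenticated API calls get a 401 bearer challenge instead of the OpenID Connect redirect. The policy name `ApiJwt`, the helper `AddApiJwtPolicy` and both controllers are hypothetical names chosen for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class ApiAuthorization
{
    // Hypothetical policy name, not from the original post.
    public const string ApiJwtPolicy = "ApiJwt";

    // Call from ConfigureServices, alongside the AddAuthentication(...) registrations.
    public static IServiceCollection AddApiJwtPolicy(this IServiceCollection services)
    {
        return services.AddAuthorization(options =>
        {
            options.AddPolicy(ApiJwtPolicy, policy =>
            {
                // Authenticate and challenge with the JwtBearer scheme only;
                // the cookie / OpenID Connect handlers are not consulted.
                policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
                policy.RequireAuthenticatedUser();
            });
        });
    }
}

// Hypothetical API controller: every action requires a valid bearer token.
[Route("api/[controller]")]
[Authorize(Policy = ApiAuthorization.ApiJwtPolicy)]
public class OrdersController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new { user = User.Identity.Name });
}

// Hypothetical web controller: a plain [Authorize] keeps using the default
// schemes registered in AddAuthentication(...), i.e. the cookie sign-in flow.
[Authorize]
public class HomeController : Controller
{
    public IActionResult Index() => View();
}
```

Applying the policy on a shared base class for all /api controllers avoids an endpoint being left on the cookie default by omission.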