
I am developing an AspNetCore 2 app that has web views alongside an API (prefixed with /api) and I am trying to have the web views be authenticated using OpenIdConnect + cookies, while the /api prefixed routes are authenticated with JWT tokens (for mobile app compatibility).

So far I've managed to register and configure the cookies, OpenIdConnect and JWT middlewares using this code:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
  .AddCookie()
  .AddOpenIdConnect(options => {
    var optionsSetup = new OpenIdConnectOptionsSetup(b2cOptions);
    optionsSetup.Configure(options);
  });

services.AddAuthentication()
  .AddJwtBearer(options => {
    var optionsSetup = new JWTBearerOptionsSetup(b2cOptions);
    optionsSetup.Configure(options);
  });

Along with this line on the Configure method:

app.UseAuthentication();

OpenIdConnectOptionsSetup is taken from (with slight modifications) the aspnetcore AD B2C sample repositories.

JWTBearerOptionsSetup is a refactor from the aspnetcore AD B2C sample repo to extract the JWT configuration code into an external class.

Right now AJAX calls to an /api endpoint are being met with an OpenId redirect to our AD's login policy endpoint, so the Cookie/OpenIdConnect middleware is handling those. I need a way to make /api go straight into the JWTBearer middleware instead.

Is this possible? Must I separate the web and the API projects?

  • Just try this wildermuth.com/2017/08/19/…
    – akaco
    Commented Aug 24, 2017 at 6:42
  • 1
    So did you get this working? Was wildermuth's solution the correct one?
    – Luke
    Commented Apr 12, 2018 at 16:36

1 Answer


I would recommend that you separate the web and the API into separate services, because otherwise it will be harder to reason about the behavior of the system. Troubleshooting the system will also be easier.

Both the cookie and JwtBearer handler will try to create the ClaimsPrincipal user object in your system, either from the session cookie or from the access token.

Perhaps this blog post can give you some hints:
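As an added example that is not part of the question or the answer above: if the two halves stay in one project, the request path can select the handler by registering a policy scheme as the default and forwarding /api requests to the JWT bearer handler and everything else to the cookie handler (which in turn forwards its challenge to OpenID Connect). This assumes ASP.NET Core 2.1 or later (AddPolicyScheme and ForwardDefaultSelector are not in 2.0), reuses the question's OpenIdConnectOptionsSetup and JWTBearerOptionsSetup classes, and uses a hypothetical B2COptions type for the b2cOptions value.

```csharp
// Added example, not the question's or answer's own code.
// Requires ASP.NET Core 2.1+ (AddPolicyScheme, ForwardDefaultSelector, ForwardChallenge).
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    // Virtual scheme that only decides which real handler serves the request.
    public const string SelectorScheme = "WebOrApi";

    // B2COptions is a placeholder for whatever type the question's b2cOptions has.
    public static void ConfigureAuth(IServiceCollection services, B2COptions b2cOptions)
    {
        services.AddAuthentication(options =>
            {
                // Authenticate and challenge go to the selector first ...
                options.DefaultScheme = SelectorScheme;
                // ... but sign-in (after the OIDC callback) always lands in the cookie.
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddPolicyScheme(SelectorScheme, "Cookie or JWT bearer", options =>
            {
                // /api/* is validated by the bearer handler and fails with a plain 401;
                // browser routes use the cookie and get the OIDC redirect on challenge.
                options.ForwardDefaultSelector = context =>
                    context.Request.Path.StartsWithSegments("/api")
                        ? JwtBearerDefaults.AuthenticationScheme
                        : CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                // Unauthenticated web-view requests are sent to the OIDC login policy.
                options.ForwardChallenge = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddOpenIdConnect(options =>
                new OpenIdConnectOptionsSetup(b2cOptions).Configure(options))
            .AddJwtBearer(options =>
                new JWTBearerOptionsSetup(b2cOptions).Configure(options));
    }
}
```

With this in place a plain [Authorize] works on both controller kinds, and app.UseAuthentication() stays as in the question; verify by calling an /api route without a token and checking for a 401 with a WWW-Authenticate: Bearer header rather than a 302 to the B2C policy.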
