.NET CORE 2.2 Identity + Basic Auth for WebAPI

Question

I am developing a software which contains User-Interfaces and APIs. For the authentication and authorization i have used .NET CORE Identity 2.2!

I works very well. Now i have API functions which have two different requirements: 1. API Endpoint which is used by User-Interfaces (AJAX calls and so on...) 2. API Endpoint which could be used by other Software

Therefore i would like to use two different Authorize-Methods. For point 1 i use the .NET CORE Identity authorization and authentication. And for point 2 i would like to use BASIC AUTH

How could i configure these different Authorize-Methods. Here is a sample code:

BASIC AUTH CODE

1. Try to add Service-Support for BasuicAuth in ConfigureServices services.AddAuthentication("BasicAuth").AddScheme<AuthenticationSchemeOptions, BasicAuthHandler>("BasicAuth", null);

2. Build Basic Auth Handler

   public class BasicAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions> { IConfiguration _configuration; /// <summary> /// Constructor /// </summary> /// <param name="options"></param> /// <param name="logger"></param> /// <param name="encoder"></param> /// <param name="clock"></param> /// <param name="configuration"></param> public BasicAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IConfiguration configuration) : base(options, logger, encoder, clock) { _configuration = configuration; } /// <summary> /// Handels the Authentication by using Basic Auth /// --> Checks the configured values by /// </summary> /// <returns></returns> protected override async Task<AuthenticateResult> HandleAuthenticateAsync() { if (!Request.Headers.ContainsKey("Authorization")) { return AuthenticateResult.Fail("Missing Authorization Header"); } try { var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]); var credentialsByes = Convert.FromBase64String(authHeader.Parameter); var credentials = Encoding.UTF8.GetString(credentialsByes).Split(':'); var configuredUserName = _configuration["BasicAuth:Username"]; var configuredPassword = _configuration["BasicAuth:Password"]; if (configuredUserName.Equals(credentials[0]) & configuredPassword.Equals(credentials[1])) { var claims = new[] { new Claim(ClaimTypes.Name, credentials[0]) }; var identity = new ClaimsIdentity(claims, Scheme.Name); var principal = new ClaimsPrincipal(identity); var ticket = new AuthenticationTicket(principal, Scheme.Name); return AuthenticateResult.Success(ticket); } else { return AuthenticateResult.Fail("Invalid Credentials"); } } catch { return AuthenticateResult.Fail("Invalid Authorization Header"); } } }

3. Try to add Authentication Basic-Auth to Controller

    [ApiController] [ApiVersion("1.0", Deprecated = false)] [Produces("application/json")] [Route("api/v{version:apiVersion}/[controller]")] [Authorize] public class MasterDataController : ControllerBase {...}

   The Authorize Annotation is using every-time the .NET CORE Identity Authorize

ANOTHER CASE IS TO USE AUTHORIZE BY .NET CORE IDENTITY FOR UI-APIs

[ApiController]
[ApiVersion("1.0", Deprecated = false)]
[Produces("application/json")]
[Route("api/v{version:apiVersion}/[controller]")]
[Authorize(Roles = "SuperUser,PlantAdministrator,EndUser")]
public class UploadController : ControllerBase
{...}

This works very well - but i would like to use a combination...

Answer 1

I found a solution. You could do it by add parameters to the Authorize annotation like the following:

[ApiController]
[ApiVersion("1.0", Deprecated = false)]
[Produces("application/json")]
[Route("api/v{version:apiVersion}/[controller]")]
[Authorize(ActiveAuthenticationSchemes = "BasicAuth")]
public class MasterDataController : ControllerBase
{...}

If you set the ActiveAuthenticationSchemes to Basic Auth it looks for a compatible AuthenticationHandler!