
Asp.NET 4.7.2 Multiple Owin Auth Providers

Is it possible to use two OpenIdConnect providers in the same application? I need to have logins for two distinct groups, the first being employees who have valid Azure AD accounts, and the second customers, who do not have Azure AD accounts. I know the endpoints to use, and have worked on applications that contain this functionality using .NET Core but I am unable to successfully implement this in .NET 4.7.2

In my start.auth.cs file I have been trying to add the providers like this

    app.UseOpenIdConnectAuthentication(CustomerOptions());
    app.UseOpenIdConnectAuthentication(EmployeeOptions());

    private static OpenIdConnectAuthenticationOptions EmployeeOptions() =>
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = authority,
            RedirectUri = RedirectUri,
            ClientSecret = ClientSecret,
            PostLogoutRedirectUri = RedirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // ResponseType is set to request the id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
            // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
            // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false // This is a simplification
            },
            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                SecurityTokenValidated = OnAdSecurityTokenValidated
            }
        };

Where the...Options methods have the OpenIdConnectAuthenticationOptions specific to each endpoint. If I use just one of the methods I can authenticate into the application, but when I try adding both the authentication will only use the client added last.

The code that calls the methods is:

1. calls the Azure AD provider

        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);

2. calls the customer provider

        var properties = new AuthenticationProperties { RedirectUri = "/" };
        var scheme = "schemeName";
        HttpContext.GetOwinContext().Authentication.Challenge(properties, scheme);

How do I get the appropriate authentication provider called?

Thanks

You need to set a different scheme for each authentication middleware via the OpenIdConnectAuthenticationOptions.AuthenticationType property and pass the scheme you want to authenticate with to the Challenge(...) method.

I had neglected to set the authentication type parameter when I was newing up the OpenIdConnectAuthenticationOptions, so I was overwriting the default settings when I added the second authentication provider.

app.UseOpenIdConnectAuthentication(CustomerOptions());
app.UseOpenIdConnectAuthentication(EmployeeOptions());

private static OpenIdConnectAuthenticationOptions EmployeeOptions() =>
        new OpenIdConnectAuthenticationOptions("employeeAuthenticationType")
        {
            ClientId = ClientId,
            Authority = authority,
            RedirectUri = RedirectUri,
            ClientSecret = ClientSecret,
            PostLogoutRedirectUri = RedirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // ResponseType is set to request the id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
            // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
            // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false // This is a simplification
            },
            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                SecurityTokenValidated = OnAdSecurityTokenValidated
            }
        };
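The following is an added example, not code from the question or either answer: a complete Startup.Auth.cs plus a small controller that puts the two points above together. Each OpenIdConnect middleware is constructed with its own AuthenticationType and its own CallbackPath (so the two never consume each other's responses), both sign in to one cookie, and Challenge(...) selects a middleware by scheme name. It also pins the issuer for the employee tenant with ValidateIssuer/ValidIssuers instead of the ValidateIssuer = false shortcut, and stamps a claim recording which scheme authenticated the user so authorization can tell employees from customers. All client ids, authorities, redirect URIs and the "login_scheme" claim name are assumed placeholders.

```csharp
// Added example (not from the original question or answers). Assumes the
// Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.Cookies
// packages; all authority/client/redirect values below are placeholders.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // The scheme name is the only thing that tells OWIN which middleware a Challenge targets.
    public const string EmployeeScheme = "employeeAuthenticationType";
    public const string CustomerScheme = "customerAuthenticationType";

    public void ConfigureAuth(IAppBuilder app)
    {
        // Both OIDC middlewares sign the user into this one cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(EmployeeOptions());
        app.UseOpenIdConnectAuthentication(CustomerOptions());
    }

    private static OpenIdConnectAuthenticationOptions EmployeeOptions() =>
        new OpenIdConnectAuthenticationOptions(EmployeeScheme)
        {
            ClientId = "<employee-client-id>",                                    // placeholder
            Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0",     // placeholder
            RedirectUri = "https://localhost:44300/signin-employee",              // placeholder
            CallbackPath = new PathString("/signin-employee"),                     // distinct per middleware
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = OpenIdConnectScope.OpenIdProfile,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Employees must come from the single Azure AD tenant: pin the issuer.
                ValidateIssuer = true,
                ValidIssuers = new[] { "https://login.microsoftonline.com/<tenant-id>/v2.0" } // placeholder
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n => TagScheme(n, EmployeeScheme),
                AuthenticationFailed = OnAuthenticationFailed
            }
        };

    private static OpenIdConnectAuthenticationOptions CustomerOptions() =>
        new OpenIdConnectAuthenticationOptions(CustomerScheme)
        {
            ClientId = "<customer-client-id>",                                    // placeholder
            Authority = "https://customer-idp.example.com",                       // placeholder
            RedirectUri = "https://localhost:44300/signin-customer",              // placeholder
            CallbackPath = new PathString("/signin-customer"),
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = OpenIdConnectScope.OpenIdProfile,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuers = new[] { "https://customer-idp.example.com" }       // placeholder
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n => TagScheme(n, CustomerScheme),
                AuthenticationFailed = OnAuthenticationFailed
            }
        };

    // Records which scheme authenticated this principal so authorization can
    // distinguish employees from customers without trusting issuer strings downstream.
    private static Task TagScheme(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n,
        string scheme)
    {
        n.AuthenticationTicket.Identity.AddClaim(new Claim("login_scheme", scheme)); // assumed claim name
        return Task.FromResult(0);
    }

    private static Task OnAuthenticationFailed(
        AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        n.HandleResponse();            // stop the middleware pipeline from rethrowing
        n.Response.Redirect("/Error"); // log n.Exception server-side; do not echo it to the user
        return Task.FromResult(0);
    }
}

public class AccountController : System.Web.Mvc.Controller
{
    public void SignInEmployee() => Challenge(Startup.EmployeeScheme);
    public void SignInCustomer() => Challenge(Startup.CustomerScheme);

    // Passing the scheme name is what routes the challenge to the right middleware.
    private void Challenge(string scheme) =>
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" }, scheme);
}
```

If the scheme argument is omitted, Challenge falls back to OpenIdConnectAuthenticationDefaults.AuthenticationType, which is exactly the name both middlewares shared in the original code, so whichever was registered last wins. Giving each its own CallbackPath matters for the same reason: with a shared path the first middleware to see the response tries to validate a token issued for the other provider.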
