
Bearer Token by custom field in Header

My endpoint uses a token to authorize the execution but the header "Authorization" field is used for the gateway token. I'd like to set a different header key to pass and read the token in my endpoints and avoid conflicts.

This is my controller code:

    [HttpPost]
    [ApiVersion("1.0")]
    [ProducesResponseType(typeof(ErrorMessageDto), 500)]
    [Authorize(AuthenticationSchemes = "Bearer")]
    [ProducesResponseType(typeof(NavMenuItemReturnDto), 201)]
    public IActionResult CreateNavMenuItem(NavMenuItemUpdateCreateDto newNavMenuItem)
    {
        try
        {
            return StatusCode(201, _navMenuItemsBL.CreateNewNavMenuItem(newNavMenuItem).Result);
        }
        catch (Exception ex)
        {
            return StatusCode(500, new ErrorMessageDto { Error = ex.Message });
        }
    }

This is my startup code:

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer("Bearer", options =>
        {
            options.Authority = Configuration.GetSection("JwtAuthority").Get<string>();

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = false,
                ValidateAudience = false,
                RequireExpirationTime = false,
                ValidateLifetime = false,
                ValidateIssuer = false,
            };
        });

Any suggestions? Thanks for the help.

Could you achieve what you are after by adding multiple authentication schemes?

An example is below:

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Audience = "https://localhost:5000/";
            options.Authority = "https://localhost:5000/identity/";
        })
        .AddJwtBearer("AzureAD", options =>
        {
            options.Audience = "https://localhost:5000/";
            options.Authority = "https://login.microsoftonline.com/eb971100-6f99-4bdc-8611-1bc8edd7f436/";
        });

Only one JWT bearer authentication is registered with the default authentication scheme JwtBearerDefaults.AuthenticationScheme. Additional authentication has to be registered with a unique authentication scheme.

The next step is to update the default authorization policy to accept both authentication schemes. For example:

    services.AddAuthorization(options =>
    {
        var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
            JwtBearerDefaults.AuthenticationScheme,
            "AzureAD");
        defaultAuthorizationPolicyBuilder =
            defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
        options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
    });

As the default authorization policy is overridden, it's possible to use the [Authorize] attribute in controllers. The controller then accepts requests with JWT issued by the first or second issuer.

Now you have the default and AzureAD.
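As an added example (not code from the question or the answer above), here is one way to combine the answer's two-scheme registration with the question's custom-header requirement: the second scheme pulls its token from a separate header through `JwtBearerEvents.OnMessageReceived`, so it no longer competes with the gateway token in `Authorization`, and the default policy accepts either scheme. Unlike the question's startup code, it leaves the issuer, audience, lifetime and signing-key checks at their enabled defaults. The scheme name, header name, authorities and audience are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Primitives;
using System.Threading.Tasks;

public static class AuthSetup
{
    public const string AppScheme = "AppToken";          // assumed scheme name
    public const string AppTokenHeader = "X-App-Token";  // assumed custom header name

    public static IServiceCollection AddDualBearerAuth(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            // Default scheme: reads the gateway token from the standard Authorization header.
            .AddJwtBearer(options =>
            {
                options.Authority = "https://gateway.example.invalid/";  // placeholder
                options.Audience = "https://api.example.invalid/";       // placeholder
            })
            // Second scheme: reads the application token from the custom header instead.
            .AddJwtBearer(AppScheme, options =>
            {
                options.Authority = "https://identity.example.invalid/"; // placeholder
                options.Audience = "https://api.example.invalid/";       // placeholder
                options.Events = new JwtBearerEvents
                {
                    OnMessageReceived = context =>
                    {
                        if (context.Request.Headers.TryGetValue(AppTokenHeader, out StringValues value))
                        {
                            // Setting Token makes the handler skip the Authorization header.
                            context.Token = value.ToString();
                        }
                        return Task.CompletedTask;
                    }
                };
                // TokenValidationParameters are left at defaults: issuer, audience,
                // lifetime and signature are all validated.
            });

        services.AddAuthorization(options =>
        {
            // Default policy accepts a principal from either scheme, so plain [Authorize] works.
            options.DefaultPolicy = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme, AppScheme)
                .RequireAuthenticatedUser()
                .Build();
        });
        return services;
    }
}
```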
