Merge pull request #34310 from damienbod/damienbod/jwt-bearer-authn

Configure JWT bearer authentication in ASP.NET Core

Author: Rick-Anderson

aspnetcore/security/authentication/configure-jwt-bearer-authentication.md

@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace JwtBearer.Controllers;
+
+[Authorize]
+[ApiController]
+[Route("[controller]")]
+public class WeatherForecastController : ControllerBase
+{
+    private static readonly string[] Summaries =
+    [
+        "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+    ];
+
+    [HttpGet(Name = "GetWeatherForecast")]
+    public IEnumerable<WeatherForecast> Get()
+    {
+        return Enumerable.Range(1, 5).Select(index => new WeatherForecast
+        {
+            Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+            TemperatureC = Random.Shared.Next(-20, 55),
+            Summary = Summaries[Random.Shared.Next(Summaries.Length)]
+        })
+        .ToArray();
+    }
+}

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/Controllers/WeatherForecastController.cs

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.0" />
+  </ItemGroup>
+
+</Project>

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/JwtBearer.csproj

@@ -0,0 +1,6 @@
+@JwtBearer_HostAddress = https://localhost:7279
+
+GET {{JwtBearer_HostAddress}}/weatherforecast/
+Accept: application/json
+
+###

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/JwtBearer.http

@@ -0,0 +1,37 @@
+
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+
+namespace JwtBearer;
+
+public class Program
+{
+    public static void Main(string[] args)
+    {
+        var builder = WebApplication.CreateBuilder(args);
+
+        builder.Services.AddControllers();
+        builder.Services.AddOpenApi();
+
+        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(jwtOptions =>
+            {
+                jwtOptions.Authority = "https://{--your-authority--}";
+                jwtOptions.Audience = "https://{--your-audience--}";
+            });
+
+        var app = builder.Build();
+
+        if (app.Environment.IsDevelopment())
+        {
+            app.MapOpenApi();
+        }
+
+        app.UseHttpsRedirection();
+
+        app.UseAuthorization();
+
+        app.MapControllers();
+
+        app.Run();
+    }
+}

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/Program.cs

@@ -0,0 +1,12 @@
+namespace JwtBearer;
+
+public class WeatherForecast
+{
+    public DateOnly Date { get; set; }
+
+    public int TemperatureC { get; set; }
+
+    public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+
+    public string? Summary { get; set; }
+}

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/WeatherForecast.cs

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/appsettings.Development.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

aspnetcore/security/authentication/configure-jwt-bearer-authentication/sample/JwtBearer/appsettings.json

@@ -21,6 +21,66 @@ All authentication schemes that use derived <xref:Microsoft.AspNetCore.Authentic
 
 [!code-csharp[sample](policyschemes/samples/AuthenticationSchemeOptions.cs?name=snippet)]
 
+## JWT with multiple schemes
+
+The AddPolicyScheme method can define multiple authentication schemes and implement logic to select the appropriate scheme based on token properties (e.g., issuer, claims). This approach allows for greater flexibility within a single API.
+
+```csharp
+services.AddAuthentication(options =>
+{
+	options.DefaultScheme = Consts.MY_POLICY_SCHEME;
+	options.DefaultChallengeScheme = Consts.MY_POLICY_SCHEME;
+
+})
+.AddJwtBearer(Consts.MY_FIRST_SCHEME, options =>
+{
+	options.Authority = "https://your-authority";
+	options.Audience = "https://your-audience";
+	options.TokenValidationParameters = new TokenValidationParameters
+	{
+		ValidateIssuer = true,
+		ValidateAudience = true,
+		ValidateIssuerSigningKey = true,
+		ValidAudiences = Configuration.GetSection("ValidAudiences").Get<string[]>(),
+		ValidIssuers = Configuration.GetSection("ValidIssuers").Get<string[]>()
+	};
+})
+.AddJwtBearer(Consts.MY_AAD_SCHEME, jwtOptions =>
+{
+	jwtOptions.Authority = Configuration["AzureAd:Authority"];
+	jwtOptions.Audience = Configuration["AzureAd:Audience"]; 
+})
+.AddPolicyScheme(Consts.MY_POLICY_SCHEME, displayName: null, options =>
+{
+	options.ForwardDefaultSelector = context =>
+	{
+		string authorization = context.Request.Headers[HeaderNames.Authorization];
+		if (!string.IsNullOrEmpty(authorization) && authorization.StartsWith("Bearer "))
+		{
+			var token = authorization.Substring("Bearer ".Length).Trim();
+			var jwtHandler = new JsonWebTokenHandler();
+
+			if(jwtHandler.CanReadToken(token)) // it's a self contained access token and not encrypted
+			{
+				var issuer = jwtHandler.ReadJsonWebToken(token).Issuer; //.Equals("B2C-Authority"))
+				if (issuer == Consts.MY_THIRD_PARTY_ISS) // Third party identity provider
+				{
+					return Consts.MY_THIRD_PARTY_SCHEME;
+				}
+
+				if (issuer == Consts.MY_AAD_ISS) // AAD
+				{
+					return Consts.MY_AAD_SCHEME;
+				}
+			}
+		}
+
+		// We don't know with it is
+		return Consts.MY_AAD_SCHEME;
+	};
+});
+```
+
 ## Examples
 
 The following example shows a higher level scheme that combines lower level schemes. Google authentication is used for challenges, and cookie authentication is used for everything else:

aspnetcore/security/authentication/policyschemes.md

@@ -1575,6 +1575,8 @@ items:
             uid: security/authentication/cookie
           - name: Configure OIDC web authentication
             uid: security/authentication/configure-oidc-web-authentication
+          - name: Configure JWT bearer authentication
+            uid: security/authentication/configure-jwt-bearer-authentication
           - name: Configure certificate authentication
             uid: security/authentication/certauth
           - name: Configure Windows authentication