microsoft-identity-web: [Bug] 'Scheme already exists: Bearer' when trying to setup both AAD and AAD B2C auth

Which version of Microsoft Identity Web are you using? 0.2.3-preview

Where is the issue?

I’m trying to make my ASP.NET Core Web API compatible with both AAD tokens issued on behalf of applications as well as AAD B2C tokens issued on behalf of users, but run into errors when trying to configure both entries in my appsettings.json file. If I only initialize AddMicrosoftWebApi once, then I get issues verifying JWT signature when the token is generated using the identity provider that was left out.

Is this a new or an existing app? This is a new app

Repro

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftWebApi(this.Configuration, "AzureAd")
    .AddMicrosoftWebApi(this.Configuration, "AzureAdB2C")

Expected behavior: ASP.NET Core app is set up to validate tokens issued from both identity providers.

Actual behavior: Error during startup: InvalidOperationException: 'Scheme already exists: Bearer'

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 23 (7 by maintainers)

Most upvoted comments

@AzureAD/azure-ad-app-content-authors

You added the same authentication scheme twice. You’d need to use a different name for the jwtBearerScheme parameter in one of your calls. For instance:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftWebApi(this.Configuration, "AzureAd")
    .AddMicrosoftWebApi(this.Configuration, "AzureAdB2C", "jwtBearerScheme2")

BTW, the default one will be “Bearer” (JwtBearerDefaults.AuthenticationScheme).
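A complete Startup showing the two-scheme setup from the comment above, as an added example that is not from the issue or from the library's own docs. It assumes the 0.2.x-preview `AddMicrosoftWebApi(configuration, configSectionName, jwtBearerScheme)` overload used above, two config sections named "AzureAd" and "AzureAdB2C" in appsettings.json, and a scheme name "B2CBearer" chosen here; the authorization policy part is standard ASP.NET Core, added so that both schemes are actually consulted on `[Authorize]`.

```csharp
// Added example (not from the issue or the library): a Web API that accepts
// AAD app tokens and AAD B2C user tokens via two distinctly named schemes.
// Assumes config sections "AzureAd" and "AzureAdB2C" and the 0.2.x overload
// AddMicrosoftWebApi(IConfiguration, string section, string scheme).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    // Scheme names must be unique; "Bearer" is the library's default name.
    private const string AadScheme = JwtBearerDefaults.AuthenticationScheme; // "Bearer"
    private const string B2CScheme = "B2CBearer"; // name chosen for this example

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AadScheme)
            // Each call binds its own section, so each scheme validates issuer,
            // audience and signing keys against its own authority only; a token
            // from one provider is never validated with the other's metadata.
            .AddMicrosoftWebApi(Configuration, "AzureAd", AadScheme)
            .AddMicrosoftWebApi(Configuration, "AzureAdB2C", B2CScheme);

        services.AddAuthorization(options =>
        {
            // Without this, [Authorize] only consults the default scheme, so a
            // valid B2C token would still be rejected with 401.
            options.DefaultPolicy = new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes(AadScheme, B2CScheme)
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Endpoints that should accept only one provider can still pin it with `[Authorize(AuthenticationSchemes = "B2CBearer")]` instead of relying on the combined default policy.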

Thanks everyone for feedback. A fix is in PR #475 (which will be included in the next release). Also added a small section to the wiki related to this.

Thanks everybody. @pmaytak it might be worth describing the appconfig.json, and possibly the attribute. Thx

@jmprieur Just testing a solution and will write a wiki article.

@timClyburn I’m not exactly sure but I think if you just try to submit a pull request, the CLA bot will post a link where to sign the CLA.

@tymtam2 The second stage is separate from the first in the same way Authorization is separate from Authentication in ASP.NET. The problems I’m describing all occur in the first stage when attempting to authenticate Bearer tokens created by two different issuers: AAD and AAD B2C.

You can see in your first code snippet that the docs show how to specify two different authorities. The issue I’m seeing with this library is that .AddMicrosoftWebApi(this.Configuration, "AzureAdB2C") should handle that part, but there’s likely a bug in how it pulls and stores the configuration.

One thought that just occurred to me is if it’s even possible to support passing different Authorization: Bearer tokens to the same Web Api that are issued by different providers, i.e. one from Active Directory and another from AAD B2C?

EDIT: This documentation section suggests it should be possible, but unclear how to set it up using Microsoft Identity Web.