When using multiple JWT authentication schemes, the last scheme always fails with a 401, returning `Bearer error="invalid_token", error_description="The signature key was not found"` once and `Bearer error="invalid_token", error_description="The signature is invalid"` twice, in three separate WWW-Authenticate headers.
To Reproduce

```csharp
// Startup registration: three JwtBearer schemes (default, "Staging", "Prod"),
// each pointing at a different authority, plus a default policy that
// accepts any of the three.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 1"))
    .AddJwtBearer("Staging", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 2"))
    .AddJwtBearer("Prod", ConfigureJwtBearer.CreateJwtBearer(env, settings, "authority 3"));

services.AddAuthorization(options =>
{
    var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
        JwtBearerDefaults.AuthenticationScheme, "Staging", "Prod");
    defaultAuthorizationPolicyBuilder = defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
    options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
```

```csharp
// Shared factory for the per-scheme JwtBearerOptions.
public static Action<JwtBearerOptions> CreateJwtBearer(IHostEnvironment env, AuthenticationSettings settings, string authority)
{
    return options =>
    {
        options.Authority = authority;
        options.RequireHttpsMetadata = settings.RequireHttpsMetadata;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "sub",
            ValidateIssuer = true,
            ValidateAudience = false,
            ValidateLifetime = true,
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true
        };
    };
}
```
The first two schemes work but the Prod scheme doesn't. If I put the Prod scheme before the Staging scheme, Prod works and Staging doesn't.
Exceptions (if any)

Further technical details
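The configuration above lists all three schemes in the default policy, so every bearer token is handed to all three JwtBearer handlers and each one that cannot validate it emits its own `WWW-Authenticate` challenge. The example below, added here and not the reporter's code, shows the usual alternative: a policy scheme whose `ForwardDefaultSelector` reads the unvalidated `iss` claim and forwards the request to the single JwtBearer scheme registered for that issuer, so exactly one handler validates the token and at most one challenge is returned. The issuer URLs, the scheme name `MultiIssuer` and the `AuthenticationSettings` type are assumptions; the token validation parameters are the ones from the report.

```csharp
// Added example (not from the original issue): select the JwtBearer scheme
// by the token's issuer instead of trying every scheme in the policy.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class MultiIssuerAuth
{
    // Assumed name of the selector scheme that becomes the default.
    public const string SelectorScheme = "MultiIssuer";

    // Placeholder issuer -> scheme map; the issuer must equal the 'iss' value
    // the authority actually puts in its tokens (usually the authority URL).
    private static readonly Dictionary<string, string> SchemeByIssuer = new()
    {
        ["https://issuer-1.example/"] = JwtBearerDefaults.AuthenticationScheme,
        ["https://issuer-2.example/"] = "Staging",
        ["https://issuer-3.example/"] = "Prod",
    };

    public static IServiceCollection AddMultiIssuerJwt(this IServiceCollection services, bool requireHttpsMetadata)
    {
        var builder = services.AddAuthentication(SelectorScheme)
            .AddPolicyScheme(SelectorScheme, "Select JWT scheme by issuer", options =>
            {
                // Fall back to the default scheme for unreadable or unknown
                // tokens so the request still ends in a normal 401.
                options.ForwardDefaultSelector = context =>
                    SelectScheme(context.Request.Headers["Authorization"].ToString())
                    ?? JwtBearerDefaults.AuthenticationScheme;
            });

        foreach (var (issuer, scheme) in SchemeByIssuer)
        {
            builder.AddJwtBearer(scheme, options =>
            {
                options.Authority = issuer;
                options.RequireHttpsMetadata = requireHttpsMetadata;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "sub",
                    ValidIssuer = issuer,          // pin each scheme to its own issuer
                    ValidateIssuer = true,
                    ValidateAudience = false,
                    ValidateLifetime = true,
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true
                };
            });
        }

        // With the selector as default scheme the policy no longer needs to
        // enumerate the JwtBearer schemes.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
        return services;
    }

    // Reads the 'iss' claim WITHOUT validating the token; the value is used
    // only to pick a scheme. The chosen JwtBearer handler still checks the
    // signature, issuer and lifetime before anything is trusted.
    public static string? SelectScheme(string authorizationHeader)
    {
        const string prefix = "Bearer ";
        if (string.IsNullOrEmpty(authorizationHeader) ||
            !authorizationHeader.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return null;

        var rawToken = authorizationHeader.Substring(prefix.Length).Trim();
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(rawToken))       // malformed token: no match
            return null;

        var issuer = handler.ReadJwtToken(rawToken).Issuer;
        return issuer != null && SchemeByIssuer.TryGetValue(issuer, out var scheme)
            ? scheme
            : null;                                // unknown issuer: no match
    }
}
```

`SelectScheme` never trusts the token: a forged `iss` only decides which handler validates the token, and that handler rejects any signature not produced by the keys of its own authority. Because `ValidIssuer` is also pinned per scheme, a token from one authority cannot be accepted by a scheme configured for another even if the selector were bypassed.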