I have two .NET 5 projects:
- A WebAPI that provides data to a Xamarin mobile app (with Auth0 Xamarin libs)
- A Blazor server-side project for admin management of the data that feeds the WebAPI
I successfully wired up each of these projects with Auth0 and three identity providers (Facebook, Google, Twitter). I can successfully login/logout of my mobile app with Auth0, and I can successfully login/logout of the Blazor app. I have also successfully wired up role-based-auth for each; I have my Blazor pages decorated with the role-based [Authorize(Roles = "MyCustomRole")] annotation, and the pages properly allow only users with the correct role to access them. I have not yet added role-based auth annotations to my WebAPI controllers and methods, but I can see the roles represented in the decoded JWT, so I know that roles are present in the ClaimsPrincipal (user). The WebAPI app uses JWT. The Blazor app uses cookie-based session auth. I was able to get both of these working by following Auth0 how-to articles.
I decided to combine these two separate projects into a single .NET project, primarily so that I can host a single web application instead of two. I accomplished this combination of projects successfully; the Blazor app and the WebAPI now run in the same host instance.
However…I can’t seem to get the app to use both JWT and cookies. I’m not sure, but it seems like it may be because I have to specify DefaultAuthenticateScheme, DefaultSignInScheme, and DefaultChallengeScheme as either cookie-based or JWT-based; and I can’t specify both:
    services
        .AddAuthentication(
            options => {
                // I believe this may be where the problem is: I can't specify both cookie auth AND JWT auth; it has to be one or the other.
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
If I set these options using CookieAuthenticationDefaults.AuthenticationScheme, then role-based auth works properly in the Blazor app, but the ClaimsPrincipal in my WebAPI app contains an empty Claims collection.
If I set these options using JwtBearerDefaults.AuthenticationScheme, then role-based auth stops working in the Blazor app, but in the WebAPI project I see the Claims collection property contains items, one of which has the expected role values.
Am I correct in my assessment that I can’t specify both cookie-based auth and JWT-based auth in the same hosted application? Will I be forced to keep the projects separate and run them in separate host instances so that I can specify different auth types for each?
Here’s a gist of my Startup.cs:
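
Added example, not the poster's gist or code from the original post: one way ASP.NET Core lets cookie and JWT bearer handlers coexist in a single host, by making the default a forwarding policy scheme and pinning API controllers to the bearer scheme. The scheme name CookieOrJwt, the DataController class and the Authority/Audience values are hypothetical placeholders; the OpenID Connect handler, role-claim mapping and the UseAuthentication/UseAuthorization middleware from the existing setup are assumed unchanged and are omitted.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical name for the forwarding (policy) scheme.
    private const string CookieOrJwt = "CookieOrJwt";

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(options =>
            {
                // The default is neither cookie nor JWT: it is a selector that forwards per request.
                options.DefaultScheme = CookieOrJwt;
                options.DefaultChallengeScheme = CookieOrJwt;
                // Interactive sign-in always issues the session cookie.
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddPolicyScheme(CookieOrJwt, "Cookie or JWT", options =>
            {
                options.ForwardDefaultSelector = context =>
                {
                    // Requests carrying a bearer token go to the JWT handler; everything else uses the cookie.
                    string header = context.Request.Headers["Authorization"];
                    return header != null && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
                        ? JwtBearerDefaults.AuthenticationScheme
                        : CookieAuthenticationDefaults.AuthenticationScheme;
                };
            })
            .AddCookie()
            .AddJwtBearer(options =>
            {
                options.Authority = "https://YOUR_TENANT.example/"; // placeholder issuer
                options.Audience = "https://api.example/";          // placeholder API identifier
            });
        services.AddControllers();
    }
}

// Pinning the scheme here means a browser session cookie alone never authorizes an API call.
[ApiController]
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class DataController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(User.Identity?.Name);
}
```

Keeping the API controllers bearer-only matters when both handlers share a host: cookie-authenticated endpoints are reachable by cross-site requests from a logged-in browser, while an Authorization header must be attached deliberately by the caller.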