Last post Jun 01, 2020 07:12 AM by Brando ZWZ
May 28, 2020 09:04 AM|rick1c|LINK
I am writing an ASP.NET Core Web App which has 2 authentication schemes. One is a simple cookie-based scheme, the other uses OAuth. The OAuth authentication scheme is only used to log onto a government web site and make API calls. The app has a database and when I save records I want to save the CreatedBy and ModifiedBy using the username from the Cookie authentication scheme.
When I log in using the Cookie authentication, the User.Identity and User.Identities are set as expected with the identity of the cookie authentication. However, if I then access a page which requires authentication by the OAuth authentication scheme, then I can no longer get the username from the cookie-based authentication. It doesn't appear in User.Identity or User.Identities.
Authentication is set up as follows:
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "OAuthTest";
    })
    // Cookie scheme registration; this call is not shown in the post.
    .AddCookie()
    .AddOAuth("OAuthTest", options =>
    {
        options.ClientId = Configuration["HMRC:ClientId"];
        options.ClientSecret = Configuration["HMRC:ClientSecret"];
        options.CallbackPath = new PathString("/account/auth-redirect");
        options.AuthorizationEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/authorize";
        options.TokenEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/token";
        options.SaveTokens = true;
        options.Events = new OAuthEvents
        {
            OnCreatingTicket = async context =>
            {
                var claims = new List<Claim>
                {
                    new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString())
                };
                var identity = new ClaimsIdentity(claims, "OAuthTest", ClaimTypes.NameIdentifier, null);
                // The rest of the handler is not shown in the post.
            }
        };
    });
I have added this Authorize attribute to a page which requires the cookie-based authentication:
[Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
and this Authorize attribute to the page which requires OAuth authentication:
[Authorize(AuthenticationSchemes = "OAuthTest")]
I have pushed a cut-down version of the application to GitHub. This just has 2 pages, one authorised by each authentication scheme. The SignIn button automatically logs into the Cookie Authentication scheme. Both pages display the data contained in User.Identity and User.Identities.
May 29, 2020 07:22 AM|Brando ZWZ|LINK
As far as I know, if the user accesses a page which requires authentication by the OAuth authentication scheme, it will set the user claims from the OAuth scheme, not the cookie auth scheme. This is the reason why you couldn't get the username from the cookie-based authentication. They have been reset.
May 30, 2020 08:42 AM|rick1c|LINK
Thanks for the response.
I just assumed that the Identities collection would contain all of the logged-in Identities. If you subsequently access a page that requires the cookie authentication, the Identity and Identities remain with the OAuth authentication.
I need to come up with another way of storing the user name from the cookie authentication.
Surely this is not unusual. I also want to display the logged in user name on the page, but at the moment it is lost.
Anybody any ideas on best practice?
Jun 01, 2020 07:12 AM|Brando ZWZ|LINK
In my opinion, you could use a cookie to store the OAuth user name and the cookie auth user name. Then you could get the last logged-in cookie auth username or OAuth username.
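Added example, not part of the thread and not the poster's code: one way to keep both logins is to give the OAuth handler its own sign-in cookie (a remote handler signs its result into `SignInScheme`, which falls back to `DefaultSignInScheme`) and to ask each scheme explicitly with `HttpContext.AuthenticateAsync`. It assumes a .NET 6+ web project with implicit usings; the `OAuthCookie` scheme name and the `/whoami` route are hypothetical, and the app's own cookie sign-in page is assumed to exist elsewhere.

```csharp
// Added example. "OAuthCookie" and "/whoami" are hypothetical names.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OAuth;

var builder = WebApplication.CreateBuilder(args);
const string AppCookie = CookieAuthenticationDefaults.AuthenticationScheme;

builder.Services.AddAuthentication(AppCookie)
    .AddCookie(AppCookie)          // holds the app's own login (the username)
    .AddCookie("OAuthCookie")      // holds only the HMRC OAuth session
    .AddOAuth("OAuthTest", options =>
    {
        // Keep the OAuth result out of the app cookie so it is not overwritten.
        options.SignInScheme = "OAuthCookie";
        options.ClientId = builder.Configuration["HMRC:ClientId"]!;
        options.ClientSecret = builder.Configuration["HMRC:ClientSecret"]!;
        options.CallbackPath = "/account/auth-redirect";
        options.AuthorizationEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/authorize";
        options.TokenEndpoint = "https://test-api.service.hmrc.gov.uk/oauth/token";
        options.SaveTokens = true;
        options.Events = new OAuthEvents
        {
            OnCreatingTicket = context =>
            {
                // Tag the OAuth identity with a generated id, as in the post.
                context.Identity!.AddClaim(
                    new Claim(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()));
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Query each scheme by name instead of relying on whichever one filled HttpContext.User.
app.MapGet("/whoami", async (HttpContext http) =>
{
    var appLogin = await http.AuthenticateAsync(AppCookie);
    var oauth = await http.AuthenticateAsync("OAuthTest");
    // AppUser is the value to record as CreatedBy / ModifiedBy.
    var appUser = appLogin.Succeeded ? appLogin.Principal!.Identity?.Name : null;
    return Results.Ok(new { AppUser = appUser, HmrcLinked = oauth.Succeeded });
});
app.Run();
```

The same `AuthenticateAsync(AppCookie)` call works inside a page that is decorated with `[Authorize(AuthenticationSchemes = "OAuthTest")]`, where `User` carries only the OAuth identity.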