c# authentication asp.net-web-api owin katana

How to compose multiple authentication handlers in Katana?


I want to create a web API service which exposes a resource that can be accessed using either a client certificate OR a JWT token for authentication.

I found some middleware that validates a client certificate and some nice instructions on how to create your own authentication middleware. Microsoft has middleware, OAuthBearerAuthenticationMiddleware, that validates JWT tokens. Obviously I can't just install them both, as the first middleware will terminate the pipeline when authentication fails.

So I thought I would create a composite authentication middleware class that owns two AuthenticationHandler objects and would call AuthenticateAsync() for the handlers from its AuthenticateCoreAsync() until one returns a valid AuthenticationTicket. The problem is that the CreateHandler methods in the AuthenticationMiddleware class are protected, so I can't seem to compose these objects.

I cannot instantiate the OAuthBearerAuthenticationHandler class myself as it is internal.

How can I re-use these existing middleware components to enable both types of authentication without copying the code into my own handler?

Or am I going about this the wrong way and is there another way of having two authentication methods on the same web API service?


Solution

  • It is actually not true that authentication middleware terminates the pipeline when authentication fails. It is designed to be composable.

    Every middleware can contribute zero or one identity which becomes a ClaimsPrincipal in the end.
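The composition described in the answer, as an added example that is not part of the original post or of the Katana code base: a client-certificate handler that returns no ticket when it cannot authenticate, registered next to the bearer middleware. The `ClientCert*` types and the `"ClientCertificate"` authentication type are hypothetical names; the bearer options are left at their defaults and would need the application's own token validation settings.

```csharp
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical options type; Active mode adds the identity to the request principal.
public class ClientCertOptions : AuthenticationOptions
{
    public ClientCertOptions() : base("ClientCertificate") { AuthenticationMode = AuthenticationMode.Active; }
}

public class ClientCertHandler : AuthenticationHandler<ClientCertOptions>
{
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        // "ssl.ClientCertificate" is the OWIN environment key for the TLS client certificate.
        var raw = Context.Get<X509Certificate>("ssl.ClientCertificate");
        // No certificate: contribute no identity and let the next middleware try.
        if (raw == null) return Task.FromResult<AuthenticationTicket>(null);
        var cert = new X509Certificate2(raw);
        // Reject certificates that do not build a valid chain under the default policy.
        if (!new X509Chain().Build(cert)) return Task.FromResult<AuthenticationTicket>(null);
        // A valid chain only proves who issued the certificate; authorization
        // (for example an allow-list of thumbprints) is still the application's job.
        var identity = new ClaimsIdentity(Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint));
        identity.AddClaim(new Claim(ClaimTypes.Name, cert.Subject));
        return Task.FromResult(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}

public class ClientCertMiddleware : AuthenticationMiddleware<ClientCertOptions>
{
    public ClientCertMiddleware(OwinMiddleware next, ClientCertOptions options) : base(next, options) { }
    protected override AuthenticationHandler<ClientCertOptions> CreateHandler() { return new ClientCertHandler(); }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Both run on every request; each contributes zero or one identity.
        app.Use<ClientCertMiddleware>(new ClientCertOptions());
        // Set AccessTokenFormat/Provider here for the tokens your issuer produces.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        // Web API registration follows; [Authorize] passes if either identity is authenticated.
    }
}
```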