IdentityServer4 + Web Api + Spa together in one project

Question

I'm having a hard time trying to build a single project where all those things play nicely together.

• Spa
  • StaticFiles
• Web API (MVC)
  • Swagger (Swashbuckle)
• IdentityServer4
  • IdentityServer4.AspNetIdentity
  • IdentityServer4.EntityFramework
  • Social Logins

I've started with the IdentityServer4.Samples\Quickstart6_AspNetIdentity code an integrated nuget after nuget.

            // spa
            app.UseDefaultFiles();
            app.UseStaticFiles();

            app.UseCors("any");

            // api
            app.Map(new PathString("/api"), map =>
            {
                map.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
                {
                    Authority = PublicHostUri,
                    ScopeName = ScopeName,
                    ScopeSecret = "secret",

                    RequireHttpsMetadata = PublicHostUri.ToLower().StartsWith("https"),
                    SaveToken = true,
                    EnableCaching = true
                });

                map.UseMvc();

            });
                // sts
                JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

                app.UseIdentity();
                app.UseIdentityServer();

                // Add external authentication middleware below. To configure them please see http://go.microsoft.com/fwlink/?LinkID=532715
                app.UseCookieAuthentication(new CookieAuthenticationOptions
                {
                    AuthenticationScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,

                    AutomaticAuthenticate = false,
                    AutomaticChallenge = false
                });

                app.UseTwitterAuthentication(new TwitterOptions
                {
                    ConsumerKey = "6XaCTaLbMqfj6ww3zvZ5g",
                    ConsumerSecret = "Il2eFzGIrYhz6BWjYhVXBPQSfZuS4xoHpSSyD9PI"
                });

                app.UseGoogleAuthentication(new GoogleOptions
                {
                    AuthenticationScheme = "Google",
                    DisplayName = "Google",
                    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,

                    ClientId = "434483408261-55tc8n0cs4ff1fe21ea8df2o443v2iuc.apps.googleusercontent.com",
                    ClientSecret = "3gcoTrEDPPJ0ukn_aYYT6PWo"
                });                          

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });           

            app.UseSwagger();
            app.UseSwaggerUi();

I'm struggling to isolate the Web API part in such a way that the bearer AuthenticationScheme is the only Authentication thats active in the /api pipeline.

Right now all of the added AuthenticationSchemes like Cookies, Google, Twitter, OIDC, Bearer are used for the /api Route.

What do I miss? Why does /api not only uses the UseIdentityServerAuthentication aka bearer token scheme?

Update: I've shared the working proof of concept code here https://github.com/ChrisRichner/CoreWebApp.Quickstart

Answer 1

You can't use Map to branch app. It is only for specified path. Try to use MapWhen:

        // api
        app.MapWhen(context => context.Request.Path.Value.StartsWith("/api"), builder=>
        {
            builder.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
            {
                Authority = PublicHostUri,
                ScopeName = ScopeName,
                ScopeSecret = "secret",

                RequireHttpsMetadata = PublicHostUri.ToLower().StartsWith("https"),
                SaveToken = true,
                EnableCaching = true
            });

            builder.UseMvc();

        });