c# identityserver4

Is either AddAuthentication or AddAuthorization required if UseIdentityServer is present?


According to MSDN, we have that

The authentication middleware that is responsible for validating the request credentials and setting the user on the request context: app.UseAuthentication()
The IdentityServer middleware that exposes the OpenID Connect endpoints: app.UseIdentityServer()

However, checking the latter method's declaration, I see the following, which suggests to me that it's unnecessary to invoke the former.

public static IApplicationBuilder UseIdentityServer(
  this IApplicationBuilder app,
  IdentityServerMiddlewareOptions options = null)
{
    app.Validate();
    app.UseMiddleware<BaseUrlMiddleware>();
    app.ConfigureCors();
    if (options == null) options = new IdentityServerMiddlewareOptions();
    options.AuthenticationMiddleware(app);
    app.UseMiddleware<MutualTlsEndpointMiddleware>();
    app.UseMiddleware<IdentityServerMiddleware>();
    return app;
}

I see nothing about UseAuthorization, though. So my conclusion is that the general approach presented here (i.e. first authentication, then authorization) may be reformulated in my case to the following. While I can (should?) skip the second line, I can't remove the third (since I'm using e.g. the [Authorize] attribute in the project).

builder.UseIdentityServer();
//builder.UseAuthentication();
builder.UseAuthorization();

Is that correct?


Solution

  • You don't need the UseAuthentication() part, as that is already added by UseIdentityServer() under the hood, as you mentioned in the question.

    But you need to keep the UseAuthorization() part.
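
The pipeline order described in the answer, shown in context as an added example (not part of the original answer or of IdentityServer4's own code). The Startup layout, the in-memory configuration values and WhoAmIController are assumptions made for illustration.

```csharp
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Constructed, minimal in-memory configuration so the sample stands alone.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // development only
            .AddInMemoryIdentityResources(new IdentityResource[] { new IdentityResources.OpenId() })
            .AddInMemoryClients(new Client[0]);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Invokes options.AuthenticationMiddleware(app) internally (see the
        // method body quoted in the question), so no separate
        // app.UseAuthentication() call is made here.
        app.UseIdentityServer();

        // Still required: this middleware is what enforces [Authorize].
        // It has to come after the authentication step and sit between
        // UseRouting() and UseEndpoints().
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical protected endpoint used to exercise the pipeline.
[ApiController]
[Route("whoami")]
public class WhoAmIController : ControllerBase
{
    [HttpGet]
    [Authorize]
    public IActionResult Get() => Ok(new { name = User.Identity.Name });
}
```

With endpoint routing, leaving out UseAuthorization() does not silently expose the endpoint: a request to an action carrying [Authorize] fails with an InvalidOperationException stating that no authorization middleware was found.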