AzureADDefaults.JwtBearerAuthenticationScheme vs AzureADDefaults.BearerAuthenticationScheme #19226
Comments
Hello @SaebAmini ... Those are two different auth methods for different purposes ... cookie vs. JS. The topic isn't switching ... it only indicates that for the
So why is this guide using two auth schemes? It seems to be constantly talking about the JWT scheme in the text, while just one piece of code is using BearerAuthenticationScheme. Thanks for introducing me to StackOverflow! But this isn't a "general security question", it's an issue I find with your docs, which TBH on the topic of auth are notorious.
Two auth schemes because authenticating users against Azure AD uses one scheme, while the API calls to the server API (coming from MSAL/JS in the client) use the other scheme. I wouldn't characterize the topic as constantly mentioning the "JWT scheme." It mentions JWT in a few spots. I do agree that none of the reasoning for the setup/configuration is explained in detail. This doc is a 'how to' ... more of a tutorial ... than a reference topic that seeks to explain the services and API in detail. Those concepts are general security concepts for Azure AD/API as far as this topic is concerned. I will keep an eye out for feedback asking for more detail. If we get more feedback, then I'll see if I can quickly add more info. Right now, it's best to leave this topic focused on the setup/config and not get too deep into the weeds. When I remarked that you should ask general questions on support channels, I meant if you wanted to discuss security concepts generally. I apologize for the way that it's phrased. It's literally a saved reply in GitHub that we use. Discussions generate a lot of pings on this repo that distract from actionable doc issues. We have ~500 issues for over 400 topics and 100 sample apps with only four doc authors 🏃😅. Therefore, we often request and suggest the chats and SO for general discussion. It's just a stock recommendation that we make. It wasn't specific for this issue.
Rex, you know we all love you mate ❤. I've always been impressed with how you do an amazing job answering all the issues raised here so quickly and with so much helpful information. Sorry I got a bit grouchy with the canned response. I think the main reason was not that I expected to find all the information in this "how-to" or get them from you, but that the information in other places is also so fragmented and hard to find - I couldn't really find any good reference docs either. For example, do a Google search for the two auth schemes above and a search for JwtBearerAuthenticationScheme in your own Microsoft docs. Not much comes up and the only thing in Google that comes up from MS Docs is the above Blazor page. I know for you guys who are intimately familiar with all of this stuff and are in close contact with the teams that have built them, these might be obvious questions. But I'm just saying, finding specific information on auth in your docs is pretty difficult and the info is so fragmented and I know many peeps who share the same feeling. I understand the team is small and can't deal with general questions; maybe having some reference links below these "how-to" articles for people who want to find out/delve more into some of the topics could help with that?
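The two-scheme setup the reply above describes, written out as an added example (this is not code from the docs topic or from the dotnet/AspNetCore.Docs project). It assumes the Microsoft.AspNetCore.Authentication.AzureAD.UI package of ASP.NET Core 3.x, a configuration section named "AzureAd", and a policy name "ApiBearer" chosen for this example. The scheme relationship stated in the comments (BearerAuthenticationScheme is a policy scheme that forwards to the JwtBearer handler registered under JwtBearerAuthenticationScheme) is how that package registers the handlers, which is why the docs use one name when selecting the scheme and the other when configuring the handler's token validation.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Server-side Startup for a hosted app that signs users in interactively
// (OpenID Connect + cookie) AND accepts bearer tokens from the MSAL/JS client.
// Assumptions for this example: the AzureAD.UI package and an "AzureAd" config section.
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            // "AzureAD": interactive sign-in. Policy scheme forwarding to an
            // OpenID Connect handler and a cookie handler.
            .AddAzureAD(options => Configuration.Bind("AzureAd", options))
            // "AzureADBearer": API calls. Policy scheme forwarding to the JwtBearer
            // handler, which is registered under "AzureADJwtBearer".
            .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

        // Handler options must be configured under the JwtBearer handler's own
        // scheme name. Named options for "AzureADBearer" are never read by the
        // handler, so validation settings placed there would silently not apply.
        services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
        {
            // Keep issuer, audience and lifetime validation on so a token minted
            // for another app or tenant is rejected at the handler.
            options.TokenValidationParameters.ValidateIssuer = true;
            options.TokenValidationParameters.ValidateAudience = true;
            options.TokenValidationParameters.ValidateLifetime = true;
            // Tighter than the 5-minute default; a choice for this example.
            options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(1);
        });

        services.AddAuthorization(options =>
        {
            // Policy for API controllers: authenticate/challenge via the bearer
            // policy scheme, so an unauthenticated API call gets a 401 rather
            // than a redirect to the interactive sign-in page.
            options.AddPolicy("ApiBearer", policy =>
            {
                policy.AddAuthenticationSchemes(AzureADDefaults.BearerAuthenticationScheme);
                policy.RequireAuthenticatedUser();
            });
        });

        services.AddControllersWithViews();
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
            endpoints.MapRazorPages();
        });
    }
}

// API controller bound to the bearer policy. A [Authorize] on a Razor page with
// no scheme named falls back to the default "AzureAD" (cookie/OpenID) scheme.
[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "ApiBearer")]
public class ProfileController : ControllerBase
{
    [HttpGet]
    public string Get() => $"Signed in as {User.Identity?.Name}";
}
```

The point to check in a real deployment is the `Configure<JwtBearerOptions>` name: if it is changed to `AzureADDefaults.BearerAuthenticationScheme`, the app still compiles and runs, but the token validation settings are bound to options the JwtBearer handler never requests, which is an easy way to believe a hardening setting is in effect when it is not.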
Hi @guardrex ! Thank you for explaining the concepts; that sheds a bit more light for us to learn and understand. Actually I ran into the same issue and spent days to figure out how-to for my case. You replied:
Questions:
Thank you very much!!
Months later, I come across the same article and this very issue @guardrex. I know your team is shorthanded and busy, but again, I have to disagree that this is a general security question and believe you've closed it in error. This is about types in the
Followed by a line of code that then sets
... okay, what's going on? As a reader I'm confused here. See, your library also has a Let's look at the advertised auth schemes topic - well that makes perfect sense and is clear as it's using two distinct and well named schemes ( Let's search for these scheme names, but other than this very GitHub issue and code, not much else comes up. At this point the only way to understand the difference on what these really mean and how they differ is only digging in the code and that's a gap in documentation. That gap might be in ASP.NET Core land, Identity land, or just simple XML code documentation, but it's a gap. Re the explanation that one is for cookies and one for JS, I'm assuming you meant
Let me get back to you next week @SaebAmini ... As you know, .NET 5 just released. I'm still playing catch-up with some bits (the AAD groups and roles guidance for Identity v2.0/5.0). I'm fairly focused on that for the next few days into next week. I've left your issue ping in my Inbox, so I won't lose track of this. EDIT ... I just re-opened this issue. That's best.
Any updates on this issue? I also have the same question. TIA
Nothing yet outside of my original answers ☝️, which I think are correct. As I mentioned earlier, you can converse with security pros further on the usual support channels, and there are other docs in MS Security & Identity and provided by the community that may help. I'll get to this issue as soon as I can, but I'm still 🏃😅⛰️⛏️ on high priority issues.
I'll be closing this now ...
The docs mention that on the server-side, we should add authentication via
But since it's using JWT, shouldn't it be the JWT scheme instead?
The guide seems to be switching between the two schemes throughout the guide which is also a bit confusing. Are these two schemes actually interchangeable?