Adding or Changing AzureAD information runtime

[AnkHansen]

Hi

We are extending our existing API to support authenticating with a Azure AD token.

Our customers will/must be able to configure options on their site, and supply TenantId and ClientId and enable/disable AzureAD integration when their users login in to our system.

Once authenticated with Azure token we still use our own JWT tokens as accesstokens, that contain a mapping to the user in our system and the rights granted to them.

The API's run one instance per customer.

So I need to support both the existing JWTBearer authentication and Azurea AD Authentication.

I have it working using Microsoft.Identity.Web and calling AddMicrosoftIdentityWebApi during startup supplying TenantId ,ClientId and Instance from our options. And are in control of how I enable/disable Azure AD as long as the options are set BEFORE the API starts.

My problem is to figure out how (if possible) I can call AddMicrosoftIdentityWebApi on the AuthenticationBuilder in the following scenario.

1. The customer has their site running as it is today, with only our own JWT based authentication, using username/password stored in our system.
2. The customer then changes options, adds TenantId and ClientId and enables AzureAD integration.
3. Now - the API Authentication settings should be updated to add MS Identity handler with the correct TenantId and ClientId.

It's not a very good solution that the API has to be shut down and restarted before the settings take effect.

Ideally, I would call "something" after our Options has been saved, and reconfigure the AuthenticationBuilder from scratch to ensure the current "instance" runs with the correct setup.

My current setup of the Authentication builder is pasted below, which works when API is restarted if Options change.

I hope someone can shine some light on what is possible in a scenario like this.

1. Either we run just with our JWT bearer
2. Or we run with both our JWT bearer and AzureAD bearer
3. Runtime changes in options will switch if we have Azure information in options and will enable/disable AzureAD

/Anders

var adInfo = ourOptions.GetAzureADInformation();
const string ourSchemeSelector = "OurWebApi";
const string azureAdSchemeSelector = "AzureAD";

var authBuilder = services
    .AddAuthentication(options => options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme)
    .AddPolicyScheme(JwtBearerDefaults.AuthenticationScheme, "Selector",
        options =>
        {
            options.ForwardDefaultSelector = context =>
            {
                StringValues authHeaders;
                if(adInfo.UseAzureAD && context.Request.Headers.TryGetValue(HeaderNames.Authorization, out authHeaders))
                {
                    foreach (var header in authHeaders)
                    {
                        if (header.Length > JwtBearerDefaults.AuthenticationScheme.Length +1)
                        {
                            var encodedToken = header.Substring(JwtBearerDefaults.AuthenticationScheme.Length + 1);
                            var jwtHandler = new JwtSecurityTokenHandler();
                            var decodedToken = jwtHandler.ReadJwtToken(encodedToken);

                            if (decodedToken?.Issuer == JwtSettings.Instance.Issuer)
                            {
                                return ourSchemeSelector;
                            }
                            else
                            {
                                return azureAdSchemeSelector;
                            }
                        }
                    }
                }

                return ourSchemeSelector;
            };
        })
    .AddJwtBearer(ourSchemeSelector, options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = JwtSettings.Instance.Issuer,

            ValidateAudience = true,
            ValidAudience = JwtSettings.Instance.Audience,

            ValidateIssuerSigningKey = true,
            IssuerSigningKey = JwtSettings.Instance.SecurityKey,

            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero
        };
    });

    if (adInfo.UseAzureAD)
    {
        authBuilder.AddMicrosoftIdentityWebApi(jwtBearerOptions =>
            {
                jwtBearerOptions.TokenValidationParameters.NameClaimType = "name";
            },
            msIdentityOptions =>
            {
                msIdentityOptions.TenantId = adInfo.TenantId;
                msIdentityOptions.ClientId = adInfo.ClientId;
                msIdentityOptions.Instance = "https://login.microsoftonline.com/";
            },
            azureAdSchemeSelector);
    }

[AnkHansen]

Been investigating a bit - but still stuck.

I've come so far that I figured that if I inejct IOptions into my controller endpoint - I can see/investigate the Authentication schemes as AuthenticationSchemeBuilders.

All I need to now is just replace or add the "AzureAD" configured scheme.

But I have failed to find a way to get help from the Microsoft.Identity.Web framework to build a scheme unless I have the IServiceCollection to start from - which I only have during startup.

So cant call AddMicrosoftIdentityWebApi and cant seem to find another extension method that can solve it for me.

Any suggestions?

[AnkHansen]

The AuthenticationOptions.AddScheme(..) gives me a AuthenticationSchemeBuilder - not an AuthenticationBuilder like AddMicrosoftIdentityWebApi is extension method on.

[AnkHansen]

According to my understanding the AuthenticationBuilder is intended to be used during setup in the ConfigureServices step.

Is it real that there is no way to reconfigure these settings runtime? There must be other service where the end-user enters the application and clientid for their Azure AD - and then the API needs to reconfigure.

Have searched high and low, asked ChatGPT, but can't seem to figure out how.

Shipping first version tomorrow - and will live with the requirement of a the restart - just seems odd reconfiguring isn't a feature. (or that I can't figure out how to look it up)

[jmprieur]

@AnkHansen
The IOptions are not meant to be updated once the service provider (dependency injection is done).

Did you try the ASP.NET Core hot reload feature? (dotnet watch). I would think you could change the configuration and this would hot-reload the app (But I'm not too sure it's the case)

[AnkHansen]

@jmprieur
Thanks for the reply.
That was my conclusion as well, but thanks for clarifying.

Our API's (one per customer) are hosted in IIS and does not run with dotnet watch in production.

I will look into more or less automated restarts for now. First version shipped today will be with manual restart or waiting in IIS automatic recycling/idle timeout.