Multiple Auth Servers with .net core 3.1

We are trying to configure 2 different Authorization Servers for one API application. However when we use the “Okta.AspNetCore” nuget package and try to register each Authorization Server we receive the following error: “Scheme already exists: Bearer”. We believe this is because we can’t name the scheme. Is there a way to configure 2 different Authorization Servers in .net core? Below is a code example of what I’m doing in the Startup.cs configuration.

services.AddAuthentication(options => {
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
.AddOktaWebApi(new OktaWebApiOptions { OktaDomain = "{oktaConfig.Domain}", Audience = “{oktaConfig.Audience}”, AuthorizationServerId = "{oktaConfig.AuthorizationServerId}" }) .AddOktaWebApi(new OktaWebApiOptions /*Not sure how to change the scheme name here from bearer*/ { OktaDomain = “{oktaConfig.Domain}”,
Audience = "{oktaConfig.MobileAudience}", AuthorizationServerId = “{oktaConfig.MobileAuthorizationServerId}” });
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(“Bearer”)
.Build();
options.AddPolicy(“UpdatedPolicy”,
policy =>
{
policy.RequireAuthenticatedUser()
.AddAuthenticationSchemes(“Bearer”) /should we be able to reference a different scheme name here?/
.Build();
});
});

Hi,

we went with that approach which works quite well:

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-5.0#use-multiple-authentication-schemes

           services
            .AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(AuthenticationSchemes.PrismIdentity, options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = Configuration["OIDC:Identity1:Issuer"],
                    ValidateIssuer = true,
                    RequireAudience = true,
                    ValidAudience = Configuration["OIDC:Identity1:Audience"],
                    ValidateAudience = true,
                    ClockSkew = TimeSpan.FromMinutes(5),
                    RequireSignedTokens = true,
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true
                };
                options.MetadataAddress = Configuration["OIDC:Identity1:MetadataUrl"];
                options.RefreshOnIssuerKeyNotFound = true;
                options.RequireHttpsMetadata = true;
                options.Validate(); // throws on failure
            })
            .AddJwtBearer(AuthenticationSchemes.CkoIdentity, options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = Configuration["OIDC:Identity2:Issuer"],
                    ValidateIssuer = true,
                    ValidAudience = Configuration["OIDC:Identity2:Audience"],
                    RequireAudience = true,
                    ValidateAudience = true,
                    ClockSkew = TimeSpan.FromMinutes(5),
                    RequireSignedTokens = true,
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true
                };
                options.MetadataAddress = Configuration["OIDC:Identity2:MetadataUrl"];
                options.RefreshOnIssuerKeyNotFound = false;
                options.RequireHttpsMetadata = true;
                options.Validate(); // throws on failure
            });

Hope this helps