Hi,
we went with the following approach, which works quite well:
// Two JWT bearer schemes, one per identity provider, sharing one validation policy.
// NOTE(review): DefaultAuthenticateScheme/DefaultChallengeScheme are set to
// JwtBearerDefaults.AuthenticationScheme ("Bearer"), while the handlers below are
// registered under AuthenticationSchemes.PrismIdentity and AuthenticationSchemes.CkoIdentity.
// Unless one of those constants equals "Bearer", an [Authorize] without an explicit
// scheme resolves to a scheme that has no registered handler — confirm the constants.
// DefaultSignInScheme has no effect here: JwtBearerHandler does not implement sign-in.
void ConfigureBearerScheme(
    JwtBearerOptions options,
    string? issuer,
    string? audience,
    string? metadataAddress,
    bool refreshOnIssuerKeyNotFound)
{
    // Strict validation: issuer, audience, expiry and signature are all mandatory,
    // with a 5-minute skew allowance for clock drift between provider and API.
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = issuer,
        RequireAudience = true,
        ValidateAudience = true,
        ValidAudience = audience,
        RequireExpirationTime = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes(5),
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
    };

    // MetadataAddress is the provider's discovery document; RequireHttpsMetadata
    // refuses to fetch it over plain HTTP.
    options.MetadataAddress = metadataAddress;
    options.RequireHttpsMetadata = true;
    options.RefreshOnIssuerKeyNotFound = refreshOnIssuerKeyNotFound;

    options.Validate(); // throws on failure
}

services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    // Identity provider 1: RefreshOnIssuerKeyNotFound is enabled for this scheme.
    .AddJwtBearer(AuthenticationSchemes.PrismIdentity, options => ConfigureBearerScheme(
        options,
        issuer: Configuration["OIDC:Identity1:Issuer"],
        audience: Configuration["OIDC:Identity1:Audience"],
        metadataAddress: Configuration["OIDC:Identity1:MetadataUrl"],
        refreshOnIssuerKeyNotFound: true))
    // Identity provider 2: RefreshOnIssuerKeyNotFound is disabled for this scheme
    // (presumably deliberate — the two providers differ only in this setting).
    .AddJwtBearer(AuthenticationSchemes.CkoIdentity, options => ConfigureBearerScheme(
        options,
        issuer: Configuration["OIDC:Identity2:Issuer"],
        audience: Configuration["OIDC:Identity2:Audience"],
        metadataAddress: Configuration["OIDC:Identity2:MetadataUrl"],
        refreshOnIssuerKeyNotFound: false));
Hope this helps