ASP.NET Core JWT with Custom Authentication Type

Question

Is there a way to configure the authentication type for the HTTP Authorization header? For example: "Token" instead of "Bearer"?

Consider the following extension method which activates authentication and configures JWT with a custom scheme called "Token":

let jwtScheme = "Token" 

type IServiceCollection with
    member this.AddJwtAuthentication (JwtSecret jwtSecret : JwtSecret) =                 
        this.AddAuthentication(jwtScheme)            
            .AddJwtBearer(jwtScheme, jwtScheme, fun jwt ->                  
                jwt.RequireHttpsMetadata <- false
                jwt.SaveToken <- true 
                                    
                let key = Encoding.ASCII.GetBytes jwtSecret
                let validationParams = TokenValidationParameters()             
                    
                validationParams.IssuerSigningKey <- SymmetricSecurityKey(key)
                validationParams.ValidateIssuerSigningKey <- true
                validationParams.ValidateIssuer <- false
                validationParams.ValidateAudience <- false
                    
                jwt.TokenValidationParameters <- validationParams)                
            |> ignore
        this

This request (with Bearer auth type) is processed successfully:

GET /user HTTP/1.1
Host: https://localhost:5001/api
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zaWQiOiIxIiwibmFtZWlkIjoicGltIiwibmJmIjoxNTk0NzUxMTA1LCJleHAiOjE1OTUzNTU5MDUsImlhdCI6MTU5NDc1MTEwNX0.G3P7JR97rKG9ckX9UD0kHtZ8sNWOKYsJDrFY5bz3RqE

This request (with Token auth type) is NOT processed successfully:

GET /user HTTP/1.1
Host: https://localhost:5001/api
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Authorization: Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zaWQiOiIxIiwibmFtZWlkIjoicGltIiwibmJmIjoxNTk0NzUxMTA1LCJleHAiOjE1OTUzNTU5MDUsImlhdCI6MTU5NDc1MTEwNX0.G3P7JR97rKG9ckX9UD0kHtZ8sNWOKYsJDrFY5bz3RqE

pim pim · Accepted Answer · 2020-07-14T19:18:09

The solution was to plug in to the JwtBearerEvents and strip the Token prefix if it was present:

this.AddAuthentication(jwtScheme)               
    .AddJwtBearer(jwtScheme, fun jwt ->                                  
        let events = JwtBearerEvents()
        
        events.OnMessageReceived <- (fun ctx ->
            let authHeader = ctx.HttpContext.Request.Headers.["Authorization"].ToArray()
            match Array.tryHead authHeader with
            | None   -> ()
            | Some header -> 
                match header.StartsWith("Token ", StringComparison.OrdinalIgnoreCase) with
                | false -> ()
                | true  ->
                    ctx.Token <- header.Substring("Token ".Length).Trim()

            Task.CompletedTask)

        jwt.Events <- events

        // Rest of options ...)                
    |> ignore

ASP.NET Core JWT with Custom Authentication Type

1 Answers