Dynamic Authentication Based on Resource

[justinhelgerson]

I've been really struggling to find a good path forward on a security requirement we're working on solving. At a high level, we want to route users to different authentication providers depending on how the customer resource is configured. In some cases we want to use Open Id Connect (a single provider--not a dynamic OIDC provider), cookie authentication or allow anonymous access.

Initially I thought the IAuthenticationSchemeProvider might be our ticket, but quickly realized that wouldn't be useful because it's a singleton and we're unable to inject a database context to determine our authentication provider.

Right now it looks like our only door might be to create a custom AuthorizeAttribute which determines if someone is authenticated & authorized to access the resource, and if not send set the right ChallengeResult. However, between statements from folks on the ASP.NET Core team and the lack of documentation, it clearly feels like that's not a strongly recommended approach. But after staring at GitHub issues and the docs for multiple days, I'm failing to see a more appropriate way of supporting this use-case.

I'd appreciate any guidance on building a mechanism which can support different authentication providers (or bypass, in the case of allowing anonymous access) based on the different resources being accessed.

[Tratcher]

That's handled by authorization policies, which can specify an authentication scheme. You do not need a custom AuthorizeAttribute, you use the standard one and specify an authorization policy name.
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1