Multiple authentication schemes do not work on Azure (app fails to start)

Jörg Auberg 20 Reputation points
2023-01-20T12:55:41.74+00:00

I try to work with two app registrations that uses one app service.

appsettings.json

"AzureAdInternal": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "demo.example.com",
    "TenantId": "tenantId",
    "ClientId": "clientId",
    "ClientSecret": "clientSecret",
    "CallbackPath": "/signin-oidc"
  },
  "AzureAdExternal": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "demo.example.com",
    "TenantId": "tenantId",
    "ClientId": "clientId",
    "ClientSecret": "clientSecret",
    "CallbackPath": "/signin-oidc"
	}

Program.cs

// Multiple authentication (internal/external)
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(Configuration.AzureActiveDirectoryInternalIdentifier), 
    OpenIdConnectDefaults.AuthenticationScheme)
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection(Configuration.MicrosoftGraphIdentifier))
            .AddInMemoryTokenCaches();

builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(Configuration.AzureActiveDirectoryExternalIdentifier),
    "AzureAD", "cookiesAzureAD")
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection(Configuration.MicrosoftGraphIdentifier))
            .AddInMemoryTokenCaches();

Locally, it works, but during the publishing process in VS2022 the app fails to start.

Unhandled exception. System.InvalidOperationException: Scheme already exists: AppServicesAuthentication
   at Microsoft.AspNetCore.Authentication.AuthenticationOptions.AddScheme(String name, Action`1 configureBuilder)
   at Microsoft.AspNetCore.Authentication.AuthenticationBuilder.<>c__DisplayClass4_0`2.
ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,678 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,038 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. JasonPan - MSFT 5,991 Reputation points Microsoft Vendor
    2023-01-25T07:01:23.0233333+00:00

    Hi @Jörg Auberg,

    It seems that you have a misunderstanding about the multi-tenant app.

    When we create an app in App Registrations, we are already asked to choose whether the type of app is single-tenant or multi-tenant.

    So in the appsetting.json code, we only need to configure the configuration of an AzureAd. TenantId needs to be modified to common.

    Up to now, not all users of the organization can log in, and the administrator of the other tenant needs to authorize it, please refer to the following document.

    Grant tenant-wide admin consent to an application


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,

    Jason


  2. Ryan Hill 29,291 Reputation points Microsoft Employee
    2023-02-18T05:52:00.5766667+00:00

    @Jörg Auberg

    I dug a little deeper into this and it seems like you're doing something very similar to https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes. So, when reviewing the error message you're getting, an AppServicesAuthentication scheme is being added. I was able to find that being used as a constant in AppServicesAuthenticationDefaults. It depends on when you're getting the exception, but I'm willing to bet your second call to builder.Services.AddAuthentication() is attempting to add the scheme with that default name.

    To fix, you can either add different scheme name, or determine where that scheme name is being added to the services collection.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.