# Change the ClaimsIdentity.AuthenticationType in ASP.NET Core with multiple Entra ID schemes.

### Introduction

When building modern web applications, security is always a top priority. In ASP.NET Core, authentication is a key part of ensuring that only authorized users can access specific parts of your application. You may often need to support multiple authentication schemes, such as different Azure Entra ID (formerly Azure AD) configurations, within the same application.

One challenge when using multiple authentication schemes is identifying which scheme authenticated a user. This is where the [`ClaimsIdentity.AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype?view=net-8.0) property comes into play. Setting this property correctly can help you easily determine the authentication source for a user.

### Understanding `HttpContext.User`

In ASP.NET Core, the `HttpContext.User` property represents the current authenticated user. This user is represented by a `ClaimsPrincipal` object, which contains one or more [`ClaimsIdentity`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity?view=net-8.0) objects. Each [`ClaimsIdentity`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity?view=net-8.0) represents a specific identity associated with the user, such as a name, roles, and other claims.

By default, the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype?view=net-8.0) is set to `"AuthenticationTypes.Federation"`. However, when working with multiple authentication schemes, you might want to know exactly which authentication scheme was used to create a particular [`ClaimsIdentity`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity?view=net-8.0). This is where setting a custom [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype) can be very useful.

For example, let’s say you want to retrieve the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype) of the currently authenticated user to determine how they were authenticated:

```csharp
public IActionResult GetAuthenticationType()
{
    var identity = HttpContext.User.Identity as ClaimsIdentity;

    if (identity != null)
    {
        string authenticationType = identity.AuthenticationType;
        return Ok($"User authenticated using: {authenticationType}");
    }

    return BadRequest("No identity found.");
}
```

This example demonstrates how you can access the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype) in your controller to gain insights into the user's authentication method.

### The Problem with Multiple Authentication Schemes

When you have multiple authentication schemes, such as two different configurations for Azure Entra ID, it's not always clear which scheme authenticated the user. Without setting the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype), you may not be able to distinguish between the identities created by different schemes. This can be problematic in scenarios where your application's logic depends on the authentication source.

### Setting the `AuthenticationType`

To set the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype) in ASP.NET Core, you need to configure it in the [`TokenValidationParameters`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters) when setting up your authentication schemes. The [`TokenValidationParameters.AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters.authenticationtype) property allows you to specify a unique identifier for the authentication scheme, which is then assigned to the [`ClaimsIdentity.AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype).

For example, let's say you have two Azure Entra ID configurations: one for internal users and another for external partners. You can set up your authentication schemes as follows:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Internal users authentication scheme
    services.AddAuthentication("InternalScheme")
        .AddMicrosoftIdentityWebApi(options =>
        {
            options.Instance = "https://login.microsoftonline.com/";
            options.Domain = "internaldomain.com";
            options.ClientId = "your-client-id";
            options.TenantId = "your-tenant-id";

            // Set the AuthenticationType for the internal scheme
            options.TokenValidationParameters.AuthenticationType = "Internal";
        });

    // External partners authentication scheme
    services.AddAuthentication("ExternalScheme")
        .AddMicrosoftIdentityWebApi(options =>
        {
            options.Instance = "https://login.microsoftonline.com/";
            options.Domain = "externaldomain.com";
            options.ClientId = "your-client-id";
            options.TenantId = "your-tenant-id";

            // Set the AuthenticationType for the external scheme
            options.TokenValidationParameters.AuthenticationType = "External";
        });
}
```

### Retrieving the `AuthenticationType`

Now that you've configured the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.authenticationtype) for each scheme, you can retrieve it later in your code to determine which scheme authenticated the user:

```csharp
public IActionResult GetUserIdentity()
{
    var identity = HttpContext.User.Identity as ClaimsIdentity;

    if (identity != null)
    {
        string authenticationType = identity.AuthenticationType;
        return Ok($"User authenticated using: {authenticationType}");
    }

    return BadRequest("No identity found.");
}
```

### Conclusion

By setting the [`AuthenticationType`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters.authenticationtype) in the [`TokenValidationParameters`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters), you can clearly distinguish between different authentication schemes in ASP.NET Core. This approach is especially useful when your application needs to support multiple authentication sources, such as different Azure Entra ID configurations. With this setup, you'll be able to write more precise and secure authentication logic in your application.
