如何将Windows身份验证和JWT与.Net Core 2.1结合使用


我尝试将Windows身份验证和JWT与.NET Core 2.1一起使用.

I have tried to use the windows authentication and JWT together with .NET Core 2.1.


I have following startup settings of the authentication:

services.AddAuthentication(options =>
                    options.DefaultAuthenticateScheme = IISDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
                options.TokenValidationParameters = new TokenValidationParameters
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,

                    ValidIssuer = "Test",
                    ValidAudience = "Test",
                    IssuerSigningKey = JwtSecurityKey.Create("677efa87-aa4d-42d6-adc8-9f866e5f75f7")

                options.Events = new JwtBearerEvents()
                    OnAuthenticationFailed = OnAuthenticationFailed


"iisSettings": {
    "windowsAuthentication": true, 
    "anonymousAuthentication": true, 


I have tried following code snippet to create the JWT token with windows authentication:

    [Authorize(AuthenticationSchemes = "Windows")]
    public class AuthController : ControllerBase
        public IActionResult Token()
            //Setup claims
            var claims = new[]
                new Claim(ClaimTypes.Name, User.Identity.Name),
                //Add additional claims

            //Read signing symmetric key
            var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("677efa87-aa4d-42d6-adc8-9f866e5f75f7"));
            var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            //Create a token
            var token = new JwtSecurityToken(
                issuer: "Test",
                audience: "Test",
                claims: claims,
                expires: DateTime.Now.AddMinutes(30),
                signingCredentials: creds);

            //Return signed JWT token
            return Ok(new
                token = new JwtSecurityTokenHandler().WriteToken(token)


And in another controller I need use only JWT authentication:

    [Authorize(AuthenticationSchemes = "Bearer")]
    public class ProductController : ControllerBase
        public IActionResult Get()
            var userName = User.Identity.Name;

            var claims = User.Claims.Select(x => new { x.Type, x.Value });

            return Ok(new { userName, claims });


If the JWT token is expired then I correctly received the response code 401 but I still get the dialog in the browser for putting the credentials.


How can I configure the windows authentication only for a part when I want to create the JWT token and disable response which is responsible for showing the browser dialog with credentials? How to correctly combine these things?


The way I would handle this is to create two different web applications: one for Windows Authentication and one that uses JWT Token Authentication.


The Windows Authentication web application would be very small and only does one thing. Authenticate the user via Windows Authentication at an endpoint and return a JWT Token.


Then, that token can be used for the main application. As long as your signing key and audience is the same, it doesn't matter if the token is created on a different web application.


You won't need to struggle with trying to handle both at the same time.