handle anonymous controller

src/Microsoft.Identity.Web/TokenAcquisition.cs

@@ -12,12 +12,14 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OAuth;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Components.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Extensions;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
@@ -41,7 +43,7 @@ internal partial class TokenAcquisition : ITokenAcquisitionInternal
         ///  Please call GetOrBuildConfidentialClientApplication instead of accessing this field directly.
         /// </summary>
         private IConfidentialClientApplication? _application;
-        private bool retryClientCertificate;
+        private bool _retryClientCertificate;
         private readonly IHttpContextAccessor _httpContextAccessor;
         private HttpContext? CurrentHttpContext => _httpContextAccessor.HttpContext;
         private readonly IMsalHttpClientFactory _httpClientFactory;
@@ -194,7 +196,7 @@ public async Task AddAccountToCacheFromAuthorizationCodeAsync(
                 _application = null;
 
                 // Retry
-                retryClientCertificate = true;
+                _retryClientCertificate = true;
                 await AddAccountToCacheFromAuthorizationCodeAsync(context, scopes, authenticationScheme).ConfigureAwait(false);
             }
             catch (MsalException ex)
@@ -204,7 +206,7 @@ public async Task AddAccountToCacheFromAuthorizationCodeAsync(
             }
             finally
             {
-                retryClientCertificate = false;
+                _retryClientCertificate = false;
             }
         }
 
@@ -290,7 +292,7 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
                 _application = null;
 
                 // Retry
-                retryClientCertificate = true;
+                _retryClientCertificate = true;
                 return await GetAuthenticationResultForUserAsync(scopes, tenantId: tenantId, userFlow: userFlow, user: user, tokenAcquisitionOptions: tokenAcquisitionOptions).ConfigureAwait(false);
             }
             catch (MsalUiRequiredException ex)
@@ -304,7 +306,7 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
             }
             finally
             {
-                retryClientCertificate = false;
+                _retryClientCertificate = false;
             }
         }
 
@@ -397,12 +399,12 @@ public Task<AuthenticationResult> GetAuthenticationResultForAppAsync(
                 _application = null;
 
                 // Retry
-                retryClientCertificate = true;
+                _retryClientCertificate = true;
                 return GetAuthenticationResultForAppAsync(scope, tenant: tenant, tokenAcquisitionOptions: tokenAcquisitionOptions);
             }
             finally
             {
-                retryClientCertificate = false;
+                _retryClientCertificate = false;
             }
         }
 
@@ -598,14 +600,15 @@ public string GetEffectiveAuthenticationScheme(string? authenticationScheme)
             }
             else
             {
-                return (CurrentHttpContext?.GetTokenUsedToCallWebAPI() != null)
-                 ? JwtBearerDefaults.AuthenticationScheme : OpenIdConnectDefaults.AuthenticationScheme;
+                return _serviceProvider.GetService<IAuthenticationSchemeProvider>()?.GetDefaultAuthenticateSchemeAsync()?.Result?.Name ??
+                    ((CurrentHttpContext?.GetTokenUsedToCallWebAPI() != null)
+                    ? JwtBearerDefaults.AuthenticationScheme : OpenIdConnectDefaults.AuthenticationScheme);
             }
         }
 
         private bool IsInvalidClientCertificateError(MsalServiceException exMsal)
         {
-            return !retryClientCertificate &&
+            return !_retryClientCertificate &&
                 string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase) &&
                 exMsal.Message.Contains(Constants.InvalidKeyError, StringComparison.OrdinalIgnoreCase);
         }

tests/Microsoft.Identity.Web.Test/TokenAcquisitionAuthorityTests.cs

@@ -3,6 +3,8 @@
 
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.DependencyInjection;
@@ -35,7 +37,6 @@ private void InitializeTokenAcquisitionObjects()
                 _provider.GetService<IHttpClientFactory>(),
                 _provider.GetService<ILogger<TokenAcquisition>>(),
                 _provider);
-            _tokenAcquisition.GetOptions(OpenIdConnectDefaults.AuthenticationScheme);
         }
 
         private void BuildTheRequiredServices()
@@ -45,9 +46,10 @@ private void BuildTheRequiredServices()
                 provider => _microsoftIdentityOptionsMonitor);
             services.AddTransient(
                 provider => _applicationOptionsMonitor);
-            services.Configure<MergedOptions>(OpenIdConnectDefaults.AuthenticationScheme, options => { });
+            services.Configure<MergedOptions>(options => { });
             services.AddTokenAcquisition();
             services.AddLogging();
+            services.AddAuthentication();
             _provider = services.BuildServiceProvider();
         }
 
@@ -93,6 +95,25 @@ public void VerifyCorrectAuthorityUsedInTokenAcquisitionTests(string tenant)
             }
         }
 
+        [Theory]
+        [InlineData(JwtBearerDefaults.AuthenticationScheme)]
+        [InlineData(OpenIdConnectDefaults.AuthenticationScheme)]
+        [InlineData(null)]
+        public void VerifyCorrectSchemeTests(string scheme)
+        {
+            BuildTheRequiredServices();
+            InitializeTokenAcquisitionObjects();
+
+            if (!string.IsNullOrEmpty(scheme))
+            {
+                Assert.Equal(scheme, _tokenAcquisition.GetEffectiveAuthenticationScheme(scheme));
+            }
+            else
+            {
+                Assert.Equal(OpenIdConnectDefaults.AuthenticationScheme, _tokenAcquisition.GetEffectiveAuthenticationScheme(scheme));
+            }
+        }
+
         [Theory]
         [InlineData(TestConstants.B2CInstance)]
         [InlineData(TestConstants.B2CLoginMicrosoft)]