dotnet · premun · Jan 31, 2025 · Jan 30, 2025
diff --git a/...ProductConstructionService/ProductConstructionService.Api/Configuration/ApiRedirection.cs b/...ProductConstructionService/ProductConstructionService.Api/Configuration/ApiRedirection.cs
@@ -190,7 +190,7 @@ public static async Task<bool> IsAuthenticated(this HttpContext context)
         }
 
         var authService = context.RequestServices.GetRequiredService<IAuthorizationService>();
-        AuthorizationResult result = await authService.AuthorizeAsync(success.Ticket!.Principal, AuthenticationConfiguration.MsftAuthorizationPolicyName);
+        AuthorizationResult result = await authService.AuthorizeAsync(success.Ticket!.Principal, AuthenticationConfiguration.WebAuthorizationPolicyName);
         if (!result.Succeeded)
         {
             context.Response.StatusCode = (int)HttpStatusCode.Forbidden;

diff --git a/...uctionService/ProductConstructionService.Api/Configuration/AuthenticationConfiguration.cs b/...uctionService/ProductConstructionService.Api/Configuration/AuthenticationConfiguration.cs
@@ -9,15 +9,16 @@ namespace ProductConstructionService.Api.Configuration;
 
 internal static class AuthenticationConfiguration
 {
-    public const string EntraAuthorizationPolicyName = "Entra";
-    public const string MsftAuthorizationPolicyName = "msft";
+    public const string EntraAuthorizationSchemeName = "Entra";
+    public const string ApiAuthorizationPolicyName = "MsftApi";
+    public const string WebAuthorizationPolicyName = "MsftWeb";
     public const string AdminAuthorizationPolicyName = "RequireAdminAccess";
 
     public const string AccountSignInRoute = "/Account/SignIn";
 
     public static readonly string[] AuthenticationSchemes =
     [
-        EntraAuthorizationPolicyName,
+        EntraAuthorizationSchemeName,
         OpenIdConnectDefaults.AuthenticationScheme,
     ];
 
@@ -54,7 +55,7 @@ public static void ConfigureAuthServices(this IServiceCollection services, IConf
         var openIdAuth = services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme);
 
         openIdAuth
-            .AddMicrosoftIdentityWebApi(entraAuthConfig, EntraAuthorizationPolicyName);
+            .AddMicrosoftIdentityWebApi(entraAuthConfig, EntraAuthorizationSchemeName);
 
         openIdAuth
             .AddMicrosoftIdentityWebApp(options =>
@@ -88,12 +89,21 @@ public static void ConfigureAuthServices(this IServiceCollection services, IConf
 
         services
             .AddAuthorizationBuilder()
-            .AddPolicy(MsftAuthorizationPolicyName, policy =>
+            .AddDefaultPolicy(WebAuthorizationPolicyName, policy =>
                 {
                     policy.AddAuthenticationSchemes(AuthenticationSchemes);
                     policy.RequireAuthenticatedUser();
                     policy.RequireRole(userRole);
                 })
+            .AddPolicy(ApiAuthorizationPolicyName, policy =>
+                {
+                    // Cookie scheme for BarViz, Entra JWT for Darc and other clients
+                    // The order matters here as the last scheme's Forbid() handler is used for processing authentication failures
+                    // Since cookie scheme returns 200 with the auth exception in the body, Entra should be used instead as it 401s
+                    policy.AddAuthenticationSchemes([CookieAuthenticationDefaults.AuthenticationScheme, EntraAuthorizationSchemeName]);
+                    policy.RequireAuthenticatedUser();
+                    policy.RequireRole(userRole);
+                })
             .AddPolicy(AdminAuthorizationPolicyName, policy =>
                 {
                     policy.AddAuthenticationSchemes(AuthenticationSchemes);

diff --git a/src/ProductConstructionService/ProductConstructionService.Api/PcsStartup.cs b/src/ProductConstructionService/ProductConstructionService.Api/PcsStartup.cs
@@ -248,7 +248,7 @@ internal static async Task ConfigurePcs(
         builder.Services.AddRazorPages(
             options =>
             {
-                options.Conventions.AuthorizeFolder("/", AuthenticationConfiguration.MsftAuthorizationPolicyName);
+                options.Conventions.AuthorizeFolder("/", AuthenticationConfiguration.WebAuthorizationPolicyName);
                 options.Conventions.AllowAnonymousToPage("/Error");
             })
             .AddGitHubWebHooks()
@@ -297,6 +297,8 @@ public static void ConfigureApi(this IApplicationBuilder app, bool isDevelopment
         app.UseEndpoints(e =>
         {
             var controllers = e.MapControllers();
+            controllers.RequireAuthorization(AuthenticationConfiguration.ApiAuthorizationPolicyName);
+
             if (isDevelopment)
             {
                 controllers.AllowAnonymous();