Entra External ID: Update or remove multiple auth schemes example that still showcases B2C

[guardrex]

Description

In the Use multiple authentication schemes section, there's an example that focuses on B2C that should be either removed entirely or replaced due to B2C's EOL support.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-10.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authorization/limitingidentitybyscheme.md

Document ID

0096c365-2f4e-5d21-89a0-c4f10fcb0ed9

Platform Id

099e63e1-c27f-9f00-8885-c551419ae35a

Article author

@wadepickett

Metadata

• ID: ee71441f-471a-89cd-0ef4-9b32b5dd85cf
• PlatformId: 099e63e1-c27f-9f00-8885-c551419ae35a
• Service: aspnet-core
• Sub-service: security

Related Issues

[wadepickett]

Notes:
The "Use multiple authentication schemes" section contains an example that showcases Azure Active Directory B2C (Azure AD B2C) as an authentication scheme. Given Microsoft's announcement that Azure AD B2C reached End-of-Sale on May 1, 2025 (no longer available to new customers) and will be supported only until May 2030, this example should be updated or replaced to guide developers toward the recommended successor product, Microsoft Entra External ID.

Files effected:
Doc:
[aspnetcore/security/authorization/limitingidentitybyscheme. md](https://github.com/dotnet/AspNetCore.Docs/blob/092abea02c224366b8edbfb553d5eb67c6942b65/aspnetcore/security/authorization/limitingidentitybyscheme. md#L68-L73)

Code sample: Lines 166-249, snipet region region snippet_ma2
aspnetcore/security/authorization/limitingidentitybyscheme/samples/AuthScheme/Program.cs

Option A - Replace with Entra External ID:

Something like this, but verify what the standard way is to point out the warning:

> [!WARNING]
> Azure AD B2C reached end-of-sale on May 1, 2025. For new implementations, use [Microsoft Entra External ID](/entra/external-id/external-identities-overview) instead.

The following example demonstrates using multiple JWT bearer schemes with `ForwardDefaultSelector` to dynamically choose an authentication scheme based on the token issuer: 

[!code-csharp[](~/security/authorization/limitingidentitybyscheme/samples/AuthScheme/Program.cs? name=snippet_ma2_updated&highlight=9-49)]

In the preceding code, <xref:Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions.ForwardDefaultSelector> is used to select a default scheme for the current request... 

Option B - Remove entirely (Quick draft, think about this more):

> [!NOTE]
> For more complex scenarios involving multiple identity providers, see [Microsoft Entra External ID](/entra/external-id/external-identities-overview) documentation.

Potential Code Sample Updates

File: Program.cs
Lines: 167-249 (snippet_ma2 region)
Change: Replace B2C-specific naming with generic or Entra External ID naming

Current code (lines 167-216):

#region snippet_ma2
using Microsoft.AspNetCore. Authentication;
using Microsoft.IdentityModel. Tokens;
using Microsoft.Net.Http.Headers;
using System.IdentityModel.Tokens.Jwt;

var builder = WebApplication.CreateBuilder(args);

// Authentication
builder.Services. AddAuthentication(options =>
{
    options.DefaultScheme = "B2C_OR_AAD";
    options.DefaultChallengeScheme = "B2C_OR_AAD";
})
.AddJwtBearer("B2C", jwtOptions =>
{
    jwtOptions.MetadataAddress = "B2C-MetadataAddress";
    jwtOptions.Authority = "B2C-Authority";
    jwtOptions.Audience = "B2C-Audience";
})
.AddJwtBearer("AAD", jwtOptions =>
{
    // ...  configuration
})
.AddPolicyScheme("B2C_OR_AAD", "B2C_OR_AAD", options =>
{
    options.ForwardDefaultSelector = context =>
    {
        // ... selector logic checking for B2C-Authority
        return (jwtHandler.CanReadToken(token) && jwtHandler.ReadJwtToken(token).Issuer.Equals("B2C-Authority"))
            ? "B2C" : "AAD";
    };
});
#endregion

Suggested direction:

#region snippet_ma2_updated
// Authentication with multiple JWT bearer schemes
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "MULTI_AUTH";
    options.DefaultChallengeScheme = "MULTI_AUTH";
})
.AddJwtBearer("EntraExternalID", jwtOptions =>
{
    jwtOptions.MetadataAddress = "ExternalID-MetadataAddress";
    jwtOptions. Authority = "ExternalID-Authority";
    jwtOptions. Audience = "ExternalID-Audience";
})
.AddJwtBearer("EntraID", jwtOptions =>
{
    jwtOptions.MetadataAddress = "EntraID-MetadataAddress";
    jwtOptions.Authority = "EntraID-Authority";
    jwtOptions. Audience = "EntraID-Audience";
})
.AddPolicyScheme("MULTI_AUTH", "MULTI_AUTH", options =>
{
    options. ForwardDefaultSelector = context =>
    {
        // Dynamic scheme selection based on token issuer
        // ...
    };
});
#endregion