This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Split SignIn/SignOut into IAuthenticationStore interface #1244

Closed
HaoK opened this issue May 31, 2017 · 9 comments

@HaoK
Member

HaoK commented May 31, 2017

After playing around with templates a bit, the configuration of the shared default schemes still is a bit complicated.

There are basically 3 kinds of auth handlers today

Store ones (Cookies/Bearer) that handle challenge/authenticate/forbid/sign in/sign out

Remote ones (OIDC/OAuth/Twitter) basically only support challenge/forbid, with authenticate forwarding to a store

Hosts support challenge/authenticate/forbid

So if we split things into

interface IAuthenticationHandler {
   Authenticate
   Challenge
   Forbid
}

interface IAuthenticationStore : IAuthenticationSignInHandler {
  SignIn
}

interface IAuthenticationStore : IAuthenticationSignOutHandler {
  SignOut
}

interface IAuthenticationRequestHandler : IAuthenticationHandler {
   HandleRequest
}

I think this factoring would let us improve the default Authenticate/SignInSchemes to only look for stores, which means for apps that are only using a single Cookie/Bearer scheme, it no longer would need to be configured.

@Tratcher thoughts?

@brockallen

IIRC this is what I suggested way back when the Auth2 redesign started.

@Tratcher
Member

Bearer doesn't go with cookies, it goes into your Hosts category that should just be called HTTP Auth.

OIDC also implements SignOut to trigger a remote signout.

@HaoK
Member Author

HaoK commented May 31, 2017

@brockallen yeah, it was something we considered early on but didn't find any compelling reason to do the split. Assuming we get another feature milestone, this is something I'll prototype to see if it simplifies anything.

@HaoK
Member Author

HaoK commented May 31, 2017

@Tratcher So today cookies would be our only true 'store', that's really weird that OIDC implements SignOut but not SignIn... that messes things up if it is considered a store. I guess we can just make it granular IAuthenticationSignInHandler, IAuthenticationSignOutHandler for those two optional methods.

@brockallen

This is why they should not derive from one another. They're different semantics.

@HaoK
Member Author

HaoK commented May 31, 2017

Are there any examples of auth schemes that don't support Authenticate/Challenge/Forbid? SignIn/SignOut/HandleRequest do seem like optional semantics that most/some handlers won't support

@Tratcher
Member

Remote providers don't really support Forbid. We fake it by passing through to the underlying cookie.

@HaoK
Member Author

HaoK commented May 31, 2017

Fair enough, can we just drop that support for remote auth and make forbid optional as well, I don't believe we have any real scenarios where people are forbidding Google/Facebook today anyways...

@HaoK
Member Author

HaoK commented Jul 27, 2017

This was done in 2.0 via aspnet/HttpAbstractions#873

@HaoK HaoK closed this as completed Jul 27, 2017
@HaoK HaoK modified the milestones: 2.0.0, 3.0.0 Jul 27, 2017
@HaoK HaoK added the 3 - Done label Jul 27, 2017
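
An added sketch of the factoring discussed in this thread (not code from the issue or from ASP.NET Core): granular sign-in/sign-out capability interfaces, and a default-scheme lookup that only considers handlers with the requested capability and refuses to guess when more than one qualifies. The interface names come from the thread; their simplified string-returning signatures, `CookieHandler`, `OidcHandler` and `SchemeDefaults.Resolve` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Hypothetical stand-ins named after the thread's interfaces, not the ASP.NET Core types (Forbid omitted).
interface IAuthenticationHandler { string Authenticate(); string Challenge(); }
interface IAuthenticationSignInHandler { string SignIn(string user); }
interface IAuthenticationSignOutHandler { string SignOut(); }

// Cookies: the one true "store" in the thread, supports both optional operations.
class CookieHandler : IAuthenticationHandler, IAuthenticationSignInHandler, IAuthenticationSignOutHandler
{
    public string Authenticate() => "cookie: read ticket";
    public string Challenge() => "cookie: redirect to login";
    public string SignIn(string user) => $"cookie: issued for {user}";
    public string SignOut() => "cookie: cleared";
}

// OIDC: remote handler that can trigger a remote sign-out but cannot sign in.
class OidcHandler : IAuthenticationHandler, IAuthenticationSignOutHandler
{
    public string Authenticate() => "oidc: forwarded to store";
    public string Challenge() => "oidc: redirect to provider";
    public string SignOut() => "oidc: remote sign-out";
}

static class SchemeDefaults
{
    // Pick the default scheme for capability T only when exactly one handler has it.
    public static string Resolve<T>(IDictionary<string, object> schemes)
    {
        var matches = schemes.Where(s => s.Value is T).Select(s => s.Key).ToList();
        if (matches.Count == 1) return matches[0];
        throw new InvalidOperationException(
            $"{matches.Count} schemes implement {typeof(T).Name}; configure a default explicitly.");
    }
}
static class Program
{
    static void Main()
    {
        var schemes = new Dictionary<string, object> { ["Cookies"] = new CookieHandler(), ["Oidc"] = new OidcHandler() };
        // Only the cookie handler can sign in, so the sign-in default needs no configuration.
        Console.WriteLine(SchemeDefaults.Resolve<IAuthenticationSignInHandler>(schemes));
        // Two handlers can sign out: fail closed with an error instead of picking one.
        try { SchemeDefaults.Resolve<IAuthenticationSignOutHandler>(schemes); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the capabilities are separate interfaces, asking the OIDC handler to sign in is rejected by the type check rather than falling through to a handler that silently ignores it.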