Make it easier to specify a default scheme #1264
Comments
|
DefaultChallengeScheme could fall back to DefaultAuthenticateScheme. DefaultSignInScheme needs to stay independent though. |
|
Let's make these all ultimately fall back to |
Sounds dangerous for at least
|
|
I remembered signin throwing by default... Looks like that doesn't happen in the base class, we should change that. Some providers do throw: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.JwtBearer/JwtBearerHandler.cs#L340 |
|
@Tratcher looks like it throws for RAH-based handlers: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs#L184 Unfortunately, it doesn't change anything to the fact that...
|
|
@PinpointTownes but do any handlers actually override SignIn except cookies? |
|
In the built-in handlers? I don't think so. That said, you never know how people implement things. Having such a trap in place would be a very nasty surprise. When you think about it, it doesn't make sense for a handler to have a sign-in scheme that points to itself. |
|
It would even be a good idea to add a check somewhere in the RAH thing to ensure |
|
Those already throw NotSupported, so I'm not as concerned. If we actually see people break it then we can add mitigations as needed. |
|
It's not just about breaking things, it's about the user experience. As a user, if do something like that: services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = FacebookDefaults.AuthenticationScheme;
options.DefaultSignInScheme = FacebookDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = FacebookDefaults.AuthenticationScheme;
});... there's nothing that tells me that my configuration is totally invalid. It's very hard for beginners to figure out what's going on if they don't register the right strings here. |
|
Except there is, Facebook throws NotImplemented when it tries to call SignIn. This class of error has always been possible, all the way back to Katana, but we haven't seen people actually do it. |
So when folks see a
That's the problem with you, guys. You're so focused on your own framework that you have no idea how people use it concretely (I don't blame you for that, it's really common). Posted yesterday on SO: https://stackoverflow.com/questions/44566998/asp-net-core-google-authentication (I took me 10 seconds to find it using the SO search engine): var googleOptions = new GoogleOptions
{
AuthenticationScheme = "Google",
ClientId = "clientid",
ClientSecret = "cs",
SignInScheme = "Google"
};
app.UseGoogleAuthentication(googleOptions); |
|
Fair, we primarily hear about issues reported directly to us, though we do browser SO. |
|
This has convinced me that we should just do #1244 now, if we split SignIn into IAuthenticationSignInHandler and SignOut into IAuthenticationSignOutHandler, most of this issue goes away as you will get a proper exception saying "Google" does not support SignIn. |
But what about SignOut? |
|
SignIn/SignOut/Forbid all throw for the remote handlers. It's just going to change from NotImplemented in the handler to InvalidOperation from the AuthService |
|
SignOut is only valid for IAuthenticationSignOutHandlers, you can't blindly call sign out on everything. |
IIRC, I thought I opened an issue in 1.x on this, and it was agreed that it's probably ok to nop instead. |
|
If you really want to blindly call it, you can always just wrap it in a try/catch ignore InvalidOperationException |
|
Yea, that's what we already do now. It's not pretty. |
|
That was in 1.x, in 2.0 we are stricter |
|
Can you explain your scenario again, why don't you know what kind of scheme it is? |
|
Basically the only 2 things which support sign out are OIDC (remote sign out) and cookies. Nothing else will work |
|
Because we've built an OIDC provider that allows arbitrary upstream IdPs and we don't know what style of IdP has been configured. I can dig out the original issue... |
And WS-Fed? |
|
Original issue: #1039 |
|
So in 2.0 you can always just drop in your own IAuthenticationService which no-ops instead of throws if the handler doesn't exist... |
|
To summarize where things look in the current PRs: DefaultAuthenticateScheme => only defaults to a single auth handler, otherwise null So its now unlikely to ever need to set more than DefaultAuthenticateScheme + DefaultChallengeScheme, as the scenario with multiple cookies usually will set DefaultAuthenticateScheme. |
|
Another noteworthy side effect is that SignInScheme is no longer required for RemoteAuthenticationHandlers (altho we basically always used DefaultSignInScheme to set that anyways today) |
If I just want to use cookies I have to specify cookies as the default scheme three times:
Can we make this less verbose? Maybe add an
AddAuthenticationoverload that takes a single default scheme parameter? Or maybe add aAuthenticationOptions.DefaultSchemeproperty? Or add more fallback behavior?The text was updated successfully, but these errors were encountered: