Provide a way to prevent AuthenticationSchemeProvider from picking a specific scheme handler #1287
Comments
|
A possible (and good) approach would consist in adding new "capabilities" properties to E.g: public class AuthenticationScheme(Builder)
{
public bool UseAsDefaultAuthenticateScheme { get; set; }
public bool UseAsDefaultChallengeScheme { get; set; }
public bool UseAsDefaultForbiddenScheme { get; set; }
public bool UseAsDefaultSignInScheme { get; set; }
public bool UseAsDefaultSignOutScheme { get; set; }
}Using this approach, we could even reunify |
|
You should be able to just plug in your own IAuthenticationSchemeProvider implementation that always returns null for DefaultAuthenticateScheme, that's the mechanism to control the defaults |
|
No. I don't want to force my users to use my own |
|
Can you describe exactly what your ASOS is doing (why does Authenticate throw?) |
Well, it's not just for The Basically, ASOS is a specialized handler that shouldn't be used as an active/automatic handler. In both ASOS for OWIN and ASP.NET Core 1.0, we have checks to prevent that ( I'll add something similar in 2.0, but I also need a way to tell |
|
I'm fine with a new global option that is |
|
It would work. But the downside is that users would have to manually set this flag to Any particular reason you don't like this approach? |
|
Its not up to the handler writer to disable this or not, these are mostly meant to configure the parameterless overloads. Its up to the app to decide what's the default handler. The only situation where the default is required, is with the AuthenticationMiddleware, so maybe that needs a new explicit option as well which fallsback to DefaultAuthenticateScheme, something like our old favorite word |
That's not what the flags would do with my approach. Maybe I wasn't clear enough, but the flags would only tell the scheme provider whether the handler CAN be used as a default scheme, so that handlers that declare they can't be used as default schemes wouldn't be automatically picked by the scheme provider (e.g the JWT middleware can't be used for sign-in/sign-out). The most accurate name for these flags should be something like |
|
The IAuthenticationSchemeProvider is responsible for resolving the defaults, if this becomes a very common ask, we can consider adding support for it in the default implementation, but it doesn't seem worth spreading this concept into the schemes themselves. Your users wouldn't have to set this flag, you would do it for them via AddASOS() or the equivalent, you are always adding your handler so there's no situation where it would be useful for them anyways right? |
I'm never super comfortable with changing global settings in my own libs, but if that's the only option... 😅 One advantage with the other option is that the selection logic would be a bit smarter if one registered ASOS + another middleware (like the JWT bearer middleware). In this case, |
|
For those interested, this work item is no longer necessary as the fallback logic was removed in aspnet/HttpAbstractions#891. |
When there's only one authentication handler registered,
AuthenticationSchemeProvideruses it as the default scheme handler for basically everything (authentication, challenge, forbidden, sign-in and sign-out).Sadly, this logic makes no sense for handlers like ASOS, that throws an
InvalidOperationExceptionif you try to call one of theIAuthenticationServicemethods outside an OpenID Connect request (for obvious security reasons).Yet,
AuthenticationMiddlewareusesGetDefaultAuthenticateSchemeAsync()and automatically calls[ASOS].AuthenticateAsync()for each request, which is detected as an invalid operation and causes an exception when ASOS is the only handler registered in the DI container.Please consider adding a flag to disable this extremely annoying behavior, either at the global level, or per-handler.
/cc @HaoK
The text was updated successfully, but these errors were encountered: