Authentication 2.0 Iteration 3 (with Names/OptionFactory)

[HaoK]

• New IOptionsFactory which provides named options in addition to validation, both of which are triggered via IOptionsFactory.Get("name"). Allows normal options configuration for schemes, Validation is just a different set of Actions that run after the Configures

IOptionsFactory Usage:

  services.ConfigureAll<GoogleOptions>(o => o.SignInScheme = "GoogleCookie");
  services.Configure<GoogleOptions>("Google", o => ClientId = "avsdlkj");
  services.Configure<GoogleOptions>("Google2" p => ClientId = "two");
  services.ValidateAll<GoogleOptions>(o => if (o.ClientId == null) throw new ArgumentException());

  optionsFactory.Get<GoogleOptions>("Google"); // OK
  optionsFactory.Get<GoogleOptions>("Default"); // throws ArgumentException

• split HandleRequest into its own IAuthenticationRequestHandler interface instead, CallbackPaths routing is disabled for now (all IAuthenticationRequestHandler schemes are given a chance to handle the request)

TL:DR Auth 2.0 summary

• New IAuthenticationService with the same Authenticate/Challenge/SignIn/Out/ForbidAsync API.
• Made up of AuthenticationScheme instances which have: Name, Type, and Settings dictionary (Options instance + old description bag)
• app.UseXyzAuth(new XyzOptions()) => services.AddXyzAuth(o => o.Foo = bar) adds an AuthenticationScheme instance for Xyz
• Single UseAuthentication is required, which takes care of the old 'automatic' authenticate, in addition to giving each scheme a chance to handle the request like the old middlewares did.
• Auth provider extensibility model is mostly unchanged, just tweaked (no more middleware, handler base class is cleaned up and activated from DI (see DbContext example below)
• 'Automatic' authenticate and challenge are now a single Default[Authenticate/SignIn]Scheme in AuthenticationOptions, rather than a flag on each middleware. No ambiguity, altho there's one bit of magic where if none are specified and there's only a single scheme registered, we use that scheme as the default.

Pros of the new design

• AuthN is now a service and 'feels' like AuthZ.
• Auth handlers can now consume services from DI easily (e.g. see DbContext example).
• ClaimsTransformation simplified (sane now, rather than wrapped AuthHandler + xform middleware fun), example below.
• Dynamic schemes supported via replacing the IAuthenticationSchemeProvider service.
• Eliminated a lot of design/complexity issues that we have consistently run into when trying to fix bugs (no more handler chaining, automatic gone)

Example of using scoped DbContext

This was not really easily accomplished in the old stack since handlers were created by the middleware via protected abstract AuthenticationHandler<TOptions> CreateHandler();

   // ConfigureServices:
   services.AddSchemeHandler<CookieAuthenticationOptions, MyCookieAuthenticationHandler>("Cookie1", o => { o.CookieName = "Cookie1" });
   services.AddSchemeHandler<CookieAuthenticationOptions, MyCookieAuthenticationHandler>("Cookie2", o => { o.CookieName = "Cookie2" });

public class MyCookieAuthenticationHandler : CookieAuthenticationSchemeHandler {
    public MyCookieAuthenticationHandler(DbContext context, ILoggerFactory logger, UrlEncoder encoder) : base(logger, encoder) {
       _dbContext = context;
    }
    
        protected async override Task<CookieAuthenticationOptions> CreateOptionsAsync()
        {
            var options = await base.CreateOptionsAsync();
            UseYourDbContextOnThese(options);
        }
}

Claims Transformation

A lot simpler, new IClaimsTransformation service which has a single method:
Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)

We call this on any successful AuthenticateAsync call.

   services.AddAuthentication(o => o.ClaimsTransform = p => {
     p.AddIdentity(new ClaimsIdentity());
     return Task.FromResult(p);
  }

To use a more advanced scoped claims transform that uses DbContext's, they would just need to add their own IClaimsTransformation before any AddAuthentication calls.

[dnfclas]

@HaoK,
Thanks for having already signed the Contribution License Agreement. Your agreement was validated by .NET Foundation. We will now review your pull request.
Thanks,
.NET Foundation Pull Request Bot

[HaoK]

@brockallen @PinpointTownes we've decided today that we are going ahead with this change, the implementation details are still subject to change, but the high level switch from middleware to services/DI/NamedOptions is a go. Definitely let us know if any of your important scenarios are affected, or if you have any ideas for quality of life improvements in the base auth handler classes, since the entire auth code base is opened up for surgery right now...

[HaoK]

Note to self: need to investigate adding schemes and configuring them outside of ConfigureServices. We can probably cheat and use the AuthenticationScheme.Settings bag to stuff options instances for this scenario

[kevinchalet]

@brockallen @PinpointTownes we've decided today that we are going ahead with this change, the implementation details are still subject to change, but the high level switch from middleware to services/DI/NamedOptions is a go.

Thanks for the info, I'll take a look ASAP. When do you plan to merge this PR?

[HaoK]

No firm ETA on merge, need to start working on the changes in all the other repos (Identity/servers), which likely will require some more changes here. But we can start settling on implementation choices now. Also the options changes will go in first, so I'd start there if you are interested on how that lands: aspnet/Options#176

[kevinchalet]

@HaoK correct me if I'm wrong, but Options is a shared instance, right? (at least, when using the default options factory). So this means that the options could be modified concurrently, as InitializeAsync is invoked per request. Isn't that risky as hell?

[HaoK]

Yeah so that's why I'm trying to move all the Options manipulations into 'validations' that occur as part of OptionsFactory.Get("schemeName")

[HaoK]

We can also switch to using the form of 'scoped' options for the schemes, IOptionsSnapshot for example which wouldn't be shared.

[kevinchalet]

Makes sense. Thanks for the clarification.

[HaoK]

Now that I think about it, that's probably the easiest fix to this issue since the scheme options don't want to share

[kevinchalet]

How bad would it be if AuthenticationHandler had a TEvents generic argument?

[HaoK]

🤢

[HaoK]

But yeah the events stuff needs some love, I guess every handler does have an events class today.

[HaoK]

The events is a bit weird to live on options, maybe we can move it into the AuthenticationScheme instead, as something that gets fed into Intialize(IOptionsFactory<TOptions>, TEvent events, HttpContext)

[HaoK]

I've always felt configuring the events as part of the options makes it look ginormous. Can we do better if we tease it apart/have a new pattern for hooking events that's not tied to options configuration?

[HaoK]

Are you sure every event isn't overridable? Isn't that the only purpose for the IXyzEvents to exist? basically its the list of virtual methods that would exist if you could plug in your own handler.

[kevinchalet]

Are you sure every event isn't overridable?

The events are all overridable, but not the infrastructure code that call them: the OAuthHandler.CreateTicketAsync method you used in your sample is quite an exception, as it's the only handler that was really designed to be subclassed.

[HaoK]

So moving to a virtual method would allow us to nuke all of the context classes, and just pass them as parameters (or let them access handler directly since its now in the handler, which they couldn't even do before).

[kevinchalet]

I personally like the fact the public hooks are separated from the rest of the infrastructure code, so I'd really love this events pattern to be present in 2.0.0, but heh, your PR, your choice 😄

(also, I'm not a huge fan of having to override a class to just to do something that can be done in a 2-line event delegate)

[HaoK]

Fair enough, @Tratcher had the same opinion, there's so many other things on my list right now, so its most likely not going to change soon

[Tratcher]

Still a weird property bag

[HaoK]

Yeah this can go away now, since we can add/remove options dynamically I don't think this is needed at all. Fleshing out the add/remove auth scheme using custom options in the next update

[Tratcher]

syntax

[Tratcher]

Ordinal

[Tratcher]

syntax

[Tratcher]

Split file

[Tratcher]

Where did the implementation go?

[HaoK]

I nuked the old Authentication package and moved Impl into there

[Tratcher]

It's not in this PR anywhere.

[HaoK]

Updated with some cleanup, nuked settings bag on AuthenticationScheme, RIP ?? throw

[HaoK]

So in terms of final homes:

Authentication.Abstractions => Http Repo (keeps its own package)
Should we split Authentication into Authentication.Core (lives in Http), and Authentication(.Security)? Basically the core interfaces/implementations for AddAuthentication live in Core, and the base class stuff we use for the Security auth packages would stay in this repo...

So...
Authentication.Abstractions (HttpAbstractions)
Authentication.Core (HttpAbstractions)
Authentication (Security)

[Tratcher]

Which repos need to depend on Authentication.Core?

[Tratcher]

Can we just have Security depend on Diagnostics so we can stop doing this stuff? I don't think it creates any cycles, it just bumps security up the chart one level.

[HaoK]

Seems fine to me, I'll add it

[Tratcher]

Move this check to ConfigureServices

[Tratcher]

It's not in this PR anywhere.

[Tratcher]

Bring these back as Obsolete Error with a fwlink.

[Tratcher]

syntax

[Tratcher]

This comment is now referencing itself?

[HaoK]

@Tratcher they are here, but perhaps hard to find in the 178 file diff... maybe easier to just view via commits

[HaoK]

@Tratcher See AuthenticationHandler here

[HaoK]

@Tratcher I'll break this PR up into 2 new PRs to make things more managable, I'll start the PR for Abstractions/Core in HttpAbstractions and open a new one for only the Security changes

[HaoK]

Updated removing the stuff that is being moved to HttpAbstractions via: aspnet/HttpAbstractions#798

Hopefully easier to review

[kevinchalet]

@HaoK hum, is there a particular reason to move so many types to HttpAbstractions? Of course, IAuthenticationHandler and the types used to register the handler in the DI need to live there for layering reasons, but is it really useful to move things like AuthenticationMiddleware there?

[Tratcher]

@PinpointTownes I think they're needed to write tests for HttpSysServer and IISIntegration

[kevinchalet]

AuthenticationMiddleware's role is extremely limited: it simply adds a special feature to track the original paths, calls IAuthenticationSchemeProvider to get the default sign-in scheme (which is kinda the equivalent of "active authentication") and calls handler.HandleRequestAsync() for "promiscuous handlers". AFAICT, none of the HttpSysServer/IISIntegration tests couldn't live without this type. Do you have any specific example in mind?

[HaoK]

The middleware isn't critical, I can move that back along with UseAuthentication to Security. What's critical is the core services/AddAuthenticationCore as you can't even use Auth without those. I'll move the Middleware/Use out now

[HaoK]

Updated, UseXyz's are back as obsolete/throw not Supported. Also brought back the AuthMiddleware from HttpAbstractions.

[Tratcher]

Put the link in the Obsolete comment

[Tratcher]

Hmm, it's only a warning by default, you have to set IsError true
https://msdn.microsoft.com/en-us/library/system.obsoleteattribute.iserror(v=vs.110).aspx

[HaoK]

Replaced with #1170