
[Discussion] Single authentication scheme is treated as default scheme #42828


Open
captainsafia opened this issue Jul 20, 2022 · 4 comments
Labels
announcement This issue is an announcement about important functionality change (prevents auto-closing) area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Comments

@captainsafia
Member

captainsafia commented Jul 20, 2022

Starting in .NET 7 Preview 7, we introduced new behavior in the authentication area in ASP.NET Core to reduce boilerplate and help build sensible defaults into ASP.NET Core.

Previously, users were always required to set the default authentication scheme that would be used by authentication and authorization handlers, like so:

builder.Services.AddAuthentication("MyDefaultScheme");

Moving forward, when (and only when) a single authentication scheme is registered, that scheme will be treated as the default scheme. For example, "foobar" will be treated as the default scheme in the code below.

builder.Services.AddAuthentication().AddOAuth("foobar");

This change might expose unintended behavior changes in applications, such as authentication options being validated earlier than expected.

@captainsafia captainsafia added area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer announcement This issue is an announcement about important functionality change (prevents auto-closing) labels Jul 20, 2022
@captainsafia captainsafia added this to the Discussions milestone Jul 20, 2022
@WeihanLi
Contributor

WeihanLi commented Jul 20, 2022

What if we had multi auth schema but no default schema registered, would it use the first or the last as the default schema?

For example:

services.AddAuthentication()
    .AddBasic()
    .AddJwtBearer()
    .AddCookie();

@fowl2

fowl2 commented Jul 20, 2022

I'm assuming this is part of the overall effort to reduce boilerplate?

Even if it's "obvious" I think it's worth including an explicit motivation in announcements like this, so we know 'why' we're potentially breaking someone :)

@captainsafia
Member Author

> What if we had multi auth schema but no default schema registered, would it use the first or the last as the default schema?

In this case, no default schema is set. This rule only applies when a single schema is registered.

> I'm assuming this is part of the overall effort to reduce boilerplate?

Yep.

> Even if it's "obvious" I think it's worth including an explicit motivation in announcements like this, so we know 'why' we're potentially breaking someone :)

Good feedback!
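The behavior described in the announcement and in the reply above can be checked directly by asking `IAuthenticationSchemeProvider` which scheme it would fall back to. This is an added example, not code from the thread or from the ASP.NET Core repository; the scheme names `site` and `admin` and the helper `ResolveDefaultAsync` are assumptions made for illustration, and it assumes a .NET 7 or later project built with `Microsoft.NET.Sdk.Web`.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper: builds an isolated container, applies the given
// registration, and returns the name of the default authenticate scheme,
// or null when the scheme provider has no default.
static async Task<string?> ResolveDefaultAsync(Action<IServiceCollection> register)
{
    var services = new ServiceCollection();
    register(services);
    await using var provider = services.BuildServiceProvider();
    var schemes = provider.GetRequiredService<IAuthenticationSchemeProvider>();
    var scheme = await schemes.GetDefaultAuthenticateSchemeAsync();
    return scheme?.Name;
}

// Case 1: exactly one scheme registered and no default named.
// Per the announcement, this scheme is treated as the default.
var single = await ResolveDefaultAsync(s =>
    s.AddAuthentication().AddCookie("site"));

// Case 2: a second scheme is added later and still no default is named.
// Per the reply above, the single-scheme rule no longer applies.
var ambiguous = await ResolveDefaultAsync(s =>
    s.AddAuthentication().AddCookie("site").AddCookie("admin"));

// Case 3: the default is pinned explicitly, so adding "admin" cannot
// change which handler authenticates requests by default.
var pinned = await ResolveDefaultAsync(s =>
    s.AddAuthentication("site").AddCookie("site").AddCookie("admin"));

Console.WriteLine($"one scheme, no explicit default  -> {single ?? "(none)"}");
Console.WriteLine($"two schemes, no explicit default -> {ambiguous ?? "(none)"}");
Console.WriteLine($"two schemes, explicit default    -> {pinned ?? "(none)"}");
```

An application that relies on case 1 loses its default as soon as a second scheme is registered, so naming the default as in case 3 keeps the authentication path stable when schemes are added.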

@poke
Contributor

poke commented Jul 20, 2022

I think this is a good change which should help to reduce some of the confusion which occurs from “magic defaults”. Thanks! 😊
