Redesign automatic authentication choice mechanism

[blowdart]

The current mechanism for choosing which authentication middleware runs by default has been fragile and caused pain when more than one middleware has been set to automatically run, leading to what is, at best, undefined behaviour. The undefined behaviour changed in 1.1, but some folks were relying on it.

The basic idea behind automatic challenging middleware was that only one middleware should be configured to automatically challenge, however historically this was configured by a property on the individual middleware, and, as middlewares cannot inspect each other, it was too easy to set multiple middlewares to automatically challenge.

The new behaviour should take the decision of what middleware to use to issue a challenge when no middleware is specifically selected out of the hands of the middleware, and into the realm of authorization policy. It's envisaged that the default policy would contain information on the elected middleware to use to issue a challenge, and syntactic sugar added so you can set it as a property on authorization, rather than having to write a complete policy.

This leaves an open question of what happens when Challenge is called manually, without specifying which middleware to use - do we use the one from the default policy, or remove automatic challenge at that point and force a developer to specify the middleware to be used?

[blowdart]

Tagging interested parties: @PinpointTownes @leastprivilege @brockallen
MSFT: @davidfowl @DamianEdwards @HaoK @Eilon @Tratcher

[leastprivilege]

https://www.youtube.com/watch?v=GvtGVoS0ObQ

[brockallen]

After a bit of experience and reflection on how all of the authentication middleware works today, my sense is that the design of the authentication middleware pipeline that was done for katana is not generally appropriate here in ASP.NET Core. IOW, the whole linked list wireup per-request seems unnecessary given that we have DI and that we could inject the main logic (the handlers). There would still be the need for middleware to trigger the handler, but that's about it. API calls like Authenticate/Challenge/Signin/Signout could simply be to a service that was obtained via DI (and not via the handler chain wired up during the request).

Perhaps then more specialized interfaces (ICookeAuthentication, IExternalAuthentication, etc?) would be necessary for this. The design of a one-size-fits all authentication manager API seems like an ill suited abstraction. Of course the DI system is not a panacea and has its own issues with ambiguity when registering multiple instances of the same type.

Not sure how earth shattering this suggestion would be in practice, but again the linked list wireup seems brittle and the source of many problems.

[davidfowl]

I wasn't involved in the original design but would be fine re-thinking it for 2.0 now that we have a DI enabled system. The decorator pattern we use in the authentication manager wouldn't work in DI either so we'd need an alternate pattern for chaining auth handlers.

Perhaps then more specialized interfaces (ICookeAuthentication, IExternalAuthentication, etc?) would be necessary for this. The design of a one-size-fits all authentication manager API seems like an ill suited abstraction. Of course the DI system is not a panacea and has its own issues with ambiguity when registering multiple instances of the same type.

Not sure, we'd need to look at both the consumers and implementors of the interface to see who would need to implement it and how it would get triggered. I'd like to keep the Challenge/Forbid calling pattern as I think it makes sense.

Just some initial thoughts...

[brockallen]

The reason I suggest explicit interfaces for certain types of functionality is because sometimes the generic gestures (Challenge for example) don't really work. Should it mean show the access denied page, or should it mean go login to google. Having the framework guess hasn't worked in some cases, so an explicit API might just be easier.

[davidfowl]

Disclaimer: I'm a bit behind here as I wasn't involved here so bare with me as I get up to speed.

@brockallen Easier for who? What are the actors in the system that would have to know about each interface?

Should it mean show the access denied page, or should it mean go login to google. Having the framework guess hasn't worked in some cases, so an explicit API might just be easier.

I don't think the framework was guessing anything. Challenge targeted a specific middleware or thing that looked like middleware. The biggest complication besides the auth handler being a property on the http context (that's kinda weird), is the active/passive behavior. That was all to keep [Authorize] working the way it used to work in ASP.NET 4.x, like magic 😄 for cookie auth.

I might make sense to spell out all of the interfaces we have now and all the frameworks and touch points to make sure we understand where the pains are.

[Tratcher]

DI is a non-starter when common apps have 2+ instances of cookie auth. Many of the other auth middleware can be duplicated too. I don't see how coming up with a custom interface per scenario helps when you have to somehow associate those with specific middleware instances.

[davidfowl]

Don't dismiss DI it just yet. There might be more DI friendly ways of composing the system. Let's just draw out the components and interactions we currently have.

[HaoK]

Yeah I think we can maybe end up with something more similar to authZ. Which has a similar problem of configuring multiple named policies. The only real difference between Authentication is that the handlers aren't global and are per scheme. But I think something maybe? ConfigureAuthentication(options => { options.AddCookies("cookie1", o => o.Handler.OnRedirect = someMethod)( options.AddCookies("cookie2"); options.AddGoogle("Google", o => o.ClientId = "secret"): }; Where basically you configure the handler instance in a new single AuthenticationOptions which would contain a named instance for each scheme which would have its own configuration and handlers (similar to authZ policy configuration today) And then we could have a single UseAuthentication middleware in the app that builds the authentication infrastructure using the fully configured options instead of relying on middleware wire up. This would let us validate everything as well much easier than what we have today.

…

On Dec 8, 2016, at 10:42 AM, David Fowler ***@***.***> wrote: Don't dismiss DI it just yet. There might be more DI friendly ways of composing the system. Let's just draw out the components and interactions we currently have. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.