-
Notifications
You must be signed in to change notification settings - Fork 600
Breaking changes in Authentication / Authorization #248
Comments
Not really any notes, I'll take a look and reply to your post in this issue. Do you want to edit this issue and include the context from your asp.net forum post? |
@HaoK can you write up something so we can put it on Announcements? |
@davidfowl How much do you want written? We're overhauled everything. A quick announcement won't do anyone any good, as announcements are a couple of lines. It's going to need proper documentation to expose all the changes we made, especially the authz overhaul. Whilst that's slowly coming along in the shape of a powerpoint, its going to take a good number of days to turn it into proper usable documentation (either Word, or readthedocs) and samples, and getting to that point is weeks away. |
Thanks @HaoK, I just updated my post to include my current status on this subject. On the documentation area let me know if I can be of any help. |
@blowdart Anything would suffice at this point. Even if it's to say that there were a ton of breaking changes. That's the entire purpose of that repository. |
Saying a ton is hardly helpful. "We changed authz to use Policy" doesn't say much at all. It's not breaking in that case anyway, it's new. |
@sandorfr I'm assuming you have something like [Authorize(Policy = "JWT")] or something like that? Can you include your entire startup.cs (or at least the Configure that's includes your middlewares?) |
For your first issue about the policy names / AuthScheme being correlated, that's because of how you setup your policy: This should work fine.
|
Yes I have that : [Authorize(JWTAuthenticationDefaults.AuthenticationType)]
public class ListController : BaseController Here my UseJWTAuthentication implementation : public static IApplicationBuilder UseJWTAuthentication(this IApplicationBuilder app, Action<JWTAuthenticationOptions> configureOptions = null, string optionsName = "") {
return app.UseMiddleware<JWTAuthenticationMiddleware>(
new ConfigureOptions<JWTAuthenticationOptions>(configureOptions ?? (o => { })) {
Name = optionsName
});
} |
Announcements done. They're not detailed, because they're announcements. Proper documentation will follow in a few weeks. aspnet/Announcements#20 |
@HaoK that's fixed for the policy naming part. Thanks. Now I just need to understand why the @blowdart I think your announcements are helpful, at least they would have helped me save time earlier this week :), so I guess that might help other developers. |
Can you include the rest of your middleware configuration? Do you have cookies or any other auth middlewares involved? |
No I don't have any other auth middleware atm (I plan to do so but this is not a priority). // Configure the HTTP request pipeline.
// Add the console logger.
loggerfactory.AddConsole();
loggerfactory.AddProvider(new AzureLoggerProvider(configuration, (LogLevel)Enum.Parse(typeof(LogLevel), configuration.Get("azure_log_level"))));
// loggerfactory.AddProvider(new CustomLoggerProvider(connectionManager));
if (configuration.ShouldMeasurePerformance) {
app.UseMiddleware<MeasureMiddleware>();
}
app.UseMiddleware<CorrelationIdMiddleware>();
app.UseMiddleware<CorsMiddleware>();
app.UseJWTAuthentication(options => {
options.MasterKey = Configuration.Get("masterKey");
}, JWTAuthenticationDefaults.AuthenticationType);
// Add the following to the request pipeline only in development environment.
if (string.Equals(env.EnvironmentName, "Development", StringComparison.OrdinalIgnoreCase)) {
//app.UseBrowserLink();
app.UseErrorPage(ErrorPageOptions.ShowAll);
app.UseDatabaseErrorPage(DatabaseErrorPageOptions.ShowAll);
} else if (string.Equals(Configuration.Get("ShowDebugTraces"), "true", StringComparison.OrdinalIgnoreCase)) {
app.UseErrorPage(ErrorPageOptions.ShowAll);
app.UseDatabaseErrorPage(DatabaseErrorPageOptions.ShowAll);
} else {
// Add Error handling middleware which catches all application specific errors and
// send the request to the following path or controller action.
app.UseErrorHandler("/Home/Error");
}
// Add static files to the request pipeline.
app.UseStaticFiles();
// Add MVC to the request pipeline.
app.UseMvc(routes => {
routes.MapRoute(
name: "default",
template: "{controller}/{action}/{id?}",
defaults: new { controller = "Home", action = "Index" });
// Uncomment the following line to add a route for porting Web API 2 controllers.
// routes.MapWebApiRoute("DefaultApi", "api/{controller}/{id?}");
}); |
there is one thing I'm not sure of. should my authentication middleware use or not use |
Automatic is intended for your current scenario where there's only one primary auth middleware, try turning this on, and removing the authentication scheme from the policy. The HttpContext.User should automatically be the principal from your middleware on the request after sign in. |
Ok, thanks I'm going to do some test following that path and triple check everything again :). I'll keep you updated. |
Thanks for trying this out, definitely feel free to share any thoughts/feedback you have as most of this has changed recently and we are trying to tweak things to be more intuitive... |
Does not work either :(. I must be missing something obvious... |
Eureka ! It looks like a policy without any requirement will never authorize the request. I had to add |
Ah yes, that funky edge case... @blowdart what do you think about removing this weirdness? We could just throw whenever we register a policy with no requirements on startup... Instead of either always failing or always succeeding an empty policy...? |
My personal opinion is that the exception is the right way, the developer will see it early and fix it quickly. The always failing does not have any sense to me (and it will drive others than me completely crazy) but the always succeeding might lead to the same issue :), plus a potential security breach. |
Exception it is. This caught me too :) |
Do you have any idea why the ApplyResponseChallenge is called twice? |
I think the exception behavior was the main issue for this, please file a new issue if you are still seeing issues with ApplyResponseChallenge |
I'm going to double check but last time I checked this point I had the issue. I'll open an issue if needed. -----Message d'origine----- I think the exception behavior was the main issue for this, please file a new issue if you are still seeing issues with ApplyResponseChallenge |
I'm doing some test with MVC 6 ("Microsoft.AspNet.Mvc": "6.0.0-beta4"). |
@marcosph - this is a long closed issue. Unless you are seeing something related to the original issue (and it doesn't appear you are) you would be better served opening a new issue and actually providing some of your code to help us diagnose the problem |
How does one have multiple auth schemes? I've added the default OAuth policy (beta7) plus my own ApiKey policy but I get the Any ideas? Code:
|
(I want one method to use the ApiKey policy and the rest to use the default) |
Do you have any auth middleware configured with AuthenticationScheme ApiKey? |
I think the problem was I wasn't setting the |
There are a lot of breaking changes in that area. They look amazing but I'm really struggling with them. Is there any design notes about how it works.
Here is some details about what I'm struggling with ( http://forums.asp.net/t/2048628.aspx?Struggling+with+the+beta4+Authentication+Authorization+changes )
Here what I currently have :
I'm configuring it that way :
In ConfigureServices
In Configure
First issue : currently, it successfully steps in my custom handler
AuthenticateCoreAsync
, I return a valid ticket, butApplyResponseChallenge
is called every time.Another thing bothers me, If my policy name differs from my authenticationscheme it fails with
InvalidOperationException: The following authentication scheme was not accepted: customJWT
and I can't figure out why.And the last strange thing ApplyResponseChallenge is called twice per request.
The text was updated successfully, but these errors were encountered: