Releases: cirreum/Cirreum.Runtime.AuthenticationProvider
Release list
Release v1.1.1
Full Changelog: v1.1.0...v1.1.1
Release v1.1.0
Cirreum.Runtime.AuthenticationProvider 1.1.0 — connection.Promote(principal)
Why this release exists
Two-Phase Auth's write surface predated the connection-ownership surface that now ships
in Cirreum.Contracts (PromotedUser / EffectiveUser / IsUserPromoted). The old
static helpers (TwoPhaseAuth.Promote(connection, principal),
GetPromotedPrincipal, IsPromoted) duplicated the read side and — more importantly —
left a correctness gap: promoting a connection did not evict the application user cached
for the pre-promotion identity, so an invocation constructed mid-promotion could pair
the promoted principal with the previous identity's domain user.
What's new
connection.Promote(authenticatedPrincipal);- Promotion is now an extension member on
IInvocationConnection— the write-side
complement of the Contracts read surface. Authenticated-principal validation is
unchanged; re-promotion still overwrites. - The eviction invariant.
Promoteremoves the connection's cached application user
before stamping the promoted principal. A concurrently-constructed invocation can
observe old-principal + old-cache, or either value briefly absent — never
new-principal + the previous identity's cached user. The lazy resolve path repopulates
the cache for the promoted identity on the next invocation. AuthenticatedSchemedeliberately survives promotion — it describes how the
connection (transport) authenticated, not the current occupant.- The
GetPromotedPrincipal/IsPromotedstatics are gone — read
connection.PromotedUser/connection.IsUserPromotedfromCirreum.Contracts
instead. No shims: the old surface had no external consumers.
Compatibility
Source-breaking for the (unconsumed) static forms; behavior-additive otherwise. First
test coverage for the promotion surface ships with this release (8 tests, including an
operation-order test locking the evict-before-stamp invariant).
See also
Cirreum.Contracts1.4.x — the connection-ownership read surfaceCirreum.Services.Server1.3.0 — per-invocation contexts snapshotEffectiveUser;
the connection registry and termination handler honor promotion
Release v1.0.2
Release v1.0.1
Release v1.0.0
Cirreum.Runtime.AuthenticationProvider 1.0.0 — The composition engine behind AddAuthentication()
Cirreum.Runtime.AuthenticationProvider is the runtime driver for Cirreum's Authentication pillar. It turns a scheme registrar into registered ASP.NET authentication services, and supplies the claims transformer that maps an authenticated principal onto a Cirreum IApplicationUser. Apps never reference it directly — it flows in transitively behind the Cirreum.Runtime.Authentication umbrella.
Strictly additive — initial release. A new package in the Cirreum 1.0 Foundation Reset; no predecessor. Targets .NET 10.0.
Why this release exists
The Authentication pillar is split into three layers: the contracts (Cirreum.AuthenticationProvider), the runtime composition (this package), and the app-facing umbrella (Cirreum.Runtime.Authentication). This package is the middle layer — the typed bootstrap that the umbrella calls once per framework-shipped scheme to bind configuration and register handlers, plus the post-authentication machinery (the claims transformer and connection-promotion helper) that every scheme shares. Keeping it separate from the umbrella lets the composition logic evolve and version alongside the contracts, independent of the one-call app surface above it.
What's new
RegisterAuthenticationProvider<TRegistrar, TSettings, TInstanceSettings>()
builder.RegisterAuthenticationProvider<
OidcAuthenticationRegistrar,
OidcAuthenticationSettings,
OidcAuthenticationInstanceSettings>(authBuilder);The single bootstrap entry point (invoked by the umbrella, not app code). It dedups via a marker type (repeat calls for the same registrar are no-ops), binds Cirreum:Authentication:Providers:{ProviderName} to the typed settings, skips with a debug log when the section is absent — so only configured providers activate — and runs the registrar against the ASP.NET AuthenticationBuilder, registering one scheme per configured instance.
AudienceProviderRoleClaimsTransformer + AddAudienceRoleClaimsTransformation()
The framework-shipped IClaimsTransformation that runs after ASP.NET authentication completes: it reads the resolved scheme for the request and dispatches to the per-scheme IApplicationUserResolver the app registered, producing the Cirreum IApplicationUser and its role claims. One registration covers every scheme.
TwoPhaseAuth
Connection-state promotion for long-lived connections (SignalR / WebSocket): a connection that established with an anonymous sentinel principal can be promoted to a fully authenticated principal mid-connection — after an in-band handshake — without tearing down and re-establishing.
Diagnostics
AuthenticationProviderDiagnostics exposes the Authentication runtime's ActivitySource and Meter for tracing and metrics.
Why this lives in Cirreum.Runtime.AuthenticationProvider
This is runtime composition — neither a contract (those are in Cirreum.AuthenticationProvider) nor the app-facing entry point (that's the umbrella). Isolating the bootstrap, the claims transformer, and connection promotion here means the umbrella stays a thin one-call surface while the composition engine versions with the contracts it drives.
Coordinated downstream work
Cirreum.Runtime.Authentication (the umbrella) calls RegisterAuthenticationProvider<…> once per framework-shipped scheme and wires AddAudienceRoleClaimsTransformation(); this package flows into apps transitively through it. Publishes after Cirreum.AuthenticationProvider.
Compatibility
- Additive. Initial release.
- .NET 10.0.
- References
Cirreum.AuthenticationProvider(the track contracts and registrar base) and the ASP.NET shared framework.Cirreum.Kernel/Cirreum.Common/Cirreum.Providersflow in transitively.
See also
CHANGELOG.md— condensed change list for1.0.0.