Skip to content

Releases: cirreum/Cirreum.Runtime.AuthenticationProvider

Release v1.1.1

Choose a tag to compare

@hyspdrt hyspdrt released this 08 Jul 14:32

Full Changelog: v1.1.0...v1.1.1

Release v1.1.0

Choose a tag to compare

@hyspdrt hyspdrt released this 07 Jul 06:27

Cirreum.Runtime.AuthenticationProvider 1.1.0 — connection.Promote(principal)

Why this release exists

Two-Phase Auth's write surface predated the connection-ownership surface that now ships
in Cirreum.Contracts (PromotedUser / EffectiveUser / IsUserPromoted). The old
static helpers (TwoPhaseAuth.Promote(connection, principal),
GetPromotedPrincipal, IsPromoted) duplicated the read side and — more importantly —
left a correctness gap: promoting a connection did not evict the application user cached
for the pre-promotion identity, so an invocation constructed mid-promotion could pair
the promoted principal with the previous identity's domain user.

What's new

connection.Promote(authenticatedPrincipal);
  • Promotion is now an extension member on IInvocationConnection — the write-side
    complement of the Contracts read surface. Authenticated-principal validation is
    unchanged; re-promotion still overwrites.
  • The eviction invariant. Promote removes the connection's cached application user
    before stamping the promoted principal. A concurrently-constructed invocation can
    observe old-principal + old-cache, or either value briefly absent — never
    new-principal + the previous identity's cached user. The lazy resolve path repopulates
    the cache for the promoted identity on the next invocation.
  • AuthenticatedScheme deliberately survives promotion — it describes how the
    connection (transport) authenticated, not the current occupant.
  • The GetPromotedPrincipal / IsPromoted statics are gone — read
    connection.PromotedUser / connection.IsUserPromoted from Cirreum.Contracts
    instead. No shims: the old surface had no external consumers.

Compatibility

Source-breaking for the (unconsumed) static forms; behavior-additive otherwise. First
test coverage for the promotion surface ships with this release (8 tests, including an
operation-order test locking the evict-before-stamp invariant).

See also

  • Cirreum.Contracts 1.4.x — the connection-ownership read surface
  • Cirreum.Services.Server 1.3.0 — per-invocation contexts snapshot EffectiveUser;
    the connection registry and termination handler honor promotion

Release v1.0.2

Choose a tag to compare

@hyspdrt hyspdrt released this 04 Jul 22:57

Full Changelog: v1.0.1...v1.0.2

Release v1.0.1

Choose a tag to compare

@hyspdrt hyspdrt released this 04 Jul 20:58

Full Changelog: v1.0.0...v1.0.1

Release v1.0.0

Choose a tag to compare

@hyspdrt hyspdrt released this 03 Jul 23:09

Cirreum.Runtime.AuthenticationProvider 1.0.0 — The composition engine behind AddAuthentication()

Cirreum.Runtime.AuthenticationProvider is the runtime driver for Cirreum's Authentication pillar. It turns a scheme registrar into registered ASP.NET authentication services, and supplies the claims transformer that maps an authenticated principal onto a Cirreum IApplicationUser. Apps never reference it directly — it flows in transitively behind the Cirreum.Runtime.Authentication umbrella.

Strictly additive — initial release. A new package in the Cirreum 1.0 Foundation Reset; no predecessor. Targets .NET 10.0.


Why this release exists

The Authentication pillar is split into three layers: the contracts (Cirreum.AuthenticationProvider), the runtime composition (this package), and the app-facing umbrella (Cirreum.Runtime.Authentication). This package is the middle layer — the typed bootstrap that the umbrella calls once per framework-shipped scheme to bind configuration and register handlers, plus the post-authentication machinery (the claims transformer and connection-promotion helper) that every scheme shares. Keeping it separate from the umbrella lets the composition logic evolve and version alongside the contracts, independent of the one-call app surface above it.


What's new

RegisterAuthenticationProvider<TRegistrar, TSettings, TInstanceSettings>()

builder.RegisterAuthenticationProvider<
    OidcAuthenticationRegistrar,
    OidcAuthenticationSettings,
    OidcAuthenticationInstanceSettings>(authBuilder);

The single bootstrap entry point (invoked by the umbrella, not app code). It dedups via a marker type (repeat calls for the same registrar are no-ops), binds Cirreum:Authentication:Providers:{ProviderName} to the typed settings, skips with a debug log when the section is absent — so only configured providers activate — and runs the registrar against the ASP.NET AuthenticationBuilder, registering one scheme per configured instance.

AudienceProviderRoleClaimsTransformer + AddAudienceRoleClaimsTransformation()

The framework-shipped IClaimsTransformation that runs after ASP.NET authentication completes: it reads the resolved scheme for the request and dispatches to the per-scheme IApplicationUserResolver the app registered, producing the Cirreum IApplicationUser and its role claims. One registration covers every scheme.

TwoPhaseAuth

Connection-state promotion for long-lived connections (SignalR / WebSocket): a connection that established with an anonymous sentinel principal can be promoted to a fully authenticated principal mid-connection — after an in-band handshake — without tearing down and re-establishing.

Diagnostics

AuthenticationProviderDiagnostics exposes the Authentication runtime's ActivitySource and Meter for tracing and metrics.


Why this lives in Cirreum.Runtime.AuthenticationProvider

This is runtime composition — neither a contract (those are in Cirreum.AuthenticationProvider) nor the app-facing entry point (that's the umbrella). Isolating the bootstrap, the claims transformer, and connection promotion here means the umbrella stays a thin one-call surface while the composition engine versions with the contracts it drives.


Coordinated downstream work

Cirreum.Runtime.Authentication (the umbrella) calls RegisterAuthenticationProvider<…> once per framework-shipped scheme and wires AddAudienceRoleClaimsTransformation(); this package flows into apps transitively through it. Publishes after Cirreum.AuthenticationProvider.


Compatibility

  • Additive. Initial release.
  • .NET 10.0.
  • References Cirreum.AuthenticationProvider (the track contracts and registrar base) and the ASP.NET shared framework. Cirreum.Kernel / Cirreum.Common / Cirreum.Providers flow in transitively.

See also

  • CHANGELOG.md — condensed change list for 1.0.0.