Enable authenticating with remote app #40
Conversation
...icrosoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationModule.Framework.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationResult.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationService.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationService.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationService.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationOptions.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationResultFactory.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationResultFactory.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationResultFactory.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationService.cs
Outdated
Show resolved
Hide resolved
|
Yep, for sure. I'll get some docs added today. |
|
Question: Do we want this in a separate library? The session stuff was put in a separate package because it would force new dependencies brought in by System.Text.Json. Does this bring in new dependencies? |
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationOptions.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RedirectUrlProcessor.cs
Outdated
Show resolved
Hide resolved
| /// <returns></returns> | ||
| public Task ProcessAsync(RemoteAuthenticationResult result, HttpContext context) | ||
| { | ||
| if (result.ResponseHeaders.TryGetValue(LocationHeaderName, out var locationHeaders)) |
There was a problem hiding this comment.
Set-Cookie headers can have a similar problem with their path and domain fields.
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationAuthHandler.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationAuthHandler.cs
Outdated
Show resolved
Hide resolved
...icrosoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationModule.Framework.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationOptions.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationOptions.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationService.cs
Outdated
Show resolved
Hide resolved
...oft.AspNetCore.SystemWebAdapters.Authentication/RemoteAuthenticationHttpHandler.Framework.cs
Outdated
Show resolved
Hide resolved
|
@twsouthwick - that's a good point. This doesn't pull in any new dependencies, so we could include it in the SystemWebAdapters project without adding a new one. I suppose it might be nice for customers to not have too many packages they need to install. @Tratcher - so far, I've tested it with OWIN cookie auth (ASP.NET Idenity) and it works for that scenario. I'll try out forms auth and JWT tokens to confirm it works for those scenarios, too. |
src/Microsoft.AspNetCore.SystemWebAdapters.Authentication/IRemoteAuthenticationMetadata.cs
Outdated
Show resolved
Hide resolved
|
I've added a sample in this PR demonstrating authenticating with the ASP.NET app for bearer token scenarios (so we have samples now for cookies and bearer auth). I'll spend some time today updating the PR based on the remaining feedback here and then will try it out with forms auth to make sure it works for that scenario, too. |
# Conflicts: # samples/MvcApp/Global.asax.cs # samples/MvcCoreApp/Program.cs # src/Microsoft.AspNetCore.SystemWebAdapters.SessionState/RemoteSession/RemoteAppSessionStateOptions.cs # src/Microsoft.AspNetCore.SystemWebAdapters/Microsoft.AspNetCore.SystemWebAdapters.csproj
Co-authored-by: Chris Ross <Tratcher@Outlook.com>
What kind of magic? |
|
The LoginStatus element of the forms app ( I expect the user could mimic this action from the ASP.NET Core app, but my guess is they'll need to make a request that looks like a post back and I haven't dug into what all that entails. |
There was a problem hiding this comment.
This seems workable but I have a few concerns.
- This makes sense for things like forms auth, but how do people eventually migrate off of forms auth after their content has moved over?
- Doing JWT this way is a lot less efficient and more complicated than setting it up separately in each app. While it may be possible, I don't think we should encourage it. We should create a sample showing how JWT can be set up separately in each app.
samples/RemoteAuth/Bearer/RemoteBearer/App_Start/OpenIdConnectCachingSecurityTokenProvider.cs
Outdated
Show resolved
Hide resolved
|
Thanks, @Tratcher. Those are good questions. I agree that this isn't going to be the right approach for all auth scenarios (JWT can be done better pretty easily and we can potentially provide some code to help with cookies). I think this is a useful first step to getting auth working that can be used as a fallback for most scenarios (everything except Windows auth, I think) until we have a better solution or better guidance available. As far as how to migrate off of it, that's a good point. I think we'll probably want a follow-up feature that allows users to authenticate in the ASP.NET Core app and forward the identity to the ASP.NET app (so, the reverse of what's happening here). I've already prototyped that approach and it works. I realize that doesn't make migrating off of forms auth any easier - that's a separate problem - but it does enable a user to make that transition without having to have all their endpoints migrated to ASP.NET Core first. That can be a separate PR, though, and I think this current one is the higher priority based on a principle of getting people started with .NET 6 as quickly and painlessly as possible. |
Co-authored-by: Taylor Southwick <tasou@microsoft.com>
Co-authored-by: Taylor Southwick <tasou@microsoft.com>
Co-authored-by: Taylor Southwick <tasou@microsoft.com>
Co-authored-by: Taylor Southwick <tasou@microsoft.com>
…mweb-adapters into mikerou/remote-auth
I don't know how many people will want that given they'll want to limit changes/investments in the old app. Have any customers we've interviewed expressed interest in that?
This is the main thing we need guidance for, we can't strand people in this hybrid state. |
src/Microsoft.AspNetCore.SystemWebAdapters/Authentication/RemoteAppAuthenticationService.cs
Outdated
Show resolved
Hide resolved
Agreed. Figuring out how to migrate off of forms auth is orthogonal to this PR, though, since this is just about bridging the gap so that the apps can share auth while endpoints migrate over gradually. Having a path forward for folks who used forms auth will be important, though, whether a user is taking advantage of these tools or just migrating all at once on their own. |
I can state for a fact, that I would be interested in moving the auth to core, and forwarding to my asp.net app. You already have to make changes to your old app (to handle session state etc.), so I don't see anything wrong with adding something else to provide auth sharing. I think there is already some stuff to handle this in The only other thing I would say, is that being able to migrate my customized |
|
@CZEMacLeod That's one customers opinion 😄, we have many of them at different stages of migration and they not be as willing to risk changing the old app up front. |
This PR enables remote authentication so that the ASP.NET Core app in an upgrade workflow can defer to the original ASP.NET app for user identity.
Fixes #15