Operation level authentication and scopes #2901
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
susliko
requested review from
bterlson,
daviwil,
markcowl,
allenjzhang and
timotheeguerin
as code owners
|
@microsoft-github-policy-service agree |
susliko
force-pushed
the
flexible-auth
branch
from
2f3c62e
to
4b32f52
Compare
|
❌ There is undocummented changes. Run The following packages have changes but are not documented.
|
|
You can try these changes at https://cadlplayground.z22.web.core.windows.net/prs/2901/ Check the website changes at https://tspwebsitepr.z22.web.core.windows.net/prs/2901/ |
susliko
force-pushed
the
flexible-auth
branch
5 times, most recently
from
8417dc8
to
9297247
Compare
susliko
force-pushed
the
flexible-auth
branch
from
9297247
to
29fa3de
Compare
There was a problem hiding this comment.
Hi @susliko this starts to look pretty good, I think I have a bit of feedback on the new resolve api and what I think might look better. Let me know what you think.
I am trying to review your deviation of the approved design with our team but I am optimistic we should be able to get that approved and merged for the next(march) release.
susliko
force-pushed
the
flexible-auth
branch
2 times, most recently
from
4768936
to
49dbb07
Compare
susliko
force-pushed
the
flexible-auth
branch
2 times, most recently
from
0561528
to
2aea817
Compare
timotheeguerin
approved these changes
Feb 26, 2024
susliko
force-pushed
the
flexible-auth
branch
from
2aea817
to
8304b8f
Compare
Resolves microsoft#2624 Major changes: - `@useAuth` can now be used both at interface and operation levels - OAuth2 scopes can be overriden at operation level
susliko
force-pushed
the
flexible-auth
branch
from
8304b8f
to
6ef7da0
Compare
markcowl
pushed a commit
to markcowl/cadl
that referenced
this pull request
Mar 8, 2024
Hi! 🖖🏻 This PR resolves microsoft#2624 by implementing the [design doc](https://gist.github.com/timotheeguerin/56690786e61a436710dd647de9febc0f), but in its initial form: - `@useAuth` can now be applied not only to service namespace, but to interfaces and operations as well. Its arguments override all authentication, which was set for enclosing scopes. - OAuth2 scopes can now be set at operation level (though, the code doing this in OpenAPI emitter is a bit clunky). - New `NoAuth` authentication option allows to declare optional authentication (`NoAuth | AnyOtherAuth`) or override authentication to none in nested scopes. This implementation does not introduce new `@authScopes` decorator as design doc comments suggest, and here's why: 1. It does not compose well with `@useAuth` at operation level. For example ``` ... @useAuth(BasicAuth) @authScopes(MyOauth2, ["read"]) op gogo(): void ``` Should that be equivalent to `BasicAuth | MyOauth2`, or to `[BasicAuth, MyOauth2]`? 2. Introducing new decorator would increase complexity, but (imho) it would not reduce the amount of boilerplate: ``` alias MyOAuth2 = OAuth2Auth<{ ... }>; @useAuth(MyOAuth2) @authAcopes(MyOauth2, ["read"]) @service namepsace Foo; ``` vs ``` model MyOAuth2Flow<T extends string[]> { ... }; alias MyOauth2<T extends string[]> = Oauth2Auth<[MyOauth2Flow[T]]> @useAuth(MyOAuth2<["read"]>) @service namepsace Foo ``` I would be happy to hear any feedback and apply suggested changes. And thanks for a convenient development setup and thorough test coverage! --------- Co-authored-by: Timothee Guerin <timothee.guerin@outlook.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi! 🖖🏻
This PR resolves #2624 by implementing the design doc, but in its initial form:
@useAuthcan now be applied not only to service namespace, but to interfaces and operations as well. Its arguments override all authentication, which was set for enclosing scopes.NoAuthauthentication option allows to declare optional authentication (NoAuth | AnyOtherAuth) or override authentication to none in nested scopes.This implementation does not introduce new
@authScopesdecorator as design doc comments suggest, and here's why:@useAuthat operation level. For exampleShould that be equivalent to
BasicAuth | MyOauth2, or to[BasicAuth, MyOauth2]?vs
I would be happy to hear any feedback and apply suggested changes.
And thanks for a convenient development setup and thorough test coverage!