
Hot Reload Authentication settings

Open aaronburtle opened this issue 2 years ago • 2 comments

The authentication settings are configured during startup. This means that simply refreshing the RuntimeConfig to reflect saved changes is not enough to update the authentication settings that the service will be using. Instead, those changes that need to be made must be done so in a way that refreshes the settings that were configured during startup.

aaronburtle, Jan 12 '24 03:01

Moving this + hot reload related tasks to post GA -> tracking via 1.2rc milestone.

seantleonard, Mar 07 '24 17:03

Startup.cs ConfigureAuthentication() function requires refactoring to fulfill this task.

All possible authentication schemes (JWT, SWA, AppService, Simulator) need to be configured regardless of what contents exist in the runtime configuration.

e.g.

```csharp
services.AddAuthentication(defaultScheme: EasyAuthType.StaticWebApp)
    .AddJwtBearer(options =>
    {
        options.Property = "<IOptionsMonitor?>";
    })
    .AddEasyAuthAuthentication(easyAuthAuthenticationProvider: EasyAuthType.StaticWebApp)
    .AddEasyAuthAuthentication(easyAuthAuthenticationProvider: EasyAuthType.AppService)
    // condition Simulator auth for development mode ONLY
    .AddSimulatorAuthentication();
```

Requirements to figure out:

  • AddJwtBearer supports IOptionsMonitor; need to figure out how to signal changes due to hot reload, because hot reloading different jwt providers requires refreshing the jwtprovider options.
  • Authenticate requests using the currently configured authentication configuration; this requires modifications to the ClientRoleHeaderAuthenticationMiddleware:

    ```csharp
    public async Task InvokeAsync(HttpContext httpContext)
    {
        // authNResult will be one of:
        // 1. Succeeded - Authenticated
        // 2. Failure - Token issue
        // 3. None - No token provided, no auth result.
        // no param to AuthenticateAsync() uses default authentication scheme
        // (which per above config is set as: services.AddAuthentication(defaultScheme: EasyAuthType.StaticWebApp))
        AuthenticateResult authNResult = await httpContext.AuthenticateAsync();
        // ...
    }
    ```

The following method signature should be used instead:

```csharp
public static Task<AuthenticateResult> AuthenticateAsync(this HttpContext context, string? scheme);
```

Depending on the configured authentication provider, supply the appropriate scheme to `AuthenticateAsync()`.

seantleonard, May 16 '24 23:05
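One way to do the per-request scheme selection described in the last comment, as an added example that is not the project's code. `AuthSettings`, the provider values and the scheme names are assumptions, and the sketch assumes `AuthSettings` is bound to a configuration source that raises change notifications on hot reload and that every scheme is registered at startup.

```csharp
#nullable enable
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;

// Hypothetical options type holding the provider name from the reloadable config.
public sealed class AuthSettings { public string? Provider { get; set; } }

public sealed class ReloadAwareAuthenticationMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IOptionsMonitor<AuthSettings> _settings;
    private readonly IHostEnvironment _env;

    public ReloadAwareAuthenticationMiddleware(
        RequestDelegate next, IOptionsMonitor<AuthSettings> settings, IHostEnvironment env)
    { _next = next; _settings = settings; _env = env; }

    // Maps the configured provider to a registered scheme name (names are assumed).
    // null means "no usable scheme": the caller rejects instead of using a default.
    internal static string? ResolveScheme(string? provider, bool isDevelopment) => provider switch
    {
        "JWT" => JwtBearerDefaults.AuthenticationScheme,
        "SWA" => "StaticWebApp",
        "AppService" => "AppService",
        "Simulator" when isDevelopment => "Simulator", // never honoured outside Development
        _ => null
    };

    public async Task InvokeAsync(HttpContext httpContext)
    {
        // CurrentValue is read on every request, so a reload takes effect on the next one.
        string? scheme = ResolveScheme(_settings.CurrentValue.Provider, _env.IsDevelopment());
        AuthenticateResult? authNResult =
            scheme is null ? null : await httpContext.AuthenticateAsync(scheme);

        // Fail closed on an unknown provider or a token failure.
        if (authNResult is null || authNResult.Failure is not null)
        {
            httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }
        // Succeeded: adopt the principal. None: continue with the existing (anonymous) user.
        if (authNResult.Succeeded) { httpContext.User = authNResult.Principal!; }
        await _next(httpContext);
    }
}
```

Reading the provider per request covers the scheme choice only; the JWT bearer options themselves still need their own change signal, which is the open requirement in the first bullet.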