Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Breaking change]: Changes in default authentication scheme handling for ASP.NET Core #490

Open
1 of 3 tasks
captainsafia opened this issue Jul 20, 2022 · 0 comments
Open
1 of 3 tasks
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs
Milestone

Comments

@captainsafia
Copy link

captainsafia commented Jul 20, 2022

Description

Starting in .NET 7 Preview 7, we introduced new behavior in the authentication area in ASP.NET Core.

Previously, users were always required to set the default authentication scheme that would be used by authentication and authorization handlers, like so:

builder.Services.AddAuthentication("MyDefaultScheme");

Moving forward, when (and only when) a single authentication scheme is registered, that scheme will be treated as the default scheme. For example, "foobar" will be treated as the default scheme in the code below.

builder.Services.AddAuthentication().AddOAuth("foobar");

This change might expose unintended behavior changes in applications, such as authentication options being validated earlier than expected.

Version

.NET 7 Preview 7

Previous behavior

Previously, when users did not provide a default scheme in the AddAuthentication call, no default scheme was set.

builder.Services.AddAuthentication().AddCookie();

This impacted the behavior of authentication handlers in the application layer.

New behavior

Moving forward, if (and only if) a single scheme is registered in an application, that scheme will be treated as the default. In the code below, the CookieDefaults.AuthenticationScheme will be treated as the default scheme.

builder.Services.AddAuthentication().AddCookie();

However, in the code snippet below, no default will be set because multiple schemes are registered.

builder.Services.AddAuthentication().AddCookie().AddJwtBearer();

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

To reduce boilerplate when configuring authentication and set up sensible defaults.

Recommended action

The change only impacts applications with a single scheme registered. For those scenarios, it's recommended to ensure that your application is prepared to handle the assumption that a single scheme is the default. For example, the options associated with that scheme should be configured correctly.

Alternatively, this behavior can be disabled by setting the Microsoft.AspNetCore.Authentication.SuppressAutoDefaultScheme app context flag.

Affected APIs

Authentication APIs.

@ghost ghost locked as resolved and limited conversation to collaborators Jul 20, 2022
@captainsafia captainsafia added this to the 7.0.0 milestone Jul 20, 2022
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Jul 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs
Projects
None yet
Development

No branches or pull requests

2 participants