dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Authentication docs for scenarios with multiple auth types #2363

Open Tratcher opened 7 years ago

Tratcher commented 7 years ago

When multiple authentication types are used in one application, the developer needs to be explicit about which type to use where. Add docs about:

Rick-Anderson commented 5 years ago

@danroth27 we don't have the bandwidth or expertise for non-trivial security issues like this. Hence the PU (Product Unit) label.

HaoK commented 5 years ago

@Tratcher I think this topic does a reasonable enough job now: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.1&tabs=aspnetcore2x

It doesn't cover everything you listed but it covers some of the issues involved with multiple schemes.

Tratcher commented 5 years ago

We have a sample that includes Jwt + cookies? That doesn't make sense, you can't challenge both of them.

```csharp
// Requires the following imports:
// using Microsoft.AspNetCore.Authentication.Cookies;
// using Microsoft.AspNetCore.Authentication.JwtBearer;
[Authorize(AuthenticationSchemes = AuthSchemes)]
public class MixedController : Controller
{
    // Comma-separated list of the schemes this controller authenticates against.
    private const string AuthSchemes =
        CookieAuthenticationDefaults.AuthenticationScheme + "," +
        JwtBearerDefaults.AuthenticationScheme;
}
```
HaoK commented 5 years ago

This doc predates the policy scheme stuff. I think https://github.com/aspnet/AuthSamples/tree/master/samples/PathSchemeSelection is probably the best sample for mixing those as of 2.1.

HaoK commented 5 years ago

I guess I should just close this issue or repurpose it towards documenting the policy scheme stuff, which targets this general scenario.

Tratcher commented 5 years ago

AutomaticAuthenticate has become DefaultAuthenticateScheme or DefaultScheme.
AutomaticChallenge has become DefaultChallengeScheme or DefaultScheme.
I don't see any direct docs for either, only a few examples like this one.

CallbackPath may get covered by https://github.com/aspnet/Docs/issues/7025, though it's more generic than OAuth.

Proper setup for an app that contains both web pages and APIs

This may finally get some coverage with the Identity Server effort.

HaoK commented 5 years ago

My main point is all of these are obsolete/already things we are moving away from; it doesn't seem worth it to document them now. It's better to just document the forward-looking things (policy schemes + Identity Server). I will leave this bug open but unassign myself, and I'll file a new issue to track documenting virtual schemes and work on that today.
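As an added example (not the AuthSamples code HaoK links to, and not part of this thread), here is the policy-scheme approach that both HaoK's comments and Tratcher's DefaultScheme/DefaultChallengeScheme remark point at: one policy scheme forwards requests under /api to JWT bearer and everything else to cookies, so each request authenticates and challenges against exactly one concrete scheme instead of trying to challenge both. The scheme name PathPolicy, the /api prefix, and the authority/audience values are placeholders chosen for the example.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Constructed name for the policy scheme that selects between the two real schemes.
    private const string PathPolicyScheme = "PathPolicy";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Both defaults point at the policy scheme, so authenticate and challenge
            // are forwarded to a single concrete scheme decided per request.
            options.DefaultScheme = PathPolicyScheme;
            options.DefaultChallengeScheme = PathPolicyScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            // Browser pages get a redirect challenge to the login page.
            options.LoginPath = "/Account/Login";
        })
        .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            // Placeholder values; replace with the real token issuer and audience.
            options.Authority = "https://ISSUER-PLACEHOLDER";
            options.Audience = "api-placeholder";
        })
        .AddPolicyScheme(PathPolicyScheme, PathPolicyScheme, options =>
        {
            // Path-based selection: /api/* is JWT bearer (401 on failure),
            // everything else is cookie (redirect on failure).
            options.ForwardDefaultSelector = context =>
                context.Request.Path.StartsWithSegments("/api")
                    ? JwtBearerDefaults.AuthenticationScheme
                    : CookieAuthenticationDefaults.AuthenticationScheme;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With this in place a plain [Authorize] is enough on both page and API controllers; the per-controller scheme list from the older sample is no longer needed.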

Rick-Anderson commented 4 years ago

@HaoK should we keep this open?