How can I force hotchocolate to use an authentication scheme that is not the default?

[ronnyek]

Greetings. We've currently got hotchocolate integrated with our application and things are generally working pretty great (version 13.3.3).

Our API has 2 authentication providers setup, a proprietary setup.. .and basic. I'd like to have the graphql endpoint be able to use a authentication scheme that is not the default. I've tried marking up the query with the [Authorize(AuthenticationSchemes="BasicAuthentication")] as well as going so far to create a custom interceptor and registering that.

internal class BasicAuthRequestInterceptor: DefaultHttpRequestInterceptor
{
    public override async ValueTask OnCreateAsync(HttpContext context, IRequestExecutor requestExecutor, IQueryRequestBuilder requestBuilder,
        CancellationToken cancellationToken)
    {
        await context.AuthenticateAsync("BasicAuthentication");
        base.OnCreateAsync(context, requestExecutor, requestBuilder, cancellationToken);
    }
}

I registered this with

 services.AddGraphQLServer()
     .AddHttpRequestInterceptor<BasicAuthRequestInterceptor>()

I'm not even seeing that OnCreateAsync fire, always just defaults to the default authentication scheme. Incidentally I do have endpoints and other frameworks that use the BasicAuthentication scheme and work... but can't seem to get graphql endpoint to default to that (or maybe even just allow both?)

The problem is by default the other auth provider is CAS, and requires hitting a central identity server, getting a cookie set, and redirecting back to our app. When I embed bananna cake pop into our .net app, that actually works great... but now we're going to need to remove that from being embedded directly in our app, and just run the standalone bannana cake pop. I'm assuming there is no way to handle redirect and perform the login to get appropriate cookies set.

I was going to conditionally allow this other authentication scheme to allow basic authentication so that we could very easily connect standalone bananna cake pop to our api.

Any ideas would be greatly appreciated.

[ronnyek]

As a side note, I was able to call app.MapGraphQL("/graphqlopen").AllowAnonymous(); (obviously this wont ever make it to production code) and when I hit this endpoint, it then triggers the basic authentication checks.

I think this will actually suffice for what I need, but would still be curious if there is a different way to just say MapGraphQL().UseScheme("somescheme") or something like that

[ronnyek]

A followup here... if I allowAnonymous so that the interceptor fires, I can call AuthenticateAsync("BasicAuthentication") and the result of that returns an AuthenticationResponse with the Succeeded value set to false (when basic auth credentials are invalid), but there is no way to have graphql return 401.

If I do context.Response.StatusCode = StatusCodes.Status401Unauthorized; within my interceptor, graphql still returns 201 with the result of the request (whether that's schema information or results of a query)

[ronnyek]

Ok, I think I got it all figured out.

Firstly, create authorization policy like so

opts.AddPolicy("BasicAuth", builder =>
{
    builder.AuthenticationSchemes.Add("BasicAuthentication");
    builder.RequireAuthenticatedUser();
});

Then when calling MapGraphQL() call it like so:

app.MapGraphQL("/graphqlbasic").RequireAuthorization("BasicAuth");

Hotchocolate now enforces access to this endpoint as expected... and with the basic authentication provider. No need for an interceptor or anything afaik.