Add a helper extension for setting up JWT bearer authentication #1213
Comments
Shared options should die in a tire fire, with all due respect :)
@brockallen Could you please file a separate issue with that feedback (if you haven't already) and add some more details on what you'd like to see changed?
So shared options are basically a sugar/hack that allow not specifying the scheme for things like Authorize and automatically getting a httpContext.User from cookies, and having remote OAuth providers automatically create an 'Application' cookie. That said, I'm not sure most people want to see or understand all that complexity, which is why we've always sort of hidden them with default 'shared' options.
Thus the ask :) I see them as analogous to shared/static/ambient state that we've all been trying to move away from.
Yeah well, templates need to be simple/pretty/clean is the other argument, and in many apps, there really is a good candidate for 'default' authentication scheme (usually a cookie), and if you don't like the sugar, you don't have to use it anyways. But I'll grant you the fact that the sugar is there has hidden the fact that you can explicitly set a lot of these things...
Yea, it's just a reminder about magic and ambient stuff not helping people understand things. As said elsewhere, we already have enough issues about people not knowing how any of this works.
Isn't this a non-issue for bearer since you only have to set the defaults if there's more than one?
Yeah so if this method is the only AddXyzAuthentication called for that template, you should just call AddJwtBearerAuthentication directly and avoid setting the defaults
Ah, I didn't realize that. I'll try that out, but it sounds like we don't need this one then.
Right -- which illustrates that most people won't know when they do and don't need to use those defaults. Tire fire! Just kidding about the tire fire, and I appreciate that it's not a trivial consideration. I just like to expect that devs are required to know certain things, otherwise they shouldn't be the ones writing their critical authentication and identity management infrastructure.
Closing this issue because it ends up being a one-liner anyway.
To set up JWT bearer authentication you have to: 1. add JWT bearer, 2. set up the default auth schemes. We should add a helper extension that does this for you:
The templates currently have this code that should be in the framework:
Alternative names:
AddDefaultJwtBearerAuthentication, ...
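The two steps listed in the issue, and the implicit-versus-explicit scheme question debated in the comments, as an added example that is not code from this issue or from the project. It assumes a .NET 6+ minimal-API app using the `AddAuthentication(...).AddJwtBearer(...)` registration style rather than the `AddJwtBearerAuthentication` helper named in the thread; the authority, audience and route names are placeholders.

```csharp
// Added example. Assumes the Microsoft.AspNetCore.Authentication.JwtBearer
// package is referenced and implicit usings are enabled (web SDK default).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        // Step 2 from the issue: make JWT bearer the default scheme, so that
        // authorization with no scheme named authenticates and challenges with it.
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    // Step 1 from the issue: register the JWT bearer handler itself.
    .AddJwtBearer(options =>
    {
        options.Authority = "https://issuer.example"; // placeholder token issuer
        options.Audience = "example-api";             // placeholder audience
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Relies on the ambient default: which handler validates the request is
// decided by the options above, not by anything visible at the endpoint.
app.MapGet("/implicit", (HttpContext ctx) => ctx.User.Identity?.Name ?? "authenticated")
   .RequireAuthorization();

// Names the scheme at the endpoint: this keeps accepting bearer tokens only,
// even if a cookie scheme is later registered and made the default.
app.MapGet("/explicit", (HttpContext ctx) => ctx.User.Identity?.Name ?? "authenticated")
   .RequireAuthorization(new AuthorizeAttribute
   {
       AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme
   });

app.Run();
```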