Adding Auth to endpoints #241
Conversation
|
@BrennanConroy, |
samples/ChatSample/Hubs/Chat.cs
Outdated
| { | ||
| Context.Connection.Dispose(); | ||
| } | ||
| //if (!Context.User.Identity.IsAuthenticated) |
samples/ChatSample/Startup.cs
Outdated
| using Microsoft.EntityFrameworkCore; | ||
| using Microsoft.Extensions.Configuration; | ||
| using Microsoft.Extensions.DependencyInjection; | ||
| using Microsoft.Extensions.Logging; | ||
|
|
||
| namespace ChatSample | ||
| { | ||
| public class req : IAuthorizationRequirement |
samples/ChatSample/Startup.cs
Outdated
| public class req : IAuthorizationRequirement | ||
| { | ||
| } | ||
| public class reqHandler : AuthorizationHandler<req> |
samples/ChatSample/Startup.cs
Outdated
| @@ -54,8 +71,13 @@ public void ConfigureServices(IServiceCollection services) | |||
| services.AddTransient<ISmsSender, AuthMessageSender>(); | |||
|
|
|||
| services.AddSignalR(); | |||
| services.AddEndPoint<HubEndPoint<Chat>>(options => | |||
| using Microsoft.Extensions.Primitives; | ||
| using Microsoft.Extensions.Internal; |
There was a problem hiding this comment.
nit: Sort this last using
There was a problem hiding this comment.
Looking good so far. Bring @HaoK in to look at the authentication process. We're trying to mimic MVC here, but with EndPoints instead of Controllers/Actions as the authorized resource.
| { | ||
| public class EndPointOptions<TEndPoint> where TEndPoint : EndPoint | ||
| { | ||
| public AuthorizationPolicy Policy { get; set; } |
There was a problem hiding this comment.
Do we want to take the actual policy or a name to look up? I know AuthorizeAttribute uses a name, but then again it has to because it's an Attribute.
There was a problem hiding this comment.
You probably want to take the name, as that would enable scenarios where the policy is resolved dynamically by name which would be blocked if you took the policy instance always.
| @@ -48,6 +58,59 @@ public HttpConnectionDispatcher(ConnectionManager manager, ILoggerFactory logger | |||
| } | |||
| } | |||
|
|
|||
| private async Task<bool> AuthorizeAsync<TEndPoint>(HttpContext context) where TEndPoint : EndPoint | |||
There was a problem hiding this comment.
Is this pretty much an exact copy of the AuthorizeFilter logic? As apart of Auth 2.0 I'll try to consolidate this logic somewhere that MVC + SignalR can consume rather than duplicate...
There was a problem hiding this comment.
Yeah its from AuthorizeFilter, a common spot for this would be great!
There was a problem hiding this comment.
Agree. We should have live somewhere where both MVC and Signal R can consume
There was a problem hiding this comment.
So currently AuthZ doesn't depend on HttpAbstractions, assuming we want to keep that clean, we will need to add a new package for this helper in Security... maybe Microsoft.AspNetCore.Authorization.Http?
There was a problem hiding this comment.
Or is this more appropriate as a shared common code i.e. AuthorizationHelper similar to SecurityHelper (or we could just add this as a new method in SecurityHelper too)...
There was a problem hiding this comment.
I would make a package like Microsoft.AspNetCore.Authentication.Policy and I would offer a service
IPolicyAuthenticationProvider {
Task AuthenticateAsync(HttpContext context, string policyName);
}
It's implementation will do what the AuthorizeFilter does before setting the principal into the context. This has two benefits:
- You can reuse this logic across implementations (MVC, SignalR, any other middleware).
- You can get access to a principal that matches exactly what that policy defines at any point where you have access to the HttpContext.
There was a problem hiding this comment.
Okay I'll start a prototype/design PR for the rough shape of something this week
There was a problem hiding this comment.
Something like aspnet/Security#1148 look reasonable? It basically splits things into the authentication method, and authorization method (eventually this might have logic to distinguish between challenge/forbidden)
BrennanConroy
force-pushed
the
brecon/endpoint_auth
branch
3 times, most recently
from
faa3930 to
c1f3845
Compare
|
@BrennanConroy What's the deal with this PR? |
BrennanConroy
force-pushed
the
brecon/endpoint_auth
branch
2 times, most recently
from
f6bea88 to
c86a3b4
Compare
BrennanConroy
changed the title
|
@BrennanConroy rebsae |
| @@ -51,6 +60,58 @@ public HttpConnectionDispatcher(ConnectionManager manager, ILoggerFactory logger | |||
| } | |||
| } | |||
|
|
|||
| private async Task<bool> AuthorizeAsync<TEndPoint>(HttpContext context) where TEndPoint : EndPoint | |||
BrennanConroy
force-pushed
the
brecon/endpoint_auth
branch
from
c86a3b4 to
842662e
Compare
|
🆙 📅 |
| private Task<bool> AuthorizeAsync<TEndPoint>(HttpContext context) where TEndPoint : EndPoint | ||
| { | ||
| // TODO: Authorize attribute on EndPoint | ||
| var options = context.RequestServices.GetRequiredService<IOptions<EndPointOptions<TEndPoint>>>(); |
There was a problem hiding this comment.
Why are you resolving options twice?
BrennanConroy
force-pushed
the
brecon/endpoint_auth
branch
from
f28baa3 to
23ca2a2
Compare
| var options = context.RequestServices.GetRequiredService<IOptions<EndPointOptions<TEndPoint>>>().Value; | ||
| // TODO: Authorize attribute on EndPoint |
There was a problem hiding this comment.
Is there a bug for this?
| { | ||
| public static class AuthorizeHelper | ||
| { | ||
| public static async Task<bool> AuthorizeAsync(HttpContext context, AuthorizationPolicy policy) |
There was a problem hiding this comment.
Given that we complete synchronously if policy is null, perhaps this is a place for ValueTask<bool>? C# 7 lets you drop it in place and continue using async. It's not a super high-performance code path, but it seems useful for the relatively common case of not having an auth policy.
@davidfowl thoughts on more ValueTasks? Premature optimization? Other unknown costs?
There was a problem hiding this comment.
If there's going to be a new commit to remove the jasmine crap, may as well throw it in here, it's a small change (unless ValueTask isn't available in our current package set, then I agree, just get it in).
There was a problem hiding this comment.
Never mind, Task<bool> is cached: https://referencesource.microsoft.com/#mscorlib/system/runtime/compilerservices/AsyncMethodBuilder.cs,a431f9d7dd423518
| @@ -0,0 +1,152 @@ | |||
| /* | |||
There was a problem hiding this comment.
Is this supposed to be checked in? If not, can we gitignore it?
BrennanConroy
force-pushed
the
brecon/endpoint_auth
branch
from
4f9c8e5 to
8f9f6bc
Compare
This PR is mainly to see what the current Auth progress is and if it is heading in the right direction and also to get input on design. Built on top of #240. Try to ignore most of the weird stuff in the samples.
@moozzyk @davidfowl @anurse @mikaelm12