Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Automatically infer `OpenApiSecuritySchemes` from authentication configuration
See original GitHub issueAt the moment, when users enable authentication in their ASP.NET apps, they typically have to manually the describe the OpenApiSecuritySchemes in their application and the top level and configure OpenApiSecurityRequirements for each route that requires authentication and authorization.
We should infer as much of these definitions as possible so users don’t need to configure auth twice, once for their application and another time for OpenAPI.
Provide metadata support for parts of the specification documented in https://swagger.io/docs/specification/authentication/.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:7
- Comments:7 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Who knew auth could be so hard? 🤪
I started experimenting with some of this support in the new Microsoft.AspNetCore.OpenAPI package. The problem is generally easy to solve for cookie and JWT bearer-based authentication types, but OAuth authentication types are a lot trickier for us to derive automatic annotations for because:
We’ve had conversations about how to make the authentication system more self-describing for annotation purposes. There’s more design scenarios to reason about here but for .NET 7 we’re scoping it down to auto-generating annotations for JWT-bearer based types to align with the work we’ve done with
dotnet user-jwtsand the options-from-config changes.I spent some time prototyping what this would look like and landed on a pretty solid strategy that uses
PostConfigureOptionson a customAuthenticationBuilderthat would work well for this.With that in mind, here’s some of the challenges:
PostConfigureOptionsneeds to be added to DI as part of theAddAuthenticationcall. In my demo, I added this behavior to a customWebApplicationAuthenticationBuilderthat was part ofWebApplication. Similar to the model that we tried out in .NET 7 withbuilder.Authentication. It’s not totally necessary but not having it would mean that this behavior will be enabled for all authentication scenarios in .NET 8.PostConfigureOptionswould need to emitOpenApiSecuritySchemesgivenAuthenticationSchemeOptionsbut cannot take a dependency on the type since it is not in the shared framework. We could consider packaging it in the shared framework or build a set of intermediary definitions.