#842 AuthenticationOptions in GlobalConfiguration #1215
Conversation
|
+1 to please add/merge this feature. Question: does your implementation allow for a given route to NOT have authentication? Like an 'allow anonymous' setting. In my project this would be needed for my identity service. |
|
@rathga, it should be quite easy to add this option. I'll try to update the pull request soon. Thanks for the feedback! |
raman-m
changed the title
raman-m
force-pushed
the
feature/842-authenticationoptions-in-globalconfiguration
branch
from
6e53f98
to
c1afca2
Compare
raman-m
added
feature
|
@jlukawska Hi J! What I've done:
Now we can start code review... |
Hey, Richard! Could you join to code review please? Also, check please, |
raman-m
requested review from
binarymash,
jps,
geffzhang,
RaynaldM,
philproctor,
anktsrkr,
sharpn,
abooraja,
wast,
raman-m,
yangzhongke,
margaale and
thiagoloureiro
There was a problem hiding this comment.
@RaynaldM @wast
Wow! 2 approvals from you, guys, without issues, really? 😉 👇
I am impressed! 😄
I see 2 major issues now:
- Unit & acceptance tests, and their methods have a lot of copied & pasted code snippets. The fact-methods are long. But they could be shorter.
- Some lines are too long. It is hard to read.
I would appreciate if PR author will fix them.
| @@ -42,6 +42,63 @@ When Ocelot runs it will look at this Routes AuthenticationOptions.Authenticatio | |||
|
|
|||
| If a Route is authenticated Ocelot will invoke whatever scheme is associated with it while executing the authentication middleware. If the request fails authentication Ocelot returns a http status code 401. | |||
|
|
|||
| If you want to configure AuthenticationOptions the same for all Routes, do it in GlobalConfiguration the same way as for Route. If there are AuthenticationOptions configured both for GlobalConfiguration and Route (AuthenticationProviderKey is set), the Route section has priority. If you want to exclude route from global AuthenticationOptions, you can do that by setting AllowAnonymousForGlobalAuthenticationOptions to true in the route AuthenticationOptions - then this route will not be authenticated. | |||
There was a problem hiding this comment.
It is better to write a new subsection of the chapter like:
Global Authentication
^^^^^^^^^^^^^^^^^^^^^
before this line.
And this line is too long! Splitting phrases should help.
| public AuthenticationOptions Create(FileAuthenticationOptions routeAuthOptions, | ||
| FileAuthenticationOptions globalConfAuthOptions) |
There was a problem hiding this comment.
| public AuthenticationOptions Create(FileAuthenticationOptions routeAuthOptions, | |
| FileAuthenticationOptions globalConfAuthOptions) | |
| public AuthenticationOptions Create( | |
| FileAuthenticationOptions routeAuthOptions, | |
| FileAuthenticationOptions globalConfAuthOptions) |
Or, Don't make new line at all. Having 2-3 parameters in signature on the same line is totally fine.
| public List<string> AllowedScopes { get; set; } | ||
|
|
||
| /// <summary> | ||
| /// Allows anonymous authentication globally. |
| /// <value> | ||
| /// <see langword="true"/> if it is allowed; otherwise, <see langword="false"/>. | ||
| /// </value> | ||
| public bool AllowAnonymousForGlobalAuthenticationOptions { get; set; } |
There was a problem hiding this comment.
The name could be shorter, like that: AllowAnonymousAuthentication or even AllowAnonymous.
|
|
||
| RuleFor(authOptions => authOptions.AuthenticationProviderKey) | ||
| .MustAsync(IsSupportedAuthenticationProviders) | ||
| .WithMessage("{PropertyName}: {PropertyValue} is unsupported authentication provider"); |
There was a problem hiding this comment.
What placeholders are here?
Are they implicit? Where is definition of these variables?
| var route = new FileRoute | ||
| { | ||
| AuthenticationOptions = new FileAuthenticationOptions() | ||
| { | ||
| AuthenticationProviderKey = "routeKey", | ||
| AllowedScopes = new List<string>() { "routeScope1", "routeScope2" }, | ||
| }, | ||
| }; | ||
| var globalConfig = new FileGlobalConfiguration | ||
| { | ||
| AuthenticationOptions = new FileAuthenticationOptions() | ||
| { | ||
| AuthenticationProviderKey = "globalKey", | ||
| AllowedScopes = new List<string>() { "globalScope1", "globalScope2" }, | ||
| }, | ||
| }; |
There was a problem hiding this comment.
Could you define a helper to construct FileRoute object plz?
The goal is writing less code.
There was a problem hiding this comment.
I believe that all new facts could call new defined helpers.
So, too many copy-pasted code snippets!
| var provider = new ServiceCollection() | ||
| .BuildServiceProvider(); | ||
|
|
||
| // Todo - replace with mocks | ||
| _configurationValidator = new FileConfigurationFluentValidator(provider, new RouteFluentValidator(_authProvider.Object, new HostAndPortValidator(), new FileQoSOptionsFluentValidator(provider)), new FileGlobalConfigurationFluentValidator(new FileQoSOptionsFluentValidator(provider))); | ||
| _configurationValidator = new FileConfigurationFluentValidator(provider, new RouteFluentValidator(new HostAndPortValidator(), new FileQoSOptionsFluentValidator(provider), _fileAuthenticationOptionsValidator), new FileGlobalConfigurationFluentValidator(new FileQoSOptionsFluentValidator(provider), _fileAuthenticationOptionsValidator)); |
There was a problem hiding this comment.
Too long line!
It is hard to read the code...
Could you apply new line vs indentation approach to make code readability better plz?
| @@ -1554,7 +1598,7 @@ private void GivenAServiceDiscoveryHandler() | |||
| ServiceDiscoveryFinderDelegate del = (a, b, c) => new FakeServiceDiscoveryProvider(); | |||
| collection.AddSingleton<ServiceDiscoveryFinderDelegate>(del); | |||
| var provider = collection.BuildServiceProvider(); | |||
| _configurationValidator = new FileConfigurationFluentValidator(provider, new RouteFluentValidator(_authProvider.Object, new HostAndPortValidator(), new FileQoSOptionsFluentValidator(provider)), new FileGlobalConfigurationFluentValidator(new FileQoSOptionsFluentValidator(provider))); | |||
| _configurationValidator = new FileConfigurationFluentValidator(provider, new RouteFluentValidator(new HostAndPortValidator(), new FileQoSOptionsFluentValidator(provider), _fileAuthenticationOptionsValidator), new FileGlobalConfigurationFluentValidator(new FileQoSOptionsFluentValidator(provider), _fileAuthenticationOptionsValidator)); | |||
| private static bool IsAuthenticated(FileRoute fileRoute, FileGlobalConfiguration globalConfiguration) | ||
| { | ||
| return (!string.IsNullOrEmpty(globalConfiguration?.AuthenticationOptions?.AuthenticationProviderKey) && | ||
| !fileRoute.AuthenticationOptions.AllowAnonymousForGlobalAuthenticationOptions) || | ||
| !string.IsNullOrEmpty(fileRoute.AuthenticationOptions?.AuthenticationProviderKey); | ||
| } |
There was a problem hiding this comment.
Because the body consists of one operator only, why not to define via expression body 👇
| private static bool IsAuthenticated(FileRoute fileRoute, FileGlobalConfiguration globalConfiguration) | |
| { | |
| return (!string.IsNullOrEmpty(globalConfiguration?.AuthenticationOptions?.AuthenticationProviderKey) && | |
| !fileRoute.AuthenticationOptions.AllowAnonymousForGlobalAuthenticationOptions) || | |
| !string.IsNullOrEmpty(fileRoute.AuthenticationOptions?.AuthenticationProviderKey); | |
| } | |
| private static bool IsAuthenticated(FileRoute fileRoute, FileGlobalConfiguration globalConfiguration) | |
| => (!string.IsNullOrEmpty(globalConfiguration?.AuthenticationOptions?.AuthenticationProviderKey) | |
| && !fileRoute.AuthenticationOptions.AllowAnonymousForGlobalAuthenticationOptions) | |
| || !string.IsNullOrEmpty(fileRoute.AuthenticationOptions?.AuthenticationProviderKey); |
… characters: {should_*}
raman-m
force-pushed
the
feature/842-authenticationoptions-in-globalconfiguration
branch
from
19d5e00
to
c99d512
Compare
|
I need this change,What time releases this PR? |
raman-m
added
low
Sorry for delaying the delivery! We have a lack of dev time! |
Closes #842
Proposed Changes
It is possible to configure AuthenticationOptions in GlobalConfiguration. Then all routes use these settings. To configure an exception to this rule (e.g. for identity service), AllowAnonymousForGlobalAuthenticationOptions property should be set to true in the route AuthenticationOptions.
If a route has its own AuthenticationOptions with AuthenticationProviderKey configured additionally, it has priority over the global one.
At the moment if a route uses a global AuthenticationProviderKey (when AuthenticationProviderKey is not configured for route explicitly), it uses also global AllowedScopes, even if AllowedScopes is configured for the route additionally.