Replacing current "user" objects with ClaimsPrincipal/ClaimsIdentity #1820
Conversation
…erIdentity extension methods to ClaimsPrincipal.
…d related tests due to ClaimsPrincipal support.
…g predicate in RequriesClaims
|
@NancyFx/owners @NancyFx/most-valued-minions Right lads, bit of a big fish landing here. Going to need your careful attention. I'd like to get feedback before going any further. At this point everything other that To review, best start by looking at changes to |
|
What should we do with |
|
https://github.com/jchannon/Owin.StatelessAuth On Thursday, 19 February 2015, Damian Hickey [email protected]
|
| @@ -286,84 +207,15 @@ public void Should_return_null_with_RequiresAnyClaim_and_any_claim_met() | |||
| } | |||
|
|
|||
| [Fact] | |||
| public void Should_return_forbidden_response_with_RequiresValidatedClaims_enabled_but_claims_missing() | |||
There was a problem hiding this comment.
Any tests around RequiresValidatedClaims were removed. HasClaim(s) performs that function.
| @@ -19,21 +17,14 @@ public PerRouteAuthModule() | |||
|
|
|||
| Get["/requiresclaims"] = _ => | |||
| { | |||
| this.RequiresClaims(new[] { "test", "test2" }); | |||
| this.RequiresClaims(c => c.Type == "test", c => c.Type == "test2"); | |||
There was a problem hiding this comment.
Perhaps we could have an overload of RequireClaims that takes a params string[] claim. The overload would iterate over the params and compare them against the Type of each claim. It would give us a nicer syntax. Thoughts?
There was a problem hiding this comment.
It would have to be called 'RequiredClaimTypes'.
Regardless, its not particularly useful as you generally need to inspect
at least 2 attributes of a claim - the Type and the Value. See HasClaim
https://msdn.microsoft.com/en-us/library/hh194432%28v=vs.110%29.aspx and
the predicate overload
https://msdn.microsoft.com/en-us/library/hh159713(v=vs.110).aspx
On 26 Feb 2015 23:01, "Andreas Håkansson" [email protected] wrote:
In src/Nancy.Tests.Functional/Modules/PerRouteAuthModule.cs
#1820 (comment):@@ -19,21 +17,14 @@ public PerRouteAuthModule()
Get["/requiresclaims"] = _ => {
this.RequiresClaims(new[] { "test", "test2" });this.RequiresClaims(c => c.Type == "test", c => c.Type == "test2");Perhaps we could have an overload of RequireClaims that takes a params
string[] claim. The overload would iterate over the params and compare
them against the Type of each claim. It would give us a nicer syntax.
Thoughts?—
Reply to this email directly or view it on GitHub
https://github.com/NancyFx/Nancy/pull/1820/files#r25469286.
|
I think the changes so far looks alright 😄 👍 |
|
Why is |
|
Might be nice to loop in @leastprivilege and @brockallen - be nice to get some identityserver integration/samples/lovin' alongside this. |
|
And with "we" I really mean "you" ;) I am currently busy with working on the PR on my family repo ;) |
|
We should loop in @jeffdoolittle as well, he was talking about JWT etc. over at #1550. |
|
We can't carry It currently does two things: Serializing the I suggest we delete |
|
I've also looked into Owin.StatelessAuth ( @jchannon correct me if I'm wrong ), it appears it just checks for the existence of the header and offloads the token verification to the user and it doesn't assist in generating the tokens. |
|
This will break A LOT of |
|
Yes it will. Allowing this is pit-of-fail. User does app.UserNancy() twice in a pipeline and stuff breaks. Remember, middleware can contain middleware, and it may come from other places, so it may not be obvious to them in their wireups. Nancy must no longer assume it's the only framework in an application. Fwiw, there is no such thing as |
|
I disagree, we still need our happy path - the 99% use case is Nancy on its own, or potentially nancy with some auth middleware - anyone using complex middleware setups should already be aware of how to set it up. |
|
I knew you would :) |
|
And WebApi as an example on how to do things? You'll be suggesting sharepoint next :) |
|
One data point a projection does not make :) |
|
Will happy-path users still be coming via OWIN(\whatever) pipelines though? hmm |
|
We could take a similar approach to the one I suggested for the razor config wrecking problem - have two "levels" of nuget, our normal ones with happy paths, then a .core that is just bare bones. In razor's case .core would be everything but the config transforms, razor main package would have a dependency on that, and add in the transforms. For the owin stuff perhaps it could be that the happy path stuff isn't in core, but is included as a dependency in Nancy.hosting.aspnet (just thinking out loud to give an idea) |
|
Could Nancy.Hosting.AspNet could do the bootstrapper static location? |
|
That's what it does currently, but not sure how it will work if we shift it to owin.. Maybe the "hosting" packages that use katana will bring in a startup.cs |
|
Regardless of the outcome of the wireup discussion, I don't think it has any relevance to the scope of this issue/PR, so if you could roll it back that'd be awesome. |
|
Yah fair enough. What about that failing test because it's finding multiple
bootstrappers in the test assembly? Test for the exception?
|
|
Sorry @damianh I missed your question.. yeah, those tests are a bit broken I think.. something like this makes more sense: namespace Nancy.Owin.Tests
{
using Nancy.Bootstrapper;
using Nancy.Tests;
using Xunit;
public class NancyOptionsFixture
{
private readonly NancyOptions nancyOptions;
public NancyOptionsFixture()
{
this.nancyOptions = new NancyOptions();
}
[Fact]
public void Bootstrapper_should_use_locator_if_not_specified()
{
// Given
var bootstrapper = new DefaultNancyBootstrapper();
NancyBootstrapperLocator.Bootstrapper = bootstrapper;
//When
//Then
this.nancyOptions.Bootstrapper.ShouldNotBeNull();
this.nancyOptions.Bootstrapper.ShouldBeSameAs(bootstrapper);
}
[Fact]
public void Bootstrapper_should_use_chosen_bootstrapper_if_specified()
{
// Given
var bootstrapper = new DefaultNancyBootstrapper();
var specificBootstrapper = new DefaultNancyBootstrapper();
NancyBootstrapperLocator.Bootstrapper = bootstrapper;
//When
this.nancyOptions.Bootstrapper = specificBootstrapper;
//Then
this.nancyOptions.Bootstrapper.ShouldNotBeNull();
this.nancyOptions.Bootstrapper.ShouldBeSameAs(specificBootstrapper);
}
[Fact]
public void PerformPassThrough_should_not_be_null()
{
this.nancyOptions.PerformPassThrough.ShouldNotBeNull();
}
[Fact]
public void PerformPassThrough_delegate_should_return_false()
{
this.nancyOptions.PerformPassThrough(new NancyContext()).ShouldBeFalse();
}
}
} |
… all sort of problems if there is more than one Nancy instance / bootstrapper in a owin pipeline. (reverted from commit e8ae7c4)
|
@grumpydev only problem with these tests is they can't be run in parallel (static mutable state being the enemy of parallel testing). May or not be a concern for @NancyFx/owners . |
|
Test fixed. I guess a rebase is required. @NancyFx/owners Could one of you rebase the 2.0 branch (if deemed necessary)? |
|
I thought about that @damianh, but I couldn't think of anywhere else that used that property - I suppose it could be refactored so NancyOptions has: public Func BootstrapperLocator { get; set; } ctor() { Then that can be swapped out to whatever you like.. quite possibly overkill though :) |
|
Yeah, think it's a bit of overkill right now. Lets move on and address it separately as you've suggested. |
Replacing current "user" objects with ClaimsPrincipal/ClaimsIdentity
|
Is there a CI feed for the v2 branch so I can try this out? |
|
@xt0rted : not yet, we will put a beta out after 1.2 in the next week. |
PR to fix #1800
Mandatory:
Preferred:
Update Token Auth to use the new extensions and claim structureRemove Token Auth 🔥Additional
NancyOptions. It WILL cause conflicts and composition problems in an OWIN pipeline.