Introduce new authentication provider Unauthenticated as the default #3075
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
…and JSON schema Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Pull request overview
Introduces a new Unauthenticated authentication provider intended to treat all requests as anonymous without requiring JWT configuration.
Changes:
- Added an `Unauthenticated` ASP.NET Core auth handler/scheme and wired it into `Startup` auth registration paths.
- Updated CLI validation and config validation logic to allow `Unauthenticated` without JWT (with warnings for non-anonymous role permissions).
- Extended schema and CLI tests/snapshots to include the new provider.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/Service/Startup.cs | Registers the Unauthenticated auth scheme in both auth configuration paths. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationHandler.cs | New auth handler that yields an anonymous principal. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationDefaults.cs | Defines the scheme name constants for the new provider. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationBuilderExtensions.cs | Adds an AuthenticationBuilder extension to register the new scheme. |
| src/Core/AuthenticationHelpers/SupportedAuthNProviders.cs | Adds Unauthenticated to the supported provider constants. |
| src/Config/ObjectModel/AuthenticationOptions.cs | Adds provider detection helper and updates JWT-required determination logic. |
| src/Cli/Utils.cs | Allows Unauthenticated to omit JWT audience/issuer and updates messaging. |
| src/Cli/ConfigGenerator.cs | Emits a warning when Unauthenticated is used with non-anonymous permissions. |
| src/Cli.Tests/ValidateConfigTests.cs | Adds unit tests for Unauthenticated provider helper methods. |
| src/Cli.Tests/Snapshots/InitTests.EnsureCorrectConfigGenerationWithDifferentAuthenticationProviders_47836da0dfbdc458.verified.txt | Updates snapshot for config generation using Unauthenticated. |
| src/Cli.Tests/InitTests.cs | Adds Unauthenticated as a test case for init/config generation. |
| schemas/dab.draft.schema.json | Adds Unauthenticated to the provider enum and documents it. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot apply changes based on the comments in this thread
Added in f0b25d0:
@copilot We need to update `dab init` in the CLI to default to this new provider when it is executed without an explicit flag.
…ated Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Done in 17844ce. Changed the default authentication provider from
UnauthenticatedUnauthenticated as the default
Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
src/Service/Startup.cs
Outdated
| AuthenticationOptions authOptions = runtimeConfig.Runtime.Host.Authentication; | ||
| HostMode mode = runtimeConfig.Runtime.Host.Mode; | ||
| if (!authOptions.IsAuthenticationSimulatorEnabled() && !authOptions.IsEasyAuthAuthenticationProvider()) | ||
| if (!authOptions.IsAuthenticationSimulatorEnabled() && !authOptions.IsEasyAuthAuthenticationProvider() && !authOptions.IsUnauthenticatedAuthenticationProvider()) |
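Review bot: on the changed `if`, the condition is now a chain of three negated provider checks, so every future provider that should skip this branch has to be added here by hand, which is easy to miss. Consider folding the decision into one positively named helper on `AuthenticationOptions` (the PR description mentions `IsJwtConfiguredIdentityProvider()`), using it in both authentication configuration paths, and adding a short comment on why `Unauthenticated` is excluded.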
Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
/azp run
Azure Pipelines successfully started running 6 pipeline(s).
Why make this change?
New authentication provider where all operations run as anonymous. Useful when DAB is behind an app gateway or APIM where authentication is handled externally. This provider is now the default when executing `dab init` without an explicit `--auth.provider` flag.

What is this change?
Core Implementation:
- `IsUnauthenticatedAuthenticationProvider()` to `AuthenticationOptions.cs`
- `UnauthenticatedAuthenticationHandler` in `UnauthenticatedAuthentication` folder (follows Simulator pattern, returns unauthenticated ClaimsPrincipal)
- `Startup.cs` to register the provider in both `ConfigureAuthentication()` and `ConfigureAuthenticationV2()`
- `ClientRoleHeaderAuthenticationMiddleware.ResolveConfiguredAuthNScheme()` for proper scheme selection at request time
- `Startup.cs` to use `IsJwtConfiguredIdentityProvider()` helper method for cleaner code

CLI & Validation:
- `AppService` to `Unauthenticated` for `dab init`
- `Utils.ValidateAudienceAndIssuerForJwtProvider()` to accept Unauthenticated without JWT
- `ConfigGenerator.IsConfigValid()` when used with authenticated/custom roles (not an error)
- `ConfigureOptions.cs` to reflect new default

Schema:
- `Unauthenticated` to `dab.draft.schema.json` provider enum

Key behaviors:
- `dab init` is executed without `--auth.provider`
- `production` mode (unlike Simulator)
- `authenticated`/custom role permissions (warning emitted)

How was this tested?
- `ValidateUnauthenticatedProviderIdentification` test in `AuthenticationConfigValidatorUnitTests.cs`
- `TestValidateAudienceAndIssuerForAuthenticationProvider` (UtilsTests.cs)
- `TestBaseRouteIsConfigurableForSWA` (EndToEndTests.cs)
- `TestUpdateAuthenticationProviderHostSettings` (ConfigureOptionsTests.cs)

Sample Request(s)
Config snippet:
```json
{
  "runtime": {
    "host": {
      "authentication": {
        "provider": "Unauthenticated"
      }
    }
  }
}
```
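A configuration audit for the behaviour described above, as an added example that is not part of this pull request or the project's code: when the provider is `Unauthenticated`, it lists role permissions that cannot apply because every request runs as anonymous, and the anonymous permissions that are open to any caller reaching DAB directly. The function names, the sample config and the case-insensitive provider match are assumptions of this example.

```python
import json

# Constructed sample config. The entities/permissions layout follows DAB's
# config file format; entity and role names are made up for this example.
SAMPLE_CONFIG = """
{
  "runtime": {"host": {"authentication": {"provider": "Unauthenticated"}}},
  "entities": {
    "Book": {"permissions": [
      {"role": "anonymous", "actions": ["read"]},
      {"role": "authenticated", "actions": ["create", "update"]}
    ]},
    "Order": {"permissions": [
      {"role": "admin", "actions": [{"action": "*"}]}
    ]}
  }
}
"""


def action_names(actions):
    """Actions are plain strings or objects with an "action" key."""
    return [a if isinstance(a, str) else a.get("action", "?") for a in actions]


def audit_unauthenticated(config):
    """Return (unusable, exposed) lists of (entity, role, actions) tuples.
    unusable: permissions for roles other than anonymous, which cannot apply
              when every request runs as anonymous.
    exposed:  anonymous permissions, open to any caller that can reach DAB.
    """
    auth = config.get("runtime", {}).get("host", {}).get("authentication", {})
    # Case-insensitive provider match is a choice of this example.
    if str(auth.get("provider", "")).lower() != "unauthenticated":
        return [], []
    unusable, exposed = [], []
    for name, entity in config.get("entities", {}).items():
        for perm in entity.get("permissions", []):
            role = str(perm.get("role", ""))
            row = (name, role, action_names(perm.get("actions", [])))
            (exposed if role.lower() == "anonymous" else unusable).append(row)
    return unusable, exposed


if __name__ == "__main__":
    unusable, exposed = audit_unauthenticated(json.loads(SAMPLE_CONFIG))
    for entity, role, actions in unusable + exposed:
        tag = "EXPOSED" if role.lower() == "anonymous" else "WARNING"
        print(f"{tag} {entity}: role '{role}' -> {actions}")
```

Run against a real config file, the `exposed` list is the set of operations that depend entirely on the gateway or APIM layer in front of DAB for authentication.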