Introduce new authentication provider Unauthenticated as the default (#3075)
## Why make this change?
New authentication provider where all operations run as `anonymous`.
Useful when DAB is behind an app gateway or APIM where authentication is
handled externally.
## What is this change?
**Core Implementation:**
- Added `UnauthenticatedAuthenticationHandler` in
`UnauthenticatedAuthentication/` folder (follows Simulator pattern)
- Added `IsUnauthenticatedAuthenticationProvider()` to
`AuthenticationOptions.cs`
- Added `IsUnauthenticatedIdentityProvider` property to
`RuntimeConfig.cs`
- Added explicit mapping in
`ClientRoleHeaderAuthenticationMiddleware.ResolveConfiguredAuthNScheme()`
- Changed `AuthenticationOptions` record default from `AppService` to
`Unauthenticated`
- Updated `IsAppServiceIdentityProvider` and
`IsStaticWebAppsIdentityProvider` to only return true when explicitly
set
**CLI & Validation:**
- Changed `dab init` default from `AppService` to `Unauthenticated`
- `Utils.ValidateAudienceAndIssuerForJwtProvider()` accepts
Unauthenticated without JWT config
- `ConfigGenerator.IsConfigValid()` emits warning (not error) when used
with non-anonymous roles
- Simulator provider comparison made case-insensitive (consistent with
Unauthenticated check)
**Schema:**
- Added `Unauthenticated` to `dab.draft.schema.json` provider enum
**Test Updates:**
- Updated all CLI snapshot files (115+ files) to expect
`Unauthenticated` as default
- Updated `InitTests.cs`, `UpdateEntityTests.cs`, and `TestHelper.cs` to
use `Unauthenticated` as the default provider in unit test setup helpers
- Integration test config files (`dab-config.*.json`) continue to use
`AppService` because integration tests exercise role-based policies
(authenticated role, database policies, exclude fields) that require
actual token-based authentication — the `Unauthenticated` provider
treats all requests as anonymous and does not process bearer tokens
**Key behaviors:**
- Allowed in `production` mode (unlike Simulator)
- Allowed with `authenticated`/custom role permissions (warning emitted)
- No JWT configuration required
## How was this tested?
- [x] Integration Tests
- Integration test config files (`dab-config.*.json`) retain
`AppService` provider to support role-based policy testing
- [x] Unit Tests
- `ValidateUnauthenticatedProviderIdentification` in
`AuthenticationConfigValidatorUnitTests.cs`
- Unauthenticated test cases in
`TestValidateAudienceAndIssuerForAuthenticationProvider`
- Updated all CLI snapshot files (115+ files) to expect
`Unauthenticated` as default
- `TestUnauthenticatedProviderNonAnonymousRoleDetection` validates
warning is emitted for non-anonymous roles
## Sample Request(s)
```bash
# Now defaults to Unauthenticated provider
dab init --database-type mssql --connection-string "..."
# Explicit AppService provider (previous default)
dab init --database-type mssql --connection-string "..." --auth.provider AppService
```
Config snippet:
```json
{
"runtime": {
"host": {
"authentication": {
"provider": "Unauthenticated"
}
}
}
}
```
---------
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: JerryNixon <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: RubenCerna2079 <[email protected]>
Co-authored-by: Aniruddh Munde <[email protected]>
Co-authored-by: Aniruddh25 <[email protected]>
Co-authored-by: souvikghosh04 <[email protected]>
Co-authored-by: Souvik Ghosh <[email protected]>
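A config audit that mirrors the warning condition described in the commit message (Unauthenticated provider combined with non-anonymous roles), added here as an example and not code from the Data API builder repository. The sample config is constructed, the function names are hypothetical, and the `entities.<name>.permissions[].role` layout and case-insensitive role comparison are assumptions.

```python
import json

# Constructed sample config (not from the repository). The entities/permissions
# layout is an assumption about the usual dab-config.json shape.
SAMPLE_CONFIG = """
{
  "runtime": {"host": {"authentication": {"provider": "unauthenticated"}}},
  "entities": {
    "Book": {"permissions": [
      {"role": "anonymous", "actions": ["read"]},
      {"role": "authenticated", "actions": ["create", "update"]}
    ]},
    "Order": {"permissions": [{"role": "SalesManager", "actions": ["*"]}]},
    "Author": {"permissions": [{"role": "anonymous", "actions": ["read"]}]}
  }
}
"""

def effective_provider(config):
    """Return the configured provider. A missing value falls back to
    'Unauthenticated', the new default named in the commit message."""
    runtime = config.get("runtime") or {}
    auth = (runtime.get("host") or {}).get("authentication") or {}
    return auth.get("provider") or "Unauthenticated"

def non_anonymous_role_permissions(config):
    """List (entity, role) pairs that would trigger the warning: the provider
    is Unauthenticated but a permission names a role other than anonymous."""
    # Provider comparison is case-insensitive, as the commit message states.
    if effective_provider(config).lower() != "unauthenticated":
        return []
    findings = []
    for name, entity in (config.get("entities") or {}).items():
        for perm in entity.get("permissions") or []:
            role = str(perm.get("role", ""))
            # Assumption: role names are compared case-insensitively.
            if role.lower() != "anonymous":
                findings.append((name, role))
    return sorted(findings)

if __name__ == "__main__":
    for entity, role in non_anonymous_role_permissions(json.loads(SAMPLE_CONFIG)):
        print(f"warning: {entity}: role '{role}' configured with Unauthenticated provider")
```
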
schemas/dab.draft.schema.json
4 additions & 0 deletions
@@ -418,6 +418,10 @@
418
418
{
419
419
"const": "Custom",
420
420
"description": "Custom authentication provider defined by the user. Use the JWT property to configure the custom provider."
421
+
},
422
+
{
423
+
"const": "Unauthenticated",
424
+
"description": "Unauthenticated provider where all operations run as anonymous. Use when Data API builder is behind an app gateway or APIM where authentication is handled externally."
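Review bot: The description on the added `"const": "Unauthenticated"` entry (new line 424) says operations run as anonymous but leaves out the two consequences the commit message spells out: the provider does not process bearer tokens, and permissions for `authenticated` or custom roles only produce a warning. Since this value is now the default and is allowed in `production` mode, consider adding a sentence to the schema description stating that tokens are not validated by this provider, so the point is visible wherever the schema description is surfaced and not only in the commit message.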