Make it possible to turn off OpenID Connect configuration retrieval, or enable removal of an added authentication handler

[ChrisKlug]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

During integration testing with the WebApplicationFactory, I tend replace the existing authentication method (OIDC) with basic auth to simplify testing. However, in the current model, it seems more or less impossible to remove an authentication handler once it has been added. This is a problem with the OIDC handler, as it makes a request to retrieve the OIDC configuration on startup, which causes problems during testing.

Describe the solution you'd like

It would be great to be able to remove an authentication handler after it has been added, e.g. in the ConfigureTestServices method. Alternatively, it could be solved by being able to configure the OIDC handler to not get the configuration automatically.

Additional context

Right now, my solution is to set a specific environment name in the tests, and have code that checks the environment name before adding the OIDC handler. However, this feels less than optimal, as I don't want to have test specific code in my production application.

[ChrisKlug]

The solution that was suggested to me at some point was to use IAuthenticationSchemeProvider.RemoveScheme. However, this would require me to build the application first to get hold of the ´IAuthenticationSchemeProvider´. I would like to do it during set-up in ´ConfigureTestServices()´.

[MackinnonBuck]

@ChrisKlug, what's wrong with building the service provider first, then modifying the schemes after? Have you taken a look at AuthenticationOptions.SchemeMap?

[ChrisKlug]

Is the call to the OIDC configuration endpoint not done during creation? Or is that called at a later point? I thought it was done during creation, in which case it is too late to remove it after creation...

[ChrisKlug]

Also, it would feel better to do it before creation to me. As I really don't want it in there. But that is a subjective thing I guess

[MackinnonBuck]

Is the call to the OIDC configuration endpoint not done during creation? Or is that called at a later point?

It happens on the first request.

@ChrisKlug, is there a reason you could add something to your app's configuration (e.g., create some kind of testing configuration), and then set up the app's auth differently depending on the current configuration?

[ChrisKlug]

If it's on first request, I should be able to remove the handler in my test after the creation of the app using the IAuthenticationSchemeProvider.RemoveScheme. I thought I tested that, but I'll have to try again.

I currently have a conditional that only adds the OIDC handler if the environment isn't my integration testing. But I'd rather not have code that is test specific deployed to test...