Make it possible to turn off OpenID Connect configuration retrieval, or enable removal of an added authentication handler #61168

Open
1 task done
ChrisKlug opened this issue Mar 26, 2025 · 10 comments
@ChrisKlug
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

During integration testing with the WebApplicationFactory, I tend to replace the existing authentication method (OIDC) with basic auth to simplify testing. However, in the current model, it seems more or less impossible to remove an authentication handler once it has been added. This is a problem with the OIDC handler, as it makes a request to retrieve the OIDC configuration on startup, which causes problems during testing.

Describe the solution you'd like

It would be great to be able to remove an authentication handler after it has been added, e.g. in the ConfigureTestServices method. Alternatively, it could be solved by being able to configure the OIDC handler to not get the configuration automatically.

Additional context

Right now, my solution is to set a specific environment name in the tests, and have code that checks the environment name before adding the OIDC handler. However, this feels less than optimal, as I don't want to have test specific code in my production application.

@ChrisKlug ChrisKlug closed this as not planned Mar 27, 2025
@ChrisKlug ChrisKlug reopened this Apr 2, 2025
@ChrisKlug
Contributor Author

The solution that was suggested to me at some point was to use `IAuthenticationSchemeProvider.RemoveScheme`. However, this would require me to build the application first to get hold of the `IAuthenticationSchemeProvider`. I would like to do it during set-up in `ConfigureTestServices()`.

@danroth27 danroth27 changed the title from "Make it possible to turn of OpenID Connect configuration retrieval, or enable removal of an added authentication handler" to "Make it possible to turn off OpenID Connect configuration retrieval, or enable removal of an added authentication handler" Apr 2, 2025
@MackinnonBuck
Member

@ChrisKlug, what's wrong with building the service provider first, then modifying the schemes after? Have you taken a look at AuthenticationOptions.SchemeMap?

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Apr 2, 2025
@ChrisKlug
Contributor Author

Is the call to the OIDC configuration endpoint not done during creation? Or is that called at a later point? I thought it was done during creation, in which case it is too late to remove it after creation...

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Apr 2, 2025
@ChrisKlug
Contributor Author

Also, it would feel better to do it before creation to me. As I really don't want it in there. But that is a subjective thing I guess

@MackinnonBuck
Member

> Is the call to the OIDC configuration endpoint not done during creation? Or is that called at a later point?

It happens on the first request.

@ChrisKlug, is there a reason you could add something to your app's configuration (e.g., create some kind of testing configuration), and then set up the app's auth differently depending on the current configuration?

@MackinnonBuck MackinnonBuck added Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Apr 7, 2025
@ChrisKlug
Contributor Author

If it's on first request, I should be able to remove the handler in my test after the creation of the app using the IAuthenticationSchemeProvider.RemoveScheme. I thought I tested that, but I'll have to try again.

I currently have a conditional that only adds the OIDC handler if the environment isn't my integration testing. But I'd rather not have code that is test specific deployed to test...

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Apr 7, 2025
@halter73
Member

To progress further on this issue, I think we'll need example code that does not work that you would like to have work.

@halter73 halter73 added Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Apr 14, 2025
@ChrisKlug
Contributor Author

ChrisKlug commented Apr 21, 2025

I created a little sample of what I am talking about. It's available here: https://github.com/ChrisKlug/asp-net-core-auth-example

It is quite easily fixed using IAuthenticationSchemeProvider after the creation of the app. I am just feeling like it isn't where I would expect to find it. I would expect to be able to do it in the ConfigureTestServices method. Which I guess is why I have never found the IAuthenticationSchemeProvider way, as I wasn't looking to remove it after it had already been created...

I get that it might not be a high priority issue, but I still think it would make it easier to discover if it was available in ConfigureTestServices. In the same way that integration testing ASP.NET Core would be a lot easier to understand if the NuGet package didn't include the MVC part...

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. Status: No Recent Activity labels Apr 21, 2025
@MackinnonBuck MackinnonBuck added this to the Backlog milestone Apr 21, 2025
@MackinnonBuck MackinnonBuck removed the Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. label Apr 21, 2025
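
The approach the thread arrives at, as an added example that is not part of the issue, its linked sample, or ASP.NET Core: register a test scheme in `ConfigureTestServices`, then remove the OIDC scheme through `IAuthenticationSchemeProvider` once the host is built and before any request is sent, which per the thread is when the OIDC configuration would be retrieved. Keeping the swap in the test project means no environment-name check that skips OIDC ships in the application. Assumptions: .NET 8 or later, an entry point class `Program` visible to the test project, and OIDC registered under the default scheme name; `TestAuthHandler`, `TestClients` and the `"Test"` scheme name are hypothetical.

```csharp
// Added example; not code from the issue, its linked sample, or ASP.NET Core.
// Assumes .NET 8+, a visible `Program` class, OIDC under its default scheme name; other names are hypothetical.
using System.Net.Http;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public sealed class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public TestAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Constructed identity: every request to the test host is this user.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "test-user") }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}

public static class TestClients
{
    public static HttpClient CreateWithoutOidc(WebApplicationFactory<Program> factory)
    {
        var testFactory = factory.WithWebHostBuilder(builder =>
            builder.ConfigureTestServices(services =>
            {
                services.AddAuthentication().AddScheme<AuthenticationSchemeOptions, TestAuthHandler>("Test", _ => { });
                // Registered after the app's own options, so these defaults win over OIDC.
                services.Configure<AuthenticationOptions>(o =>
                {
                    o.DefaultAuthenticateScheme = "Test";
                    o.DefaultChallengeScheme = "Test";
                });
            }));
        // Reading Services builds the host; no request has run yet at this point.
        var schemes = testFactory.Services.GetRequiredService<IAuthenticationSchemeProvider>();
        schemes.RemoveScheme(OpenIdConnectDefaults.AuthenticationScheme);
        return testFactory.CreateClient();
    }
}
```

Resetting the default authenticate and challenge schemes matters as much as the removal: if the defaults still named the removed OIDC scheme, the first challenge would fail because no handler is registered for it.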