Fix up reading auth schemes and setting default scheme (dotnet#42452)

* Fix up reading auth schemes and setting default scheme
* Address feedback from peer review

Author: captainsafia

src/Http/Authentication.Core/src/AuthenticationService.cs

@@ -14,6 +14,7 @@ namespace Microsoft.AspNetCore.Authentication;
 public class AuthenticationService : IAuthenticationService
 {
     private HashSet<ClaimsPrincipal>? _transformCache;
+    private const string defaultSchemesOptionsMsg = "The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions) or by setting the Authentication:DefaultScheme property in configuration.";
 
     /// <summary>
     /// Constructor.
@@ -64,7 +65,7 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext cont
             scheme = defaultScheme?.Name;
             if (scheme == null)
             {
-                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultAuthenticateScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).");
+                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultAuthenticateScheme found. {defaultSchemesOptionsMsg}");
             }
         }
 
@@ -112,7 +113,7 @@ public virtual async Task ChallengeAsync(HttpContext context, string? scheme, Au
             scheme = defaultChallengeScheme?.Name;
             if (scheme == null)
             {
-                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).");
+                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultChallengeScheme found. {defaultSchemesOptionsMsg}");
             }
         }
 
@@ -140,7 +141,7 @@ public virtual async Task ForbidAsync(HttpContext context, string? scheme, Authe
             scheme = defaultForbidScheme?.Name;
             if (scheme == null)
             {
-                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultForbidScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).");
+                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultForbidScheme found. {defaultSchemesOptionsMsg}");
             }
         }
 
@@ -186,7 +187,7 @@ public virtual async Task SignInAsync(HttpContext context, string? scheme, Claim
             scheme = defaultScheme?.Name;
             if (scheme == null)
             {
-                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultSignInScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).");
+                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultSignInScheme found. {defaultSchemesOptionsMsg}");
             }
         }
 
@@ -220,7 +221,7 @@ public virtual async Task SignOutAsync(HttpContext context, string? scheme, Auth
             scheme = defaultScheme?.Name;
             if (scheme == null)
             {
-                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultSignOutScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).");
+                throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultSignOutScheme found. {defaultSchemesOptionsMsg}");
             }
         }
 

src/Security/Authentication/Core/src/AuthenticationConfigurationProviderExtensions.cs

@@ -10,7 +10,7 @@ namespace Microsoft.AspNetCore.Authentication;
 /// </summary>
 public static class AuthenticationConfigurationProviderExtensions
 {
-    private const string AuthenticationSchemesKey = "Authentication:Schemes";
+    private const string AuthenticationSchemesKey = "Schemes";
 
     /// <summary>
     /// Returns the specified <see cref="IConfiguration"/> object.

src/Security/Authentication/test/AuthenticationMiddlewareTests.cs

@@ -11,6 +11,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using Moq;
 
 namespace Microsoft.AspNetCore.Authentication;
@@ -156,6 +157,11 @@ public async Task IAuthenticateResultFeature_SettingResultSetsUser()
     public async Task WebApplicationBuilder_RegistersAuthenticationMiddlewares()
     {
         var builder = WebApplication.CreateBuilder();
+        builder.Configuration.AddInMemoryCollection(new[]
+        {
+            new KeyValuePair<string, string>("Authentication:Schemes:Bearer:ClaimsIssuer", "SomeIssuer"),
+            new KeyValuePair<string, string>("Authentication:Schemes:Bearer:Audiences:0", "https://localhost:5001")
+        });
         builder.Authentication.AddJwtBearer();
         await using var app = builder.Build();
 
@@ -169,6 +175,10 @@ public async Task WebApplicationBuilder_RegistersAuthenticationMiddlewares()
         await app.StartAsync();
 
         Assert.True(app.Properties.ContainsKey("__AuthenticationMiddlewareSet"));
+
+        var options = app.Services.GetService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
+        Assert.Equal(new[] { "SomeIssuer" }, options.TokenValidationParameters.ValidIssuers);
+        Assert.Equal(new[] { "https://localhost:5001" }, options.TokenValidationParameters.ValidAudiences);
     }
 
     private HttpContext GetHttpContext(

src/Tools/dotnet-user-jwts/src/Commands/ClearCommand.cs

@@ -45,7 +45,7 @@ private static int Execute(IReporter reporter, string projectPath, bool force)
 
         if (!force)
         {
-            reporter.Output(Resources.ClearCommand_Permission);
+            reporter.Output(Resources.FormatClearCommand_Permission(count, project));
             reporter.Output("[Y]es / [N]o");
             if (Console.ReadLine().Trim().ToUpperInvariant() != "Y")
             {

src/Tools/dotnet-user-jwts/src/Helpers/JwtAuthenticationSchemeSettings.cs

@@ -10,6 +10,7 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer.Tools;
 internal sealed record JwtAuthenticationSchemeSettings(string SchemeName, List<string> Audiences, string ClaimsIssuer)
 {
     private const string AuthenticationKey = "Authentication";
+    private const string DefaultSchemeKey = "DefaultScheme";
     private const string SchemesKey = "Schemes";
 
     private static readonly JsonSerializerOptions _jsonSerializerOptions = new JsonSerializerOptions
@@ -35,7 +36,7 @@ public void Save(string filePath)
             {
                 // If a scheme with the same name has already been registered, we
                 // override with the latest token's options
-                schemes[SchemeName] = settingsObject;    
+                schemes[SchemeName] = settingsObject;
             }
             else
             {
@@ -56,6 +57,15 @@ public void Save(string filePath)
             };
         }
 
+        // Set the DefaultScheme if it has not already been set
+        // and only a single scheme has been configured thus far
+        if (config[AuthenticationKey][DefaultSchemeKey] is null
+            && config[AuthenticationKey][SchemesKey] is JsonObject setSchemes
+            && setSchemes.Count == 1)
+        {
+            config[AuthenticationKey][DefaultSchemeKey] = SchemeName;
+        }
+
         using var writer = new FileStream(filePath, FileMode.Open, FileAccess.Write);
         JsonSerializer.Serialize(writer, config, _jsonSerializerOptions);
     }
@@ -70,6 +80,11 @@ public static void RemoveScheme(string filePath, string name)
             authentication[SchemesKey] is JsonObject schemes)
         {
             schemes.Remove(name);
+            if (authentication[DefaultSchemeKey] is JsonValue defaultScheme
+                && defaultScheme.GetValue<string>() == name)
+            {
+                authentication.Remove(DefaultSchemeKey);
+            }
         }
 
         using var writer = new FileStream(filePath, FileMode.Create, FileAccess.Write);

src/Tools/dotnet-user-jwts/test/UserJwtsTestFixture.cs

@@ -62,7 +62,7 @@ public class UserJwtsTestFixture : IDisposable
   }
 }";
 
-    public string CreateProject(bool hasSecret = true)
+    public string CreateProject(bool hasSecret = true, string appSettingsContent = "{}")
     {
         var projectPath = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "userjwtstest", Guid.NewGuid().ToString()));
         Directory.CreateDirectory(Path.Combine(projectPath.FullName, "Properties"));
@@ -81,7 +81,7 @@ public string CreateProject(bool hasSecret = true)
 
         File.WriteAllText(
             Path.Combine(projectPath.FullName, "appsettings.Development.json"),
-            "{}");
+            appSettingsContent);
 
         if (hasSecret)
         {

src/Tools/dotnet-user-jwts/test/UserJwtsTests.cs

@@ -67,15 +67,61 @@ public void Create_CreatesSecretOnNoSecretInproject()
     }
 
     [Fact]
-    public void Create_WritesGeneratedTokenToDisk()
+    public async Task Create_SetsDefaultSchemeIfNoOtherSchemesSet()
     {
         var project = Path.Combine(_fixture.CreateProject(), "TestProject.csproj");
-        var appsettings = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
+        var appSettingsPath = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
         var app = new Program(_console);
 
         app.Run(new[] { "create", "--project", project });
         Assert.Contains("New JWT saved", _console.GetOutput());
-        Assert.Contains("dotnet-user-jwts", File.ReadAllText(appsettings));
+
+        using FileStream openStream = File.OpenRead(appSettingsPath);
+        var appSettingsFile = await JsonSerializer.DeserializeAsync<JsonObject>(openStream);
+
+        Assert.True(appSettingsFile.TryGetPropertyValue("Authentication", out var authentication));
+        Assert.Equal("Bearer", authentication["DefaultScheme"].GetValue<string>());
+        Assert.Equal("dotnet-user-jwts", authentication["Schemes"]["Bearer"]["ClaimsIssuer"].GetValue<string>());
+    }
+
+    [Fact]
+    public async Task Create_DoesNotOverrideDefaultSchemeIfAlreadySet()
+    {
+        var project = Path.Combine(_fixture.CreateProject(
+            hasSecret: true,
+            appSettingsContent: @"{ ""Authentication"": { ""DefaultScheme"": ""foobar"" } }"), "TestProject.csproj");
+        var appSettingsPath = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
+        var app = new Program(_console);
+
+        app.Run(new[] { "create", "--project", project });
+        Assert.Contains("New JWT saved", _console.GetOutput());
+
+        using FileStream openStream = File.OpenRead(appSettingsPath);
+        var appSettingsFile = await JsonSerializer.DeserializeAsync<JsonObject>(openStream);
+
+        Assert.True(appSettingsFile.TryGetPropertyValue("Authentication", out var authentication));
+        Assert.Equal("foobar", authentication["DefaultScheme"].GetValue<string>()); //foobar not Bearer
+        Assert.Equal("dotnet-user-jwts", authentication["Schemes"]["Bearer"]["ClaimsIssuer"].GetValue<string>());
+    }
+
+    [Fact]
+    public async Task Create_DoesNotSetDefaultSchemeIfMultipleSchemesConfigured()
+    {
+        var project = Path.Combine(_fixture.CreateProject(
+            hasSecret: true,
+            appSettingsContent: @"{ ""Authentication"": { ""Schemes"": { ""foobar"" : { } } } }"), "TestProject.csproj");
+        var appSettingsPath = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
+        var app = new Program(_console);
+
+        app.Run(new[] { "create", "--project", project });
+        Assert.Contains("New JWT saved", _console.GetOutput());
+
+        using FileStream openStream = File.OpenRead(appSettingsPath);
+        var appSettingsFile = await JsonSerializer.DeserializeAsync<JsonObject>(openStream);
+
+        Assert.True(appSettingsFile.TryGetPropertyValue("Authentication", out var authentication));
+        Assert.Null(authentication["DefaultScheme"]); // Should not be set beause 2 schemes configured
+        Assert.Equal("dotnet-user-jwts", authentication["Schemes"]["Bearer"]["ClaimsIssuer"].GetValue<string>());
     }
 
     [Fact]
@@ -92,7 +138,6 @@ public void Print_ReturnsNothingForMissingToken()
     public void List_ReturnsIdForGeneratedToken()
     {
         var project = Path.Combine(_fixture.CreateProject(), "TestProject.csproj");
-        var appsettings = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
         var app = new Program(_console);
 
         app.Run(new[] { "create", "--project", project, "--scheme", "MyCustomScheme" });
@@ -103,10 +148,10 @@ public void List_ReturnsIdForGeneratedToken()
     }
 
     [Fact]
-    public void Remove_RemovesGeneratedToken()
+    public async Task Remove_RemovesGeneratedToken()
     {
         var project = Path.Combine(_fixture.CreateProject(), "TestProject.csproj");
-        var appsettings = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
+        var appSettingsPath = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
         var app = new Program(_console);
 
         app.Run(new[] { "create", "--project", project });
@@ -115,16 +160,45 @@ public void Remove_RemovesGeneratedToken()
         app.Run(new[] { "create", "--project", project, "--scheme", "Scheme2" });
 
         app.Run(new[] { "remove", id, "--project", project });
-        var appsettingsContent = File.ReadAllText(appsettings);
-        Assert.DoesNotContain("Bearer", appsettingsContent);
-        Assert.Contains("Scheme2", appsettingsContent);
+
+        using FileStream openStream = File.OpenRead(appSettingsPath);
+        var appSettingsFile = await JsonSerializer.DeserializeAsync<JsonObject>(openStream);
+
+        Assert.True(appSettingsFile.TryGetPropertyValue("Authentication", out var authentication));
+        Assert.Null(authentication["Schemes"]["Bearer"]);
+        Assert.NotNull(authentication["Schemes"]["Scheme2"]);
+        Assert.Null(authentication["DefaultScheme"]);
+    }
+
+    [Fact]
+    public async Task Remove_DoesNotUnsetDefaultSchemeIfNoMatch()
+    {
+        var project = Path.Combine(_fixture.CreateProject(), "TestProject.csproj");
+        var appSettingsPath = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
+        var app = new Program(_console);
+
+        app.Run(new[] { "create", "--project", project });
+        _console.ClearOutput();
+        app.Run(new[] { "create", "--project", project, "--scheme", "Scheme2" });
+        var matches = Regex.Matches(_console.GetOutput(), "New JWT saved with ID '(.*?)'");
+        var id = matches.SingleOrDefault().Groups[1].Value;
+
+        app.Run(new[] { "remove", id, "--project", project });
+
+        using FileStream openStream = File.OpenRead(appSettingsPath);
+        var appSettingsFile = await JsonSerializer.DeserializeAsync<JsonObject>(openStream);
+
+        Assert.True(appSettingsFile.TryGetPropertyValue("Authentication", out var authentication));
+        Assert.NotNull(authentication["Schemes"]["Bearer"]);
+        Assert.Null(authentication["Schemes"]["Scheme2"]);
+        Assert.NotNull(authentication["DefaultScheme"]); // We haven't removed the Bearer scheme so it's still the default
     }
 
     [Fact]
-    public void Clear_RemovesGeneratedTokens()
+    public async Task Clear_RemovesGeneratedTokens()
     {
         var project = Path.Combine(_fixture.CreateProject(), "TestProject.csproj");
-        var appsettings = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
+        var appSettingsPath = Path.Combine(Path.GetDirectoryName(project), "appsettings.Development.json");
         var app = new Program(_console);
 
         app.Run(new[] { "create", "--project", project });
@@ -133,9 +207,14 @@ public void Clear_RemovesGeneratedTokens()
         Assert.Contains("New JWT saved", _console.GetOutput());
 
         app.Run(new[] { "clear", "--project", project, "--force" });
-        var appsettingsContent = File.ReadAllText(appsettings);
-        Assert.DoesNotContain("Bearer", appsettingsContent);
-        Assert.DoesNotContain("Scheme2", appsettingsContent);
+
+        using FileStream openStream = File.OpenRead(appSettingsPath);
+        var appSettingsFile = await JsonSerializer.DeserializeAsync<JsonObject>(openStream);
+
+        Assert.True(appSettingsFile.TryGetPropertyValue("Authentication", out var authentication));
+        Assert.Null(authentication["Schemes"]["Bearer"]);
+        Assert.Null(authentication["Schemes"]["Scheme2"]);
+        Assert.Null(authentication["DefaultScheme"]);
     }
 
     [Fact]