Is order of multiple IAuthProviders significant in any way?

We have services protected by AuthenticateAttribute and we have multiple custom IAuthProviders registered, each with its own override of IsAuthorized.

The AuthenticateAttribute triggers a call to IsAuthorized, but for which IAuthProvider?
Based on my experiments this is determined by the order in which they are registered. Is this correct?

For example, would the following mean that MyCustomApiKeyAuthProvider.IsAuthorized will be triggered by the AuthenticateAttribute?

Plugins.Add(new AuthFeature(..., 
    new IAuthProvider[] {
        new MyCustomApiKeyAuthProvider(),
        new MyCustomCredentialsAuthProvider()
     }));

Kind Regards
Anders

IsAuthorized() should be called for all registered Auth Providers:

The one time when it is significant is when calling /auth/logout which calls the first registered AuthProvider Logout() API, but this is typically rarely overridden so just ends up calling the base AuthProvider Logout() implementation.
