Support for custom authentication scheme without adding data protection #43624

Closed
brendonparker opened this issue Aug 29, 2022 · 5 comments
Labels: area-dataprotection (Includes: DataProtection)
Milestone: Backlog

Comments

@brendonparker
Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I'd like to revisit this issue: #33779

If you are building a custom authentication scheme that doesn't need data protection, there is currently no way to add authentication without adding data protection services. This means that at startup, keys are generated and logging is created (if they aren't persisted or encrypted) - when it's completely unnecessary.

This is because inside Microsoft.Extensions.DependencyInjection.AuthenticationServiceCollectionExtensions the code looks like this:

public static AuthenticationBuilder AddAuthentication(this IServiceCollection services)
{
    services.AddAuthenticationCore();
    services.AddDataProtection();
    services.AddWebEncoders();
    services.TryAddSingleton<ISystemClock, SystemClock>();
    return new AuthenticationBuilder(services);
}

The call to AddDataProtection is added indiscriminately. From a developer's point of view this can be worked around by replicating this code with the call to AddDataProtection() removed:

    services.AddAuthenticationCore();
    services.AddWebEncoders();
    services.TryAddSingleton<ISystemClock, SystemClock>();
    var authBuilder = new AuthenticationBuilder(services);

But I expect this code to break in the future as it's not documented or supported.

As a possible solution maybe a new boolean property named RequiresDataProtection that defaults to true could be added to the AuthenticationOptions class, and if set to false, Data Protection is not added?

Describe the solution you'd like

A new boolean property on the AuthenticationOptions class that can optionally exclude the AddDataProtection API call.

Additional context

I'm running a simple stateless web api in an AWS Lambda function. As it stands, this results in a bunch of warning log messages occurring on every startup. Ideally this overhead doesn't take place at all, as I do not have the need for the DataProtection APIs.
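A complete version of the workaround described in this issue, as an added example that is not the issue author's code and not part of ASP.NET Core: the replicated registrations are wrapped in an extension method (the name AddAuthenticationWithoutDataProtection and the class that holds it are made up here, mirroring the framework's AddAuthentication(string defaultScheme)), JWT bearer is wired up for a stateless API, and a startup check logs a warning if some other registered component (cookie authentication, session, antiforgery) pulled IDataProtectionProvider back into the container, because in that case the key ring and its startup warnings are still in play. The issuer and audience values are placeholders. The helper mirrors the .NET 6/7 AddAuthentication shown above; on .NET 8 the ISystemClock registration still compiles but is marked obsolete, and, as the issue says, copying framework internals is unsupported.

```csharp
// Added example, not the issue author's code and not an ASP.NET Core API.
// Program.cs for a JWT-bearer-only minimal API that skips AddDataProtection().
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthenticationWithoutDataProtection(JwtBearerDefaults.AuthenticationScheme) // hypothetical helper, below
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        // Placeholder values. JWT bearer validates token signatures against the
        // issuer's published keys; it never touches the data protection key ring.
        options.Authority = "https://issuer.example";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = "api://example",
            ValidateIssuerSigningKey = true,
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Startup check: the workaround only helps if nothing else re-registered data
// protection. If something did, keys are still generated and the warnings return.
if (app.Services.GetService<IDataProtectionProvider>() is not null)
{
    app.Logger.LogWarning(
        "IDataProtectionProvider is registered: another component pulled data protection in, " +
        "so the key ring will still be created at startup.");
}

app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();

public static class LeanAuthenticationExtensions
{
    // Hypothetical name. Mirrors the framework's AddAuthentication(defaultScheme)
    // from the issue, minus AddDataProtection(). Unsupported: it depends on framework
    // internals that may change between releases (ISystemClock is obsolete on .NET 8).
    public static AuthenticationBuilder AddAuthenticationWithoutDataProtection(
        this IServiceCollection services, string defaultScheme)
    {
        services.AddAuthenticationCore(o => o.DefaultScheme = defaultScheme);
        services.AddWebEncoders();
        services.TryAddSingleton<ISystemClock, SystemClock>();
        return new AuthenticationBuilder(services);
    }
}
```

Setting DefaultScheme explicitly matters on .NET 6, where a single registered scheme is not inferred as the default; without it RequireAuthorization() would fail to pick a scheme. The GetService check deliberately runs after Build(), since that is the first point at which every registration (including ones made by other packages) is visible.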

@javiercn javiercn added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Aug 29, 2022
@Tratcher (Member)
Auth isn't the only component that requires data protection, it's also used by session, anti-forgery, and other components. Rather than tweaking each of these components to avoid adding the service, how about configuring data protection itself to turn off?

@brendonparker (Author)
I’m only using JWT bearer. Not using session or anti-forgery. Not sure what the “other components” are.

how about configuring data protection itself to turn off?

I’m open to any more specifics on how to go about this.

@adityamandaleeka (Member)
Triage: we should have a way to make data protection no-op safely (and anything that needed the data protection keys would throw).

This could be a sample.
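The direction the triage comment describes (data protection becomes a no-op, anything that actually needs keys throws) can be approximated from user code today. What follows is an added example, not a project sample and not part of the framework: after AddAuthentication() has made its AddDataProtection() call, the registered IDataProtectionProvider is replaced with a fail-fast implementation. CreateProtector still succeeds, because components such as cookie authentication create their protectors when they are constructed and would otherwise blow up at resolution time, but Protect and Unprotect throw with the purpose chain in the message, so an accidental dependency surfaces as one clear exception instead of silently generated ephemeral keys. The names FailFastDataProtectionProvider and DisableDataProtection are made up here, and the purpose strings in the demonstration are constructed. Caveat: AddDataProtection() registers more than the provider (key management services among them), so this does not remove those registrations or any startup work they may do; it only guarantees that nothing can successfully protect data with a key ring you did not intend to have.

```csharp
// Added example, not the framework's code and not from this issue's discussion.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)      // still calls AddDataProtection()
    .AddJwtBearer(options => options.Authority = "https://issuer.example"); // placeholder issuer
builder.Services.AddAuthorization();

// Must run after AddAuthentication(): Replace() overwrites the provider that
// AddDataProtection() registered, whereas a registration made earlier would
// only win because AddDataProtection() uses TryAdd.
builder.Services.DisableDataProtection();   // hypothetical helper, defined below

var app = builder.Build();

// Demonstration of the failure mode with constructed purpose strings.
// Creating a protector is allowed (components do this in their constructors)...
var protector = app.Services.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("example-purpose", "v1");
try
{
    protector.Protect(new byte[] { 1, 2, 3 });   // ...but using it is not.
}
catch (NotSupportedException ex)
{
    // Logs: "... (purposes: example-purpose -> v1) ..."
    app.Logger.LogError(ex, "A component in this app still depends on data protection");
}

app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/health", () => "ok");
app.Run();

public static class FailFastDataProtectionExtensions
{
    // Hypothetical name. Swaps the real provider for one that rejects all use.
    public static IServiceCollection DisableDataProtection(this IServiceCollection services)
    {
        services.Replace(ServiceDescriptor.Singleton<IDataProtectionProvider, FailFastDataProtectionProvider>());
        return services;
    }
}

public sealed class FailFastDataProtectionProvider : IDataProtectionProvider
{
    public IDataProtector CreateProtector(string purpose) =>
        new FailFastDataProtector(new[] { purpose });

    private sealed class FailFastDataProtector : IDataProtector
    {
        private readonly string[] _purposes;

        public FailFastDataProtector(string[] purposes) => _purposes = purposes;

        // Sub-purposes are tracked only so the exception can say which component asked.
        public IDataProtector CreateProtector(string purpose) =>
            new FailFastDataProtector(_purposes.Append(purpose).ToArray());

        public byte[] Protect(byte[] plaintext) => throw Disabled();

        public byte[] Unprotect(byte[] protectedData) => throw Disabled();

        private NotSupportedException Disabled() => new NotSupportedException(
            "Data protection is disabled in this application, but a component tried to use it " +
            $"(purposes: {string.Join(" -> ", _purposes)}). Register real data protection or remove the component.");
    }
}
```

Throwing NotSupportedException rather than returning the input unchanged is the important design choice: a pass-through "protector" would let cookies, antiforgery tokens or session identifiers go out unencrypted and unauthenticated, which is a worse outcome than the unwanted key generation the issue complains about.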

@adityamandaleeka adityamandaleeka added this to the .NET 8 Planning milestone Sep 2, 2022
@adityamandaleeka adityamandaleeka added area-dataprotection Includes: DataProtection and removed area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer labels Sep 2, 2022
@amcasey amcasey modified the milestones: .NET 8 Planning, Backlog Jan 26, 2024
@ghost commented Jan 26, 2024
We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

@halter73 (Member)
While this was the original, I think much more of the discussion about this issue is now in #47410.
