Azure · sander1095 · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025
@@ -299,9 +299,13 @@ public void EnsureFailureOnReInitializingExistingConfig()
         /// </summary>
         [DataTestMethod]
         [DataRow("StaticWebApps", null, null, DisplayName = "StaticWebApps with no audience and no issuer specified.")]
+        [DataRow("None", null, null, DisplayName = "None with no audience and no issuer specified.")]
+        [DataRow("EasyAuth", null, null, DisplayName = "EasyAuth with no audience and no issuer specified.")]
         [DataRow("AppService", null, null, DisplayName = "AppService with no audience and no issuer specified.")]
         [DataRow("Simulator", null, null, DisplayName = "Simulator with no audience and no issuer specified.")]
         [DataRow("AzureAD", "aud-xxx", "issuer-xxx", DisplayName = "AzureAD with both audience and issuer specified.")]
+        [DataRow("EntraId", "aud -xxx", "issuer-xxx", DisplayName = "EntraId with both audience and issuer specified.")]
+        [DataRow("OAuth", "aud -xxx", "issuer-xxx", DisplayName = "OAuth with both audience and issuer specified.")]
         public Task EnsureCorrectConfigGenerationWithDifferentAuthenticationProviders(
             string authenticationProvider,
             string? audience,
@@ -426,7 +430,7 @@ public Task GraphQLPathWithoutStartingSlashWillHaveItAdded()
         ///
         ///      b. When --graphql.multiple-create.enabled option is not used
         ///           - In this case, fields related to multiple mutation and multiple create operations will NOT be written to the config file.
-        /// 
+        ///
         /// </summary>
         [DataTestMethod]
         [DataRow(DatabaseType.MSSQL, CliBool.True, DisplayName = "Init command with '--graphql.multiple-create.enabled true' for MsSQL database type")]
@@ -453,7 +457,7 @@ public Task VerifyCorrectConfigGenerationWithMultipleMutationOptions(DatabaseTyp
 
             if (databaseType is DatabaseType.CosmosDB_NoSQL)
             {
-                // A schema file is added since its mandatory for CosmosDB_NoSQL 
+                // A schema file is added since its mandatory for CosmosDB_NoSQL
                 ((MockFileSystem)_fileSystem!).AddFile(TEST_SCHEMA_FILE, new MockFileData(""));
 
                 options = new(

@@ -175,6 +175,84 @@ public static Process ExecuteDabCommand(string command, string flags)
               }
           }";
 
+        /// <summary>
+        /// Only Runtime section containing both rest and graphql enabled, with None authentication.
+        /// </summary>
+        public const string RUNTIME_SECTION_NONE_AUTHENTICATION = @"
+          ""runtime"": {
+              ""rest"": {
+                  ""path"": ""/api"",
+                  ""enabled"": true
+              },
+              ""graphql"": {
+                  ""path"": ""/graphql"",
+                  ""enabled"": true,
+                  ""allow-introspection"": true
+              },
+              ""host"": {
+                  ""mode"": ""development"",
+                  ""cors"": {
+                      ""origins"": [],
+                      ""allow-credentials"": false
+                  },
+                  ""authentication"": {
+                      ""provider"": ""None""
+                  }
+              }
+          }";
+
+        /// <summary>
+        /// Only Runtime section containing both rest and graphql enabled, with EasyAuth authentication.
+        /// </summary>
+        public const string RUNTIME_SECTION_EASYAUTH_AUTHENTICATION = @"
+          ""runtime"": {
+              ""rest"": {
+                  ""path"": ""/api"",
+                  ""enabled"": true
+              },
+              ""graphql"": {
+                  ""path"": ""/graphql"",
+                  ""enabled"": true,
+                  ""allow-introspection"": true
+              },
+              ""host"": {
+                  ""mode"": ""development"",
+                  ""cors"": {
+                      ""origins"": [],
+                      ""allow-credentials"": false
+                  },
+                  ""authentication"": {
+                      ""provider"": ""EasyAuth""
+                  }
+              }
+          }";
+
+        /// <summary>
+        /// Only Runtime section containing both rest and graphql enabled. The authentication provider can be replaced with <>.
+        /// </summary>
+        public const string RUNTIME_SECTION_JWT_AUTHENTICATION_PLACEHOLDER = @"
+          ""runtime"": {
+              ""rest"": {
+                  ""path"": ""/api"",
+                  ""enabled"": true
+              },
+              ""graphql"": {
+                  ""path"": ""/graphql"",
+                  ""enabled"": true,
+                  ""allow-introspection"": true
+              },
+              ""host"": {
+                  ""mode"": ""development"",
+                  ""cors"": {
+                      ""origins"": [],
+                      ""allow-credentials"": false
+                  },
+                  ""authentication"": {
+                      ""provider"": ""<>""
+                  }
+              }
+          }";
+
         /// <summary>
         /// Configuration with unresolved environment variable references on
         /// properties of various data types (string, enum, bool, int).

@@ -145,6 +145,79 @@ public void TestValidateConfigFailsWithInvalidGraphQLDepthLimit(object? depthLim
         }
     }
 
+    /// <summary>
+    /// This Test is used to verify that the None authentication scheme is valid
+    /// </summary>
+    [TestMethod]
+    public void TestEasyAuthIsValidAuthenticationProvider()
+    {
+        string ConfigWithNoneAuthentication = $"{{{SAMPLE_SCHEMA_DATA_SOURCE}, {RUNTIME_SECTION_EASYAUTH_AUTHENTICATION}, \"entities\": {{ }}}}";
+
+        // create an empty config file
+        ((MockFileSystem)_fileSystem!).AddFile(TEST_RUNTIME_CONFIG_FILE, ConfigWithNoneAuthentication);
+
+        ValidateOptions validateOptions = new(TEST_RUNTIME_CONFIG_FILE);
+
+        try
+        {
+            Assert.IsTrue(ConfigGenerator.IsConfigValid(validateOptions, _runtimeConfigLoader!, _fileSystem!));
+        }
+        catch (Exception ex)
+        {
+            Assert.Fail($"Unexpected Exception thrown: {ex.Message}");
+        }
+    }
+
+    /// <summary>
+    /// This Test is used to verify that the None authentication scheme is valid
+    /// </summary>
+    [TestMethod]
+    public void TestNoneIsValidAuthenticationProvider()
+    {
+        string ConfigWithNoneAuthentication = $"{{{SAMPLE_SCHEMA_DATA_SOURCE}, {RUNTIME_SECTION_NONE_AUTHENTICATION}, \"entities\": {{ }}}}";
+
+        // create an empty config file
+        ((MockFileSystem)_fileSystem!).AddFile(TEST_RUNTIME_CONFIG_FILE, ConfigWithNoneAuthentication);
+
+        ValidateOptions validateOptions = new(TEST_RUNTIME_CONFIG_FILE);
+
+        try
+        {
+            Assert.IsTrue(ConfigGenerator.IsConfigValid(validateOptions, _runtimeConfigLoader!, _fileSystem!));
+        }
+        catch (Exception ex)
+        {
+            Assert.Fail($"Unexpected Exception thrown: {ex.Message}");
+        }
+    }
+
+    /// <summary>
+    /// This Test is used to verify that the JWT properties must be added when the authentication scheme is Not easyAuth and not Simulator.
+    /// </summary>
+    [DataTestMethod]
+    [DataRow("AzureAD")]
+    [DataRow("EntraID")]
+    [DataRow("OAuth")]
+    public void TestMissingJwtProperties(string authScheme)
+    {
+        string ConfigWithJwtAuthentication = $"{{{SAMPLE_SCHEMA_DATA_SOURCE}, {RUNTIME_SECTION_JWT_AUTHENTICATION_PLACEHOLDER}, \"entities\": {{ }}}}";
+        ConfigWithJwtAuthentication = ConfigWithJwtAuthentication.Replace("<>", authScheme, StringComparison.OrdinalIgnoreCase);
+
+        // create an empty config file
+        ((MockFileSystem)_fileSystem!).AddFile(TEST_RUNTIME_CONFIG_FILE, ConfigWithJwtAuthentication);
+
+        ValidateOptions validateOptions = new(TEST_RUNTIME_CONFIG_FILE);
+
+        try
+        {
+            Assert.IsFalse(ConfigGenerator.IsConfigValid(validateOptions, _runtimeConfigLoader!, _fileSystem!));
+        }
+        catch (Exception ex)
+        {
+            Assert.Fail($"Unexpected Exception thrown: {ex.Message}");
+        }
+    }
+
     /// <summary>
     /// This Test is used to verify that the validate command is able to catch when data source field or entities field is missing.
     /// </summary>

diff --git a/src/Cli/ConfigGenerator.cs b/src/Cli/ConfigGenerator.cs
@@ -222,9 +222,9 @@ public static bool TryCreateRuntimeConfig(InitOptions options, FileSystemRuntime
 
             if (runtimeBaseRoute is not null)
             {
-                if (!Enum.TryParse(options.AuthenticationProvider, ignoreCase: true, out EasyAuthType authMode) || authMode is not EasyAuthType.StaticWebApps)
+                if (!Enum.TryParse(options.AuthenticationProvider, ignoreCase: true, out EasyAuthType authMode) || authMode is not EasyAuthType.StaticWebApps or EasyAuthType.EasyAuth or EasyAuthType.None)
                 {
-                    _logger.LogError("Runtime base-route can only be specified when the authentication provider is Static Web Apps.");
+                    _logger.LogError("Runtime base-route can only be specified when the authentication provider is Static Web Apps, EasyAuth or None.");
                     return false;
                 }
             }

diff --git a/src/Config/ObjectModel/EasyAuthType.cs b/src/Config/ObjectModel/EasyAuthType.cs
@@ -6,5 +6,15 @@ namespace Azure.DataApiBuilder.Config.ObjectModel;
 public enum EasyAuthType
 {
     StaticWebApps,
-    AppService
+    AppService,
+
+    /// <summary>
+    /// A synonym for <see cref="StaticWebApps"/>
+    /// </summary>
+    EasyAuth,
+
+    /// <summary>
+    /// Another synonym for <see cref="StaticWebApps"/>, like <see cref="EasyAuth"/>
+    /// </summary>
+    None
 }
diff --git a/src/Core/AuthenticationHelpers/ClientRoleHeaderAuthenticationMiddleware.cs b/src/Core/AuthenticationHelpers/ClientRoleHeaderAuthenticationMiddleware.cs
@@ -179,8 +179,13 @@ public static bool IsSystemRole(string roleName)
     /// <returns>Authentication Scheme</returns>
     private static string ResolveConfiguredAuthNScheme(string? configuredProviderName)
     {
+        // TODO: Jerry Nixon says that EASY_AUTH is also a synonym for STATIC_WEB_APPS/APP_SERVICE/NONE in DAB.
+        // But as far as I know, EASY_AUTH is an abstraction on the auth schemes that SWA/AS use.
+        // So the question is: Is this IF statement still correct now that I added EASY_AUTH to it? It would now default to SWA auth.
         if (string.IsNullOrWhiteSpace(configuredProviderName)
-            || string.Equals(configuredProviderName, SupportedAuthNProviders.STATIC_WEB_APPS, StringComparison.OrdinalIgnoreCase))
+            || string.Equals(configuredProviderName, SupportedAuthNProviders.STATIC_WEB_APPS, StringComparison.OrdinalIgnoreCase)
+            || string.Equals(configuredProviderName, SupportedAuthNProviders.EASY_AUTH, StringComparison.OrdinalIgnoreCase)
+            || string.Equals(configuredProviderName, SupportedAuthNProviders.NONE, StringComparison.OrdinalIgnoreCase))
         {
             return EasyAuthAuthenticationDefaults.SWAAUTHSCHEME;
         }
@@ -193,7 +198,8 @@ private static string ResolveConfiguredAuthNScheme(string? configuredProviderNam
             return SimulatorAuthenticationDefaults.AUTHENTICATIONSCHEME;
         }
         else if (string.Equals(configuredProviderName, SupportedAuthNProviders.AZURE_AD, StringComparison.OrdinalIgnoreCase) ||
-            string.Equals(configuredProviderName, SupportedAuthNProviders.ENTRA_ID, StringComparison.OrdinalIgnoreCase))
+            string.Equals(configuredProviderName, SupportedAuthNProviders.ENTRA_ID, StringComparison.OrdinalIgnoreCase) ||
+            string.Equals(configuredProviderName, SupportedAuthNProviders.OAUTH, StringComparison.OrdinalIgnoreCase))
         {
             return JwtBearerDefaults.AuthenticationScheme;
         }

diff --git a/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs b/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
@@ -59,6 +59,10 @@ public void Configure(string? name, JwtBearerOptions options)
             RoleClaimType = AuthenticationOptions.ROLE_CLAIM_TYPE
         };
 
+        // TODO: The PR says "This (OAuth) also opens up a future direction should we need to handle special cases with EntraId."
+        // This would be the case here. Currently, OAuth should just be a synonym for AzureAD/EntraID.
+        // But that doesn't make sense, because adding an OR statement for OAUth would be a behavioural change.
+        // What do we do here?
         if (newAuthOptions.Provider.Equals("AzureAD") || newAuthOptions.Provider.Equals("EntraID"))
         {
             // Enables the validation of the issuer of the signing keys

diff --git a/src/Core/AuthenticationHelpers/EasyAuthAuthenticationBuilderExtensions.cs b/src/Core/AuthenticationHelpers/EasyAuthAuthenticationBuilderExtensions.cs
@@ -27,7 +27,10 @@ public static AuthenticationBuilder AddEasyAuthAuthentication(
             throw new ArgumentNullException(nameof(builder));
         }
 
-        if (easyAuthAuthenticationProvider is EasyAuthType.StaticWebApps)
+        // TODO: Same question as in ClientRoleHeaderAuthenticationMiddleware. Jerry Nixon says that EASY_AUTH is also a synonym for STATIC_WEB_APPS/APP_SERVICE/NONE in DAB.
+        // But as far as I know, EASY_AUTH is an abstraction on the auth schemes that SWA/AS use.
+        // So the question is: Is this IF statement still correct now that I added EASY_AUTH to it? It would now default to SWA auth.
+        if (easyAuthAuthenticationProvider is EasyAuthType.StaticWebApps or EasyAuthType.EasyAuth or EasyAuthType.None)
         {
             builder.AddScheme<EasyAuthAuthenticationOptions, EasyAuthAuthenticationHandler>(
                 authenticationScheme: EasyAuthAuthenticationDefaults.SWAAUTHSCHEME,

@@ -68,6 +68,8 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
             {
                 EasyAuthType.StaticWebApps => StaticWebAppsAuthentication.Parse(Context, Logger),
                 EasyAuthType.AppService => AppServiceAuthentication.Parse(Context, Logger),
+                EasyAuthType.EasyAuth => StaticWebAppsAuthentication.Parse(Context, Logger), // TODO: Is this correct?
+                EasyAuthType.None => StaticWebAppsAuthentication.Parse(Context, Logger),
                 _ => null
             };
 
@@ -92,7 +94,7 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
             if (claimsPrincipal is not null)
             {
                 // AuthenticationTicket is Asp.Net Core Abstraction of Authentication information
-                // Ref: aspnetcore/src/Http/Authentication.Abstractions/src/AuthenticationTicket.cs 
+                // Ref: aspnetcore/src/Http/Authentication.Abstractions/src/AuthenticationTicket.cs
                 AuthenticationTicket ticket = new(claimsPrincipal, EasyAuthAuthenticationDefaults.AUTHENTICATIONSCHEME);
                 AuthenticateResult success = AuthenticateResult.Success(ticket);
                 return Task.FromResult(success);

@@ -6,9 +6,15 @@ namespace Azure.DataApiBuilder.Core.AuthenticationHelpers;
 internal static class SupportedAuthNProviders
 {
     public const string APP_SERVICE = "AppService";
+
     public const string AZURE_AD = "AzureAD";
     public const string ENTRA_ID = "EntraID";
+    public const string OAUTH = "OAuth";
+
     public const string GENERIC_OAUTH = "Custom";
     public const string SIMULATOR = "Simulator";
+
     public const string STATIC_WEB_APPS = "StaticWebApps";
+    public const string EASY_AUTH = "EasyAuth";
+    public const string NONE = "None";
 }
diff --git a/src/Service.Tests/Authentication/EasyAuthAuthenticationUnitTests.cs b/src/Service.Tests/Authentication/EasyAuthAuthenticationUnitTests.cs
@@ -142,10 +142,12 @@ public async Task TestInvalidAppServiceEasyAuthToken(string easyAuthPayload)
         /// a correctly configured EasyAuth environment guarantees that only authenticated requests
         /// will contain an EasyAuth header.
         /// </summary>
-        /// <param name="easyAuthType">AppService/StaticWebApps</param>
+        /// <param name="easyAuthType">AppService/StaticWebApps/EasyAuth/None</param>
         [DataTestMethod]
         [DataRow(EasyAuthType.AppService)]
         [DataRow(EasyAuthType.StaticWebApps)]
+        [DataRow(EasyAuthType.EasyAuth)]
+        [DataRow(EasyAuthType.None)]
         public async Task TestMissingEasyAuthHeader(EasyAuthType easyAuthType)
         {
             HttpContext postMiddlewareContext = await SendRequestAndGetHttpContextState(token: null, easyAuthType);
@@ -156,21 +158,27 @@ public async Task TestMissingEasyAuthHeader(EasyAuthType easyAuthType)
         }
 
         /// <summary>
-        /// Ensures a valid StaticWebApps EasyAuth header/value does NOT result in HTTP 401 Unauthorized response.
+        /// Ensures a valid EasyAuth header/value does NOT result in HTTP 401 Unauthorized response.
         /// 403 is okay, as it indicates authorization level failure, not authentication.
         /// When an authorization header is sent, it contains an invalid value, if the runtime returns an error
         /// then there is improper JWT validation occurring.
         /// </summary>
         [DataTestMethod]
-        [DataRow(false, true, DisplayName = "Valid StaticWebApps EasyAuth header only")]
-        [DataRow(true, true, DisplayName = "Valid StaticWebApps EasyAuth header and authorization header")]
+        [DataRow(EasyAuthType.StaticWebApps, false, true, DisplayName = "Valid EasyAuth (Static Web Apps) header only")]
+        [DataRow(EasyAuthType.StaticWebApps, true, true, DisplayName = "Valid EasyAuth (Static Web Apps) header and authorization header")]
+        [DataRow(EasyAuthType.AppService, false, true, DisplayName = "Valid EasyAuth (App Service) header only")]
+        [DataRow(EasyAuthType.AppService, true, true, DisplayName = "Valid EasyAuth (App Service) header and authorization header")]
+        [DataRow(EasyAuthType.None, false, true, DisplayName = "Valid EasyAuth (None) header only")]
+        [DataRow(EasyAuthType.None, true, true, DisplayName = "Valid EasyAuth (None) header and authorization header")]
+        [DataRow(EasyAuthType.EasyAuth, false, true, DisplayName = "Valid EasyAuth header only")]
+        [DataRow(EasyAuthType.EasyAuth, true, true, DisplayName = "Valid EasyAuth header and authorization header")]
         [TestMethod]
-        public async Task TestValidStaticWebAppsEasyAuthToken(bool sendAuthorizationHeader, bool addAuthenticated)
+        public async Task TestValidNoneEasyAuthToken(EasyAuthType easyAuthType, bool sendAuthorizationHeader, bool addAuthenticated)
         {
             string generatedToken = AuthTestHelper.CreateStaticWebAppsEasyAuthToken(addAuthenticated);
             HttpContext postMiddlewareContext = await SendRequestAndGetHttpContextState(
                 generatedToken,
-                EasyAuthType.StaticWebApps,
+                easyAuthType,
                 sendAuthorizationHeader);
             Assert.IsNotNull(postMiddlewareContext.User.Identity);
             Assert.IsTrue(postMiddlewareContext.User.Identity.IsAuthenticated);