[Discussion] Single authentication scheme is treated as default scheme

[captainsafia]

Starting in .NET 7 Preview 7, we introduced new behavior in the authentication area in ASP.NET Core to reduce boilerplate and help build sensible defaults into ASP.NET Core.

Previously, users were always required to set the default authentication scheme that would be used by authentication and authorization handlers, like so:

builder.Services.AddAuthentication("MyDefaultScheme");

Moving forward, when (and only when) a single authentication scheme is registered, that scheme will be treated as the default scheme. For example, "foobar" will be treated as the default scheme in the code below.

builder.Services.AddAuthentication().AddOAuth("foobar");

This change might expose unintended behavior changes in applications, such as authentication options being validated earlier than expected.

[WeihanLi]

What if we had multi auth schema but no default schema registered, would it use the first or the last as the default schema?

For example:

services.AddAuthentication()
    .AddBasic()
    .AddJwtBearer()
    .AddCookie();

[fowl2]

I'm assuming this is part of the overall effort to reduce boilerplate?

Even if it's "obvious" I think it's worth including an explicit motivation in announcements like this, so we know 'why' we're potentially breaking someone :)

[captainsafia]

What if we had multi auth schema but no default schema registered, would it use the first or the last as the default schema?

In this case, no default schema is set. This rule only applies when a single schema is registered.

I'm assuming this is part of the overall effort to reduce boilerplate?

Yep.

Even if it's "obvious" I think it's worth including an explicit motivation in announcements like this, so we know 'why' we're potentially breaking someone :)

Good feedback!

[poke]

I think this is a good change which should help to reduce some of the confusion which occurs from “magic defaults”. Thanks! 😊