Make dynamic provider "signin" endpoint customizable

[geoffroybraun]

Hi,

first time posting here, I'll try to be as clear and precise as possible.

Context

I'm currently working on implementing the dynamic provider feature, which perfectly works BTW. This is following a first POC we designed a few months ago before actually engaging our development team on this feature implementation. The idea was basically to do everything we had to for dynamic providers to work without actually having everything in our databse, it was all in-memory.

Problem

At that time, because we did not use the dynamic providers feature, we missed the /federation/{my-oidc-provider}/signin required URI and asked our clients to configure another URI which was /signin-{my-oidc-provider}. Now that we are trying to fully use the feature, we have to create a fake endpoint /signin-{my-oidc-provider} which internally redirects to the hard-coded /federation/{my-oidc-provider}/signin URI.

Proposal

Within the DynamicSchemeAuthenticationMiddleware class which uses a DynamicProviderOptions instance, it will be helpful to make this hard-coded URI manageable from the options. They would look something like this:

public class DynamicProviderOptions
{
    public PathString PathPrefix { get; set; } = "/federation";

    public Regex? PathExpression { get; set; }
}

With the new PathExpression property, the middleware would now be able to choose whether to use the prefix or the expression as explained below:

class DynamicAuthenticationSchemeMiddleware(IOptionsMonitor<TestDynamicProviderOptions> options) : IMiddleware
{
    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    {
        if (options.CurrentValue.PathExpression is not null)
        {
            var match = options.CurrentValue.PathExpression?.Match(context.Request.Path);

            if (match?.Success == true)
            {
                // this assumes the expression contains a group named 'provider'
                // allowing the middleware to retrieve the scheme
                // e.g.: \/federation\/(?<provider>([\w-]+))\/signin
                var scheme = match.Groups["provider"].Value;

                if (!string.IsNullOrEmpty(scheme))
                {
                    var handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
                    var handler = await handlers.GetHandlerAsync(context, scheme) as IAuthenticationRequestHandler;
                    if (handler != null && await handler.HandleRequestAsync())
                    {
                        return;
                    }
                }
            }
        }
        else
        {
            var startIndex = options.CurrentValue.PathPrefix.ToString().Length;
            if (context.Request.Path.Value.Length > startIndex)
            {
                var scheme = context.Request.Path.Value.Substring(startIndex + 1);
                var idx = scheme.IndexOf('/');
                if (idx > 0)
                {
                    // this assumes the path is: /<PathPrefix>/<scheme>/<extra>
                    // e.g.: /federation/my-oidc-provider/signin
                    scheme = scheme.Substring(0, idx);
                }

                var handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
                var handler = await handlers.GetHandlerAsync(context, scheme) as IAuthenticationRequestHandler;
                if (handler != null && await handler.HandleRequestAsync())
                {
                    return;
                }
            }
        }

        await next(context);
    }
}

In our case, we would define the dynamic providers options like this:

builder.Services.AddIdentityServer(options => {
    options.DynamicProviders.PathExpression = "\/signin-(?<provider>([\w-]+))";
});

Documentation

As the options are already described in the documentation, we simply have to explain this optional behavior.

DynamicProviderOptions

[...]
However, if you wish to fully customize the callback path, you can use the PathExpression property and provide a regular expression that contains a providergroup allowing the server to know where to find the provider name within the current path.

builder.Services
   .AddIdentityServer(options => 
   {
       // ...

        options.DynamicProviders.PathExpression = "\/auth\/signin\/(?<provider>([\w-]+))"

       // ....
   })

Please let me know if you think this suggestion merits further consideration, or if it is not acceptable to you for any reason.

Cheers,

Geoffroy

[AndersAbel]

The requirement for a specific hard coded path patterns is indeed causing issues for many customers. While you are the first to open a request for it, I've seen similar needs in the past.

Instead of introducing a RegEx, I would suggest adding a callback instead. Anyone who wants can implement the callback as a regex, but it also enables other behaviours, including querying a datastore/cache.

[josephdecock]

Hi @geoffroybraun. We'll consider increasing the flexibility of the callback paths in a future release - either with a regex as your suggest, or possibly with a callback as Anders described. In the short term, one strategy that often works pretty well if you're transitioning to dynamic providers is to keep your existing providers that you don't want to change the urls for configured statically, but then have new external providers added to the dynamic providers.