
Reject unauthenticated requests when no credentials are configured#530

Merged
corinagum merged 1 commit into main from cg/auth-no-creds on May 27, 2026

Conversation

@corinagum
Collaborator

Summary

AddTeamsTokenAuthentication currently engages the RequireAssertion(_ => true) bypass policy whenever skipAuth: true is passed or the configured ClientId is empty. That means an empty ClientId silently disables auth for any deployment that forgot to set credentials, with no opt-in.

This change splits the condition: skipAuth: true still bypasses, but a missing ClientId without skipAuth now fails closed (RequireAssertion(_ => false)). Callers that intentionally want unauthenticated local development pass skipAuth: true to AddTeams(...).

Aligns with the equivalent change in TypeScript (microsoft/teams.ts#506) and Python (microsoft/teams.py#360).

Test plan

  • Existing test suite passes
  • Add a test asserting requests are rejected (401/403) when ClientId is empty and skipAuth is not set
  • Add a test asserting requests still bypass when skipAuth: true is explicitly passed with empty ClientId
  • Manual: run a sample with no credentials configured and confirm requests now fail closed unless skipAuth: true is set
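The policy split described in the summary, written out as an added C# illustration (not the project's own code): the "before" branch shows the original bypass-on-empty-ClientId behaviour and the "after" branch shows the fail-closed policy, both built with the public ASP.NET Core authorization APIs. The policy name `"TeamsToken"`, the method name `AddTeamsTokenAuthenticationExample`, and the use of `RequireAuthenticatedUser()` to stand in for the real Teams token validation are assumptions made for this example.

```csharp
// Added example, not code from the repository. Shows the authorization policy
// change described in the PR: an empty Teams:ClientId used to be treated like
// skipAuth (RequireAssertion(_ => true)); it now fails closed
// (RequireAssertion(_ => false)) unless skipAuth is explicitly passed.
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class TeamsAuthExample
{
    // Assumed policy name for this illustration.
    public const string PolicyName = "TeamsToken";

    // BEFORE (the behaviour the PR removes): a missing ClientId is collapsed
    // into the skipAuth condition, so a deployment that forgot to configure
    // credentials silently accepts every request.
    public static AuthorizationPolicy BuildPolicyBefore(string? clientId, bool skipAuth)
    {
        var builder = new AuthorizationPolicyBuilder();
        if (skipAuth || string.IsNullOrEmpty(clientId))
        {
            builder.RequireAssertion(_ => true);   // bypass: everything allowed
        }
        else
        {
            // Stand-in for real Teams token validation (assumption).
            builder.RequireAuthenticatedUser();
        }
        return builder.Build();
    }

    // AFTER: only an explicit skipAuth opt-in bypasses; a missing ClientId
    // without skipAuth denies every request (fail closed).
    public static AuthorizationPolicy BuildPolicyAfter(string? clientId, bool skipAuth)
    {
        var builder = new AuthorizationPolicyBuilder();
        if (skipAuth)
        {
            builder.RequireAssertion(_ => true);   // intentional local-dev bypass
        }
        else if (string.IsNullOrEmpty(clientId))
        {
            builder.RequireAssertion(_ => false);  // no credentials configured: reject
        }
        else
        {
            // Stand-in for real Teams token validation (assumption).
            builder.RequireAuthenticatedUser();
        }
        return builder.Build();
    }

    // Registers the fail-closed policy, reading Teams:ClientId from configuration.
    // Method name is an assumption; it is not the project's AddTeamsTokenAuthentication.
    public static IServiceCollection AddTeamsTokenAuthenticationExample(
        this IServiceCollection services, IConfiguration config, bool skipAuth = false)
    {
        var clientId = config["Teams:ClientId"];
        services.AddAuthorization(options =>
            options.AddPolicy(PolicyName, BuildPolicyAfter(clientId, skipAuth)));
        return services;
    }
}
```

With the "after" policy applied to an endpoint (for example `app.MapPost("/api/messages", ...).RequireAuthorization(TeamsAuthExample.PolicyName)`), an assertion of `false` makes the authorization middleware challenge an unauthenticated caller (401) or forbid an authenticated one (403), which is the outcome the test plan above checks for; the explicit `skipAuth: true` path is the only way to get the permissive policy back.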

Previously, an empty ClientId silently triggered the bypass policy
alongside the explicit skipAuth opt-in. That left unauthenticated
requests accepted by default for any deployment that forgot to
configure credentials.

Splits the condition: skipAuth still bypasses, but a missing ClientId
without skipAuth now fails closed. Callers that intentionally want
the bypass (local dev without credentials) pass skipAuth: true to
AddTeams(...).
@corinagum corinagum marked this pull request as ready for review May 27, 2026 17:21
Copilot AI review requested due to automatic review settings May 27, 2026 17:21
Contributor

Copilot AI left a comment


Pull request overview

This PR changes the ASP.NET Core Teams token auth policy configuration to fail closed when no Teams credentials are configured, instead of silently bypassing auth when ClientId is missing. This aligns the .NET behavior with the referenced TypeScript/Python changes and prevents accidentally deploying with authentication disabled due to missing configuration.

Changes:

  • Split the existing “bypass auth” condition so that only skipAuth: true bypasses authorization.
  • When Teams:ClientId is empty and skipAuth is not set, configure the policy to reject all requests.


@corinagum corinagum added this pull request to the merge queue May 27, 2026
Merged via the queue into main with commit db32621 May 27, 2026
11 checks passed
@corinagum corinagum deleted the cg/auth-no-creds branch May 27, 2026 20:03