Introduce new authentication provider Unauthenticated as the default #3075

Open
Copilot wants to merge 12 commits into main from copilot/add-unauthenticated-auth-provider

Copilot AI commented Jan 21, 2026

Why make this change?

New authentication provider where all operations run as anonymous. Useful when DAB is behind an app gateway or APIM where authentication is handled externally. This provider is now the default when executing dab init without an explicit --auth.provider flag.

What is this change?

Core Implementation:

  • Added IsUnauthenticatedAuthenticationProvider() to AuthenticationOptions.cs
  • Created UnauthenticatedAuthenticationHandler in UnauthenticatedAuthentication folder (follows Simulator pattern, returns unauthenticated ClaimsPrincipal)
  • Updated Startup.cs to register the provider in both ConfigureAuthentication() and ConfigureAuthenticationV2()
  • Added explicit mapping in ClientRoleHeaderAuthenticationMiddleware.ResolveConfiguredAuthNScheme() for proper scheme selection at request time

CLI & Validation:

  • Changed default authentication provider from AppService to Unauthenticated for dab init
  • Updated Utils.ValidateAudienceAndIssuerForJwtProvider() to accept Unauthenticated without JWT
  • Added single general warning in ConfigGenerator.IsConfigValid() when used with authenticated/custom roles (not an error)
  • Updated help text in ConfigureOptions.cs to reflect new default

Schema:

  • Added Unauthenticated to dab.draft.schema.json provider enum

Key behaviors:

  • Now the default provider when dab init is executed without --auth.provider
  • Allowed in production mode (unlike Simulator)
  • Allowed with authenticated/custom role permissions (warning emitted)
  • No JWT configuration required

How was this tested?

  • Integration Tests
  • Unit Tests
    • ValidateUnauthenticatedProviderIdentification test in AuthenticationConfigValidatorUnitTests.cs
    • Unauthenticated test cases in TestValidateAudienceAndIssuerForAuthenticationProvider (UtilsTests.cs)
    • Unauthenticated test case in TestBaseRouteIsConfigurableForSWA (EndToEndTests.cs)
    • Unauthenticated test case in TestUpdateAuthenticationProviderHostSettings (ConfigureOptionsTests.cs)
    • Snapshot test for config generation with Unauthenticated provider

Sample Request(s)

# Now defaults to Unauthenticated provider
dab init --database-type mssql --connection-string "..."

# Explicit Unauthenticated provider
dab init --database-type mssql --connection-string "..." --auth.provider Unauthenticated

# Explicit AppService provider (previous default)
dab init --database-type mssql --connection-string "..." --auth.provider AppService
dab configure --runtime.host.authentication.provider Unauthenticated

Config snippet:

{
  "runtime": {
    "host": {
      "authentication": {
        "provider": "Unauthenticated"
      }
    }
  }
}
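
The warning this PR describes (Unauthenticated combined with authenticated/custom role permissions) can also be checked against an existing config file. The following is an added example, not code from this PR or the DAB repository; the sample config, the entity and role names, the `entities`/`permissions`/`role` layout (assumed from DAB's config format, not shown on this page) and the treatment of a missing provider as `Unauthenticated` are assumptions.

```python
import json

# Constructed sample config (not from the PR); entity and role names are made up.
SAMPLE_CONFIG = """
{
  "runtime": {"host": {"authentication": {"provider": "Unauthenticated"}}},
  "entities": {
    "Book":  {"permissions": [{"role": "anonymous", "actions": ["read"]}]},
    "Order": {"permissions": [{"role": "authenticated", "actions": ["read"]},
                              {"role": "auditor", "actions": ["*"]}]}
  }
}
"""

def non_anonymous_roles(config):
    """Map entity name -> sorted roles other than 'anonymous' in its permissions."""
    found = {}
    for name, entity in (config.get("entities") or {}).items():
        roles = {
            str(p.get("role", "")).strip()
            for p in entity.get("permissions") or []
            if isinstance(p, dict)
        }
        extra = sorted(r for r in roles if r and r.lower() != "anonymous")
        if extra:
            found[name] = extra
    return found

def audit(config, default_provider="Unauthenticated"):
    """Return warning strings; an empty list means nothing to flag."""
    auth = ((config.get("runtime") or {}).get("host") or {}).get("authentication") or {}
    # Assumption: a config without an explicit provider falls back to the default.
    provider = auth.get("provider") or default_provider
    if provider.lower() != "unauthenticated":
        return []
    return [
        f"entity '{name}': roles {roles} are configured, but provider "
        f"'{provider}' runs every request as anonymous"
        for name, roles in non_anonymous_roles(config).items()
    ]

if __name__ == "__main__":
    for line in audit(json.loads(SAMPLE_CONFIG)):
        print("WARNING:", line)
```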

Copilot AI and others added 3 commits January 21, 2026 17:07
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
…and JSON schema

Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add new authentication provider 'Unauthenticated'" to "Introduce new authentication provider Unauthenticated" Jan 21, 2026
Copilot AI requested a review from JerryNixon January 21, 2026 17:30

Copilot AI left a comment

Pull request overview

Introduces a new Unauthenticated authentication provider intended to treat all requests as anonymous without requiring JWT configuration.

Changes:

  • Added an Unauthenticated ASP.NET Core auth handler/scheme and wired it into Startup auth registration paths.
  • Updated CLI validation and config validation logic to allow Unauthenticated without JWT (with warnings for non-anonymous role permissions).
  • Extended schema and CLI tests/snapshots to include the new provider.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| src/Service/Startup.cs | Registers the Unauthenticated auth scheme in both auth configuration paths. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationHandler.cs | New auth handler that yields an anonymous principal. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationDefaults.cs | Defines the scheme name constants for the new provider. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationBuilderExtensions.cs | Adds an AuthenticationBuilder extension to register the new scheme. |
| src/Core/AuthenticationHelpers/SupportedAuthNProviders.cs | Adds Unauthenticated to the supported provider constants. |
| src/Config/ObjectModel/AuthenticationOptions.cs | Adds provider detection helper and updates JWT-required determination logic. |
| src/Cli/Utils.cs | Allows Unauthenticated to omit JWT audience/issuer and updates messaging. |
| src/Cli/ConfigGenerator.cs | Emits a warning when Unauthenticated is used with non-anonymous permissions. |
| src/Cli.Tests/ValidateConfigTests.cs | Adds unit tests for Unauthenticated provider helper methods. |
| src/Cli.Tests/Snapshots/InitTests.EnsureCorrectConfigGenerationWithDifferentAuthenticationProviders_47836da0dfbdc458.verified.txt | Updates snapshot for config generation using Unauthenticated. |
| src/Cli.Tests/InitTests.cs | Adds Unauthenticated as a test case for init/config generation. |
| schemas/dab.draft.schema.json | Adds Unauthenticated to the provider enum and documents it. |

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@JerryNixon

@copilot apply changes based on the comments in this thread

@RubenCerna2079

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

@JerryNixon

@RubenCerna2079 you will need to help here and resolve the integration test errs for me.

ClaimsIdentity identity = new();
ClaimsPrincipal claimsPrincipal = new(identity);

AuthenticationTicket ticket = new(claimsPrincipal, UnauthenticatedAuthenticationDefaults.AUTHENTICATIONSCHEME);
Contributor

Why do we need to add UnauthenticatedAuthenticationDefaults.AUTHENTICATIONSCHEME for the AuthenticationTicket if in the ClaimsIdentity we don't use it, since it is an unauthenticated user?

Contributor Author

The AuthenticationTicket requires a scheme name as part of the ASP.NET Core authentication infrastructure. While the ClaimsIdentity has no authenticationType (making it unauthenticated), the ticket still needs to identify which authentication handler processed the request. This follows the same pattern as SimulatorAuthenticationHandler.


@RubenCerna2079 RubenCerna2079 left a comment

Missing tests for the following test methods

  • TestValidateAudienceAndIssuerForAuthenticationProvider in UtilTests.cs
  • TestBaseRouteIsConfigurableForSWA in EndToEndTests.cs
  • TestUpdateAuthenticationProviderHostSettings in ConfigureOptionsTests.cs

@RubenCerna2079

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

…ing, add tests

Co-authored-by: RubenCerna2079 <32799214+RubenCerna2079@users.noreply.github.com>

Copilot AI commented Jan 28, 2026

Missing tests for the following test methods

  • TestValidateAudienceAndIssuerForAuthenticationProvider in UtilTests.cs
  • TestBaseRouteIsConfigurableForSWA in EndToEndTests.cs
    ...

Added in f0b25d0:

  • TestValidateAudienceAndIssuerForAuthenticationProvider: Added 4 test cases for Unauthenticated provider
  • TestBaseRouteIsConfigurableForSWA: Added Unauthenticated test case
  • TestUpdateAuthenticationProviderHostSettings: Added Unauthenticated test case

@Aniruddh25 Aniruddh25 linked an issue Feb 11, 2026 that may be closed by this pull request
@JerryNixon

@copilot We need to update dab init in the CLI to default to this new provider when it is executed without an explicit flag.

…ated

Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>

Copilot AI commented Feb 13, 2026

@copilot We need to update dab init in the CLI to default to this new provider when it is executed without an explicit flag.

Done in 17844ce. Changed the default authentication provider from AppService to Unauthenticated for dab init. Updated:

  • InitOptions.cs: --auth.provider default value
  • ConfigureOptions.cs: help text for --runtime.host.authentication.provider
  • ConfigGenerator.cs: fallback provider when not specified
  • AuthenticationOptions.cs: record default value and documentation

Copilot AI changed the title from "Introduce new authentication provider Unauthenticated" to "Introduce new authentication provider Unauthenticated as the default" Feb 13, 2026
Copilot AI requested a review from JerryNixon February 13, 2026 07:04

Development

Successfully merging this pull request may close these issues.

[Enh]: Introduce new authentication provider unauthenticated