Introduce new authentication provider Unauthenticated as the default

[Copilot]

Why make this change?

New authentication provider where all operations run as anonymous. Useful when DAB is behind an app gateway or APIM where authentication is handled externally.

What is this change?

Core Implementation:

• Added UnauthenticatedAuthenticationHandler in UnauthenticatedAuthentication/ folder (follows Simulator pattern)
• Added IsUnauthenticatedAuthenticationProvider() to AuthenticationOptions.cs
• Added IsUnauthenticatedIdentityProvider property to RuntimeConfig.cs
• Added explicit mapping in ClientRoleHeaderAuthenticationMiddleware.ResolveConfiguredAuthNScheme()
• Changed AuthenticationOptions record default from AppService to Unauthenticated
• Updated IsAppServiceIdentityProvider and IsStaticWebAppsIdentityProvider to only return true when explicitly set

CLI & Validation:

• Changed dab init default from AppService to Unauthenticated
• Utils.ValidateAudienceAndIssuerForJwtProvider() accepts Unauthenticated without JWT config
• ConfigGenerator.IsConfigValid() emits warning (not error) when used with non-anonymous roles
• Simulator provider comparison made case-insensitive (consistent with Unauthenticated check)

Schema:

• Added Unauthenticated to dab.draft.schema.json provider enum

Test Updates:

• Updated all CLI snapshot files (115+ files) to expect Unauthenticated as default
• Updated InitTests.cs, UpdateEntityTests.cs, and TestHelper.cs to use Unauthenticated as the default provider in unit test setup helpers
• Integration test config files (dab-config.*.json) continue to use AppService because integration tests exercise role-based policies (authenticated role, database policies, exclude fields) that require actual token-based authentication — the Unauthenticated provider treats all requests as anonymous and does not process bearer tokens

Key behaviors:

• Allowed in production mode (unlike Simulator)
• Allowed with authenticated/custom role permissions (warning emitted)
• No JWT configuration required

How was this tested?

• Integration Tests
  • Integration test config files (dab-config.*.json) retain AppService provider to support role-based policy testing
• Unit Tests
  • ValidateUnauthenticatedProviderIdentification in AuthenticationConfigValidatorUnitTests.cs
  • Unauthenticated test cases in TestValidateAudienceAndIssuerForAuthenticationProvider
  • Updated all CLI snapshot files (115+ files) to expect Unauthenticated as default
  • TestUnauthenticatedProviderNonAnonymousRoleDetection validates warning is emitted for non-anonymous roles

Sample Request(s)

# Now defaults to Unauthenticated provider
dab init --database-type mssql --connection-string "..."

# Explicit AppService provider (previous default)
dab init --database-type mssql --connection-string "..." --auth.provider AppService

Config snippet:

{
  "runtime": {
    "host": {
      "authentication": {
        "provider": "Unauthenticated"
      }
    }
  }
}

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

Introduces a new Unauthenticated authentication provider intended to treat all requests as anonymous without requiring JWT configuration.

Changes:

• Added an Unauthenticated ASP.NET Core auth handler/scheme and wired it into Startup auth registration paths.
• Updated CLI validation and config validation logic to allow Unauthenticated without JWT (with warnings for non-anonymous role permissions).
• Extended schema and CLI tests/snapshots to include the new provider.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/Service/Startup.cs	Registers the Unauthenticated auth scheme in both auth configuration paths.
src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationHandler.cs	New auth handler that yields an anonymous principal.
src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationDefaults.cs	Defines the scheme name constants for the new provider.
src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationBuilderExtensions.cs	Adds an AuthenticationBuilder extension to register the new scheme.
src/Core/AuthenticationHelpers/SupportedAuthNProviders.cs	Adds Unauthenticated to the supported provider constants.
src/Config/ObjectModel/AuthenticationOptions.cs	Adds provider detection helper and updates JWT-required determination logic.
src/Cli/Utils.cs	Allows Unauthenticated to omit JWT audience/issuer and updates messaging.
src/Cli/ConfigGenerator.cs	Emits a warning when Unauthenticated is used with non-anonymous permissions.
src/Cli.Tests/ValidateConfigTests.cs	Adds unit tests for Unauthenticated provider helper methods.
src/Cli.Tests/Snapshots/InitTests.EnsureCorrectConfigGenerationWithDifferentAuthenticationProviders_47836da0dfbdc458.verified.txt	Updates snapshot for config generation using Unauthenticated.
src/Cli.Tests/InitTests.cs	Adds Unauthenticated as a test case for init/config generation.
schemas/dab.draft.schema.json	Adds Unauthenticated to the provider enum and documents it.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JerryNixon]

@copilot apply changes based on the comments in this thread

[Aniruddh25]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).

[Aniruddh25]

@copilot, investigate failures in these tests. Fix the tests to accept Unauthenticated provider.

https://dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18318/logs/45

[Aniruddh25]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).

[Aniruddh25]

@copilot, investigate and fix these failures:

https://dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18329/logs/15
and
https://dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18324/logs/38

[RubenCerna2079]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).

[souvikghosh04]

@copilot multiple tests are failing in Unit tests and Integrations tests. for example, this Unit test failed-

Stack Trace:
Failed TestUpdateStoredProcedureWithBothMcpPropertiesEnabled [5 ms]
Error Message:
Test method Cli.Tests.UpdateEntityTests.TestUpdateStoredProcedureWithBothMcpPropertiesEnabled threw exception:
VerifyException: Directory: /home/vsts/work/1/s/src/Cli.Tests/Snapshots
NotEqual:

• Received: UpdateEntityTests.TestUpdateStoredProcedureWithBothMcpPropertiesEnabled.received.txt
  Verified: UpdateEntityTests.TestUpdateStoredProcedureWithBothMcpPropertiesEnabled.verified.txt

FileContent:

NotEqual:

Received: UpdateEntityTests.TestUpdateStoredProcedureWithBothMcpPropertiesEnabled.received.txt
Verified: UpdateEntityTests.TestUpdateStoredProcedureWithBothMcpPropertiesEnabled.verified.txt

most of them seems like failing in comparing the expected and generated configs.

also, investigate other tests and fix them in this same branch- copilot/add-unauthenticated-auth-provider.

[Copilot]

@copilot, investigate and fix these failures:

https://[dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18329/logs/15](https://dev.azure.com/sqldab/fcb2...

Fixed in 1c13dd5. The root cause was that test helpers and snapshot tests still had "AppService" hardcoded, while the code now defaults to Unauthenticated:

• InitTests.cs: Changed authenticationProvider: EasyAuthType.AppService.ToString() → "Unauthenticated" for snapshot tests that are not specifically testing AppService behavior
• UpdateEntityTests.cs: Updated GetInitialConfigString() to use "Unauthenticated"
• TestHelper.cs: Updated RUNTIME_SECTION constant to use "Unauthenticated"
• EnsureCorrectConfigGenerationWithDifferentAuthenticationProviders_b95b637ea87f16a7.verified.txt: Restored to AppService since that test explicitly tests the AppService provider

[souvikghosh04]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).

[souvikghosh04]

@copilot the following tests failed in PG integration tests-

Put_Insert_WithReadDatabasePolicyUnsatisfiedTest
Update Mutation Prohibited by Policy
FindTestsWithFilterQueryStringOneOpFilter
PutInsert_NoReadTest
TestTryInsertMutationForVariableNotNullDefault
InsertMutationForVariableNotNullDefault
InsertOneWithNoReadPermissionsTest
TestViolatingOneToOneRelationship
Patch_Insert_WithExcludeFieldsTest
PutOne_Update_WithExcludeFields_Test
PatchOne_Update_NoReadTest
FindTestOnTableWithDatabasePolicy
Put_Insert_WithReadDatabasePolicyTest
InsertOneWithReadDatabasePolicyUnsatisfiedTest
PutOne_Update_WithReadDbPolicyUnsatisfied_Test
InsertOneWithReadDatabasePolicyTest
Put_Insert_WithExcludeFieldsTest
InsertOneWithExcludeFieldsTest
PutOne_Update_WithNoReadAction_Test
Patch_Insert_WithReadDatabasePolicyUnsatisfiedTest
Patch_Update_WithReadDatabasePolicyTest
PatchInsert_NoReadTest
Patch_Insert_WithReadDatabasePolicyTest
Patch_Update_WithExcludeFieldsTest
Patch_Update_WithReadDatabasePolicyUnsatisfiedTest
PutOne_Update_WithReadDbPolicy_Test
QueryByPK_Policy
QueryMany_Policy
QueryMany_NestedRequest_Policy
QueryMany_Policy_Nullable
TestNestedFilterWithAnd
TestFilterForVarcharColumnWithNullAndNonNullValues
QueryByPK_NestedRequest_Policy
TestNestedFilterWithinNestedFilter
TestNestedFilterWithOr
TestNestedFilterWithOrAndIN

following tests failed for DW SQL integration tests-

FindTestsWithFilterQueryStringOneOpFilter
InsertMutationWithDatabasePolicy
InsertMutationFailingDatabasePolicy
FindTestOnTableWithDatabasePolicy

following tests failed for MySQL integration tests-
PutInsert_NoReadTest
PutOne_Update_WithReadDbPolicyUnsatisfied_Test
FindTestOnTableWithDatabasePolicy
PutOne_Update_WithExcludeFields_Test
FindTestsWithFilterQueryStringOneOpFilter
Put_Insert_WithReadDatabasePolicyTest
PatchOne_Update_NoReadTest
TestTryInsertMutationForVariableNotNullDefault
PatchInsert_NoReadTest
Patch_Update_WithExcludeFieldsTest
PutOne_Update_WithNoReadAction_Test
Update Mutation Prohibited by Policy
Put_Insert_WithReadDatabasePolicyUnsatisfiedTest
PutOne_Update_WithReadDbPolicy_Test
Put_Insert_WithExcludeFieldsTest
InsertOneWithReadDatabasePolicyUnsatisfiedTest
Patch_Insert_WithReadDatabasePolicyUnsatisfiedTest
Patch_Update_WithReadDatabasePolicyTest
InsertOneWithNoReadPermissionsTest
Patch_Insert_WithExcludeFieldsTest
InsertOneWithReadDatabasePolicyTest
InsertOneWithExcludeFieldsTest
Patch_Update_WithReadDatabasePolicyUnsatisfiedTest
Patch_Insert_WithReadDatabasePolicyTest
InsertMutationForVariableNotNullDefault
TestViolatingOneToOneRelationship
QueryByPK_Policy
QueryMany_Policy
QueryMany_NestedRequest_Policy
QueryByPK_NestedRequest_Policy
TestFilterForVarcharColumnWithNullAndNonNullValues
QueryMany_Policy_Nullable
``

please ensure to check for other database tests like MSSQL and Cosmos as well.
implement the fi in this branch- copilot/add-unauthenticated-auth-provider

make sure the functionality is not broken and not deviated from requirements

[Copilot]

@copilot the following tests failed in PG integration tests-

Put_Insert_WithReadDatabasePolicyUnsatisfiedTest
...

Fixed in 78e3476. The integration test failures were caused by dab-config.*.json files being changed to use Unauthenticated provider. Since many integration tests (database policy tests, authenticated role tests, exclude field tests) require role-based authentication, they fail with Unauthenticated because it treats all requests as anonymous and ignores bearer tokens.

Reverted all dab-config.*.json files and their corresponding Service.Tests snapshots back to AppService provider, which supports proper role-based access for the integration tests.

[souvikghosh04]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).