From 8a5f422741833b4587c4d59d8917e6305c0c227b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 14 May 2026 20:53:20 +0000
Subject: [PATCH 1/3] Initial plan

From 1ed5eabd51bd8ca7eb0799aaf86e1ad5e84f0174 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 14 May 2026 20:58:11 +0000
Subject: [PATCH 2/3] Tie JwtBearer RequireHttpsMetadata to HostMode

Agent-Logs-Url: https://github.com/Azure/data-api-builder/sessions/ba26e602-5494-4b74-a80c-cafebe29dcf1
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
---
 src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs | 1 +
 src/Service/Startup.cs | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs b/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
index b8be86195c..f4004f2cdf 100644
--- a/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
+++ b/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
@@ -49,6 +49,7 @@ public void Configure(string? name, JwtBearerOptions options)
 options.MapInboundClaims = false;
 options.Audience = newAuthOptions.Jwt.Audience;
 options.Authority = newAuthOptions.Jwt.Issuer;
+ options.RequireHttpsMetadata = _runtimeConfigProvider.GetConfig().Runtime?.Host?.Mode is HostMode.Production;
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
 {
 ValidAudience = newAuthOptions.Jwt.Audience,
diff --git a/src/Service/Startup.cs b/src/Service/Startup.cs
index 1818697e45..9340c7c7aa 100644
--- a/src/Service/Startup.cs
+++ b/src/Service/Startup.cs
@@ -1001,6 +1001,7 @@ private void ConfigureAuthentication(IServiceCollection services, RuntimeConfigP
 options.MapInboundClaims = false;
 options.Audience = authOptions.Jwt!.Audience;
 options.Authority = authOptions.Jwt!.Issuer;
+ options.RequireHttpsMetadata = mode is HostMode.Production;
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
 {
 // Instructs the asp.net core middleware to use the data in the "roles" claim for User.IsInRole()

From 4d20067c8c7307d79fa41c94cae336f8de15c09c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 14 May 2026 21:25:15 +0000
Subject: [PATCH 3/3] Require HTTPS metadata unless mode is Development (secure default)

Agent-Logs-Url: https://github.com/Azure/data-api-builder/sessions/606ab4fa-e7ea-4b60-80c6-e2114148da0e
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
---
 src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs | 5 ++++-
 src/Service/Startup.cs | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs b/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
index f4004f2cdf..612527d800 100644
--- a/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
+++ b/src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs
@@ -49,7 +49,10 @@ public void Configure(string? name, JwtBearerOptions options)
 options.MapInboundClaims = false;
 options.Audience = newAuthOptions.Jwt.Audience;
 options.Authority = newAuthOptions.Jwt.Issuer;
- options.RequireHttpsMetadata = _runtimeConfigProvider.GetConfig().Runtime?.Host?.Mode is HostMode.Production;
+ // Require HTTPS for IdP metadata unless explicitly running in Development mode.
+ // Host is guaranteed non-null here because newAuthOptions (Runtime.Host.Authentication) was checked above,
+ // but we keep null-conditional access defensively; a null mode is treated as non-Development (HTTPS required).
+ options.RequireHttpsMetadata = _runtimeConfigProvider.GetConfig().Runtime?.Host?.Mode is not HostMode.Development;
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
 {
 ValidAudience = newAuthOptions.Jwt.Audience,
diff --git a/src/Service/Startup.cs b/src/Service/Startup.cs
index 9340c7c7aa..81d9b63945 100644
--- a/src/Service/Startup.cs
+++ b/src/Service/Startup.cs
@@ -1001,7 +1001,10 @@ private void ConfigureAuthentication(IServiceCollection services, RuntimeConfigP
 options.MapInboundClaims = false;
 options.Audience = authOptions.Jwt!.Audience;
 options.Authority = authOptions.Jwt!.Issuer;
- options.RequireHttpsMetadata = mode is HostMode.Production;
+ // Require HTTPS for IdP metadata unless explicitly running in Development mode.
+ // This keeps defaults secure (HTTPS) for any current or future non-Development mode,
+ // while still allowing local/docker scenarios (e.g. IdP reachable only over HTTP) in Development.
+ options.RequireHttpsMetadata = mode is not HostMode.Development;
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
 {
 // Instructs the asp.net core middleware to use the data in the "roles" claim for User.IsInRole()
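Review bot: The added line calls `_runtimeConfigProvider.GetConfig()` a second time, while the comment above it justifies the null-conditional access by a check made on `newAuthOptions` earlier in Configure, outside this hunk; if that check was made on an earlier GetConfig() result, Mode could be read from a different config snapshot than Audience and Issuer should the config be replaced between the two calls. Reading the config once where newAuthOptions is obtained, `var config = _runtimeConfigProvider.GetConfig();`, and then writing `options.RequireHttpsMetadata = config.Runtime?.Host?.Mode is not HostMode.Development;` here removes that window and makes the comment's "guaranteed non-null" claim verifiable from the same local. Because a false value lets the OIDC discovery document and signing keys be fetched over plaintext HTTP, a unit test pinning `RequireHttpsMetadata` for Development, Production and a null Mode (expected false, true, true) would keep the secure default from regressing. Configure continues outside the hunk on both sides.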
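Review bot: The same policy now lives in two places, this line and the identical expression in ConfigureJwtBearerOptions.Configure in the first hunk of this patch, each with a different three-line comment, so the next change to one is likely to miss the other. A single helper that both call, for example `static bool RequiresHttpsMetadata(HostMode? mode) => mode is not HostMode.Development;` with the rationale in its XML doc, would keep the two JwtBearer configuration paths in step. `mode` is declared outside this hunk, so whether it can be null (and therefore resolves to HTTPS required) cannot be confirmed here; if it can, the comment in this file could state that as the other file's comment does. ConfigureAuthentication continues on both sides of the hunk.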