Pull request overview
Adds key rotation support to the HMAC authentication flow by allowing multiple API keys per AppId, updating the authorization provider result shape, and extending the ASP.NET Core handler and tests accordingly.
Changes:
- Extend `AuthorizationProviderResult` to expose `ApiKeys` (multi-key) while keeping `ApiKey` as the primary/first key.
- Update `MemoryHmacAuthenticationProvider` and `HmacAuthenticationHandler` to validate incoming signatures against multiple keys.
- Bump package versions / release notes and add tests for multi-key authorization behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| softaware.Authentication.Hmac/softaware.Authentication.Hmac.csproj | Bumps core package version to reflect new functionality. |
| softaware.Authentication.Hmac/AuthorizationProvider/MemoryHmacAuthenticationProvider.cs | Adds multi-key constructor and returns multi-key results. |
| softaware.Authentication.Hmac/AuthorizationProvider/AuthorizationProviderResult.cs | Adds ApiKeys and a multi-key constructor for key rotation support. |
| softaware.Authentication.Hmac.AspNetCore/softaware.Authentication.Hmac.AspNetCore.csproj | Bumps ASP.NET Core package version and updates release notes for key rotation. |
| softaware.Authentication.Hmac.AspNetCore/HmacAuthenticationHandler.cs | Tries signature validation against multiple keys; modifies replay detection logic. |
| softaware.Authentication.Hmac.AspNetCore.Test/MiddlewareTest.cs | Adds new tests validating authorization with primary/secondary keys. |
softaware.Authentication.Hmac.AspNetCore/HmacAuthenticationHandler.cs
| this.hmacAuthenticatedApps = hmacAuthenticatedApps.ToDictionary( | ||
| kvp => kvp.Key, | ||
| kvp => new[] { kvp.Value }); | ||
| } |
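Review bot: In `kvp => new[] { kvp.Value }`, each single key is wrapped into a one-element array without any check, so a null value in `hmacAuthenticatedApps` becomes a key array that holds a null key. Consider rejecting null or empty keys in this constructor so that a misconfigured AppId fails at construction instead of surfacing later during signature validation.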
MemoryHmacAuthenticationProvider used to keep a reference to the provided IDictionary, preserving custom key comparers (e.g., case-insensitive) and reflecting any updates made after construction. The new ToDictionary copy uses the default comparer and is a snapshot, which can be a breaking behavior change. Consider preserving the source comparer when possible and/or documenting the snapshot semantics explicitly.
Shouldn't be much of an issue I'd say
softaware.Authentication.Hmac/AuthorizationProvider/MemoryHmacAuthenticationProvider.cs
meinsiedler left a comment
Extend the README.md to describe the key rotation for HMAC
…dler.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…AuthenticationProvider.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…mbh/library-authentication into features/key-rotation
Co-authored-by: doerrD <5888867+doerrD@users.noreply.github.com>
Fix nonce replay protection (per-request MemoryCache) and add regression test
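The multi-key signature validation from the pull request overview and the nonce replay protection named in the commit above, combined in an added example that is not code from this pull request or the library. `RotatingHmacValidator`, its `Validate` signature, the raw-byte key format, the five-minute window and the assumption that `signedData` already contains nonce and timestamp are all hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper for illustration; not the library's HmacAuthenticationHandler.
public sealed class RotatingHmacValidator
{
    private readonly IReadOnlyDictionary<string, byte[][]> keysByAppId;
    private readonly TimeSpan maxAge = TimeSpan.FromMinutes(5); // assumed validity window

    // One nonce store shared by all requests. A store created per request
    // starts empty every time and can never detect a replay.
    private readonly ConcurrentDictionary<(string AppId, string Nonce), DateTimeOffset> seenNonces =
        new ConcurrentDictionary<(string AppId, string Nonce), DateTimeOffset>();

    public RotatingHmacValidator(IReadOnlyDictionary<string, byte[][]> keysByAppId)
        => this.keysByAppId = keysByAppId ?? throw new ArgumentNullException(nameof(keysByAppId));

    // signedData is assumed to be the canonical request bytes, including nonce and timestamp.
    public bool Validate(string appId, string nonce, DateTimeOffset timestamp,
                         byte[] signedData, byte[] signature, DateTimeOffset now)
    {
        if (appId == null || nonce == null || signedData == null || signature == null) return false;
        if (!keysByAppId.TryGetValue(appId, out var keys) || keys.Length == 0) return false;
        if ((now - timestamp).Duration() > maxAge) return false;

        // Check every configured key without exiting early, so timing does not
        // reveal whether the primary or a secondary key matched.
        bool matched = false;
        foreach (var key in keys)
        {
            using (var hmac = new HMACSHA256(key))
                matched |= CryptographicOperations.FixedTimeEquals(
                    hmac.ComputeHash(signedData), signature);
        }
        if (!matched) return false;

        // Drop nonces whose request timestamp has left the window; such requests are rejected above.
        foreach (var entry in seenNonces)
            if (now - entry.Value > maxAge) seenNonces.TryRemove(entry.Key, out _);

        // TryAdd returns false if this AppId already used the nonce: a replay.
        return seenNonces.TryAdd((appId, nonce), timestamp);
    }
}
```

The nonce is recorded only after a signature matches, so unauthenticated requests cannot fill the store, and it is kept under the request's own timestamp so it outlives every moment at which that request would still pass the freshness check.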