
Introduce new authentication provider Unauthenticated as the default #3075

Open
Copilot wants to merge 26 commits into main from copilot/add-unauthenticated-auth-provider

Contributor

Copilot AI commented Jan 21, 2026

Why make this change?

New authentication provider where all operations run as anonymous. Useful when DAB is behind an app gateway or APIM where authentication is handled externally.

What is this change?

Core Implementation:

  • Added UnauthenticatedAuthenticationHandler in UnauthenticatedAuthentication/ folder (follows Simulator pattern)
  • Added IsUnauthenticatedAuthenticationProvider() to AuthenticationOptions.cs
  • Added IsUnauthenticatedIdentityProvider property to RuntimeConfig.cs
  • Added explicit mapping in ClientRoleHeaderAuthenticationMiddleware.ResolveConfiguredAuthNScheme()
  • Changed AuthenticationOptions record default from AppService to Unauthenticated

CLI & Validation:

  • Changed dab init default from AppService to Unauthenticated
  • Utils.ValidateAudienceAndIssuerForJwtProvider() accepts Unauthenticated without JWT config
  • ConfigGenerator.IsConfigValid() emits warning (not error) when used with non-anonymous roles

Schema:

  • Added Unauthenticated to dab.draft.schema.json provider enum

Test Updates:

  • Updated all snapshot files (115+ files) to expect Unauthenticated as default
  • Updated test config files (dab-config.*.json) to use Unauthenticated provider
  • Updated SqlTestHelper.cs, DwSqlTestHelper.cs, and CosmosTestHelper.cs to expect UnauthenticatedAuthentication scheme in integration tests

Key behaviors:

  • Allowed in production mode (unlike Simulator)
  • Allowed with authenticated/custom role permissions (warning emitted)
  • No JWT configuration required

How was this tested?

  • Integration Tests
    • Updated SqlTestHelper.cs to expect UnauthenticatedAuthentication scheme
    • Updated DwSqlTestHelper.cs to expect UnauthenticatedAuthentication scheme
    • Updated CosmosTestHelper.cs to expect UnauthenticatedAuthentication scheme
  • Unit Tests
    • ValidateUnauthenticatedProviderIdentification in AuthenticationConfigValidatorUnitTests.cs
    • Unauthenticated test cases in TestValidateAudienceAndIssuerForAuthenticationProvider
    • Updated all snapshot files (115+ files) to expect Unauthenticated as default

Sample Request(s)

# Now defaults to Unauthenticated provider
dab init --database-type mssql --connection-string "..."

# Explicit AppService provider (previous default)
dab init --database-type mssql --connection-string "..." --auth.provider AppService

Config snippet:

{
  "runtime": {
    "host": {
      "authentication": {
        "provider": "Unauthenticated"
      }
    }
  }
}

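Added example (not code from this PR or the DAB project): a small audit over a DAB config that mirrors the warning described above for Unauthenticated combined with non-anonymous roles, and also flags configs that rely on the changed default. The sample config is constructed; the fallback for an omitted provider and the case-insensitive comparison are assumptions.

```python
import json

# Constructed sample config (not from the PR): no "authentication" block,
# so the provider default applies; one entity grants a non-anonymous role.
SAMPLE_CONFIG = json.loads("""
{
  "runtime": {"host": {"mode": "production"}},
  "entities": {
    "Book": {"permissions": [
      {"role": "anonymous", "actions": ["read"]},
      {"role": "authenticated", "actions": ["create", "update"]}
    ]},
    "Author": {"permissions": [{"role": "anonymous", "actions": ["read"]}]}
  }
}
""")

DEFAULT_PROVIDER = "Unauthenticated"  # new default per this PR (was AppService)


def audit_auth(config):
    """Return (provider, implicit_default, findings) for a DAB config dict."""
    auth = config.get("runtime", {}).get("host", {}).get("authentication") or {}
    provider = auth.get("provider")
    implicit = provider is None  # assumption: omitted provider -> record default
    provider = provider or DEFAULT_PROVIDER
    findings = []
    # Assumption: provider names are compared case-insensitively.
    if provider.lower() != DEFAULT_PROVIDER.lower():
        return provider, implicit, findings
    if implicit:
        findings.append("provider not set: falls back to Unauthenticated; "
                        "pin it explicitly if AppService was intended")
    for name, entity in config.get("entities", {}).items():
        for perm in entity.get("permissions", []):
            role = perm.get("role", "")
            if role.lower() != "anonymous":
                findings.append(f"entity '{name}': role '{role}' has permissions, but "
                                "this provider runs all operations as anonymous")
    return provider, implicit, findings


if __name__ == "__main__":
    provider, implicit, findings = audit_auth(SAMPLE_CONFIG)
    print(f"provider={provider} implicit={implicit}")
    for finding in findings:
        print("WARN:", finding)
```

Run it over existing config files before upgrading to see which ones would silently change provider.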

Copilot AI and others added 3 commits January 21, 2026 17:07
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
…and JSON schema

Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add new authentication provider 'Unauthenticated'" to "Introduce new authentication provider Unauthenticated" on Jan 21, 2026
Copilot AI requested a review from JerryNixon January 21, 2026 17:30
Contributor

Copilot AI left a comment


Pull request overview

Introduces a new Unauthenticated authentication provider intended to treat all requests as anonymous without requiring JWT configuration.

Changes:

  • Added an Unauthenticated ASP.NET Core auth handler/scheme and wired it into Startup auth registration paths.
  • Updated CLI validation and config validation logic to allow Unauthenticated without JWT (with warnings for non-anonymous role permissions).
  • Extended schema and CLI tests/snapshots to include the new provider.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| src/Service/Startup.cs | Registers the Unauthenticated auth scheme in both auth configuration paths. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationHandler.cs | New auth handler that yields an anonymous principal. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationDefaults.cs | Defines the scheme name constants for the new provider. |
| src/Core/AuthenticationHelpers/UnauthenticatedAuthenticationHandler/UnauthenticatedAuthenticationBuilderExtensions.cs | Adds an AuthenticationBuilder extension to register the new scheme. |
| src/Core/AuthenticationHelpers/SupportedAuthNProviders.cs | Adds Unauthenticated to the supported provider constants. |
| src/Config/ObjectModel/AuthenticationOptions.cs | Adds provider detection helper and updates JWT-required determination logic. |
| src/Cli/Utils.cs | Allows Unauthenticated to omit JWT audience/issuer and updates messaging. |
| src/Cli/ConfigGenerator.cs | Emits a warning when Unauthenticated is used with non-anonymous permissions. |
| src/Cli.Tests/ValidateConfigTests.cs | Adds unit tests for Unauthenticated provider helper methods. |
| src/Cli.Tests/Snapshots/InitTests.EnsureCorrectConfigGenerationWithDifferentAuthenticationProviders_47836da0dfbdc458.verified.txt | Updates snapshot for config generation using Unauthenticated. |
| src/Cli.Tests/InitTests.cs | Adds Unauthenticated as a test case for init/config generation. |
| schemas/dab.draft.schema.json | Adds Unauthenticated to the provider enum and documents it. |


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@JerryNixon
Contributor

@copilot apply changes based on the comments in this thread

@Aniruddh25
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

@Aniruddh25
Collaborator

@copilot, the unit tests are failing since Snapshots files have not been fixed. example:
Cli.Tests.EndToEndTests.TestUpdatingStoredProcedureWithRestMethodsAndGraphQLOperations

Fix the snapshots

@Aniruddh25
Collaborator

@copilot, fix the DWSQL integration tests, investigate the raw logs here:

https://dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18312/logs/38

Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 8, 2026

@copilot, the unit tests are failing since Snapshots files have not been fixed. example:
Cli.Tests.EndToEndTests.TestUpdatingStoredProcedureWithRestMethodsAndGraphQLOperations

...

Fixed in a8781ac. Updated 110 snapshot files to use Provider: Unauthenticated as the default. The test TestUpdatingStoredProcedureWithRestMethodsAndGraphQLOperations and all 138 EndToEndTests pass locally.

…integration tests

Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 8, 2026

@copilot, fix the DWSQL integration tests, investigate the raw logs here:

https://dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18312/logs/38 ...

Fixed in bb114bf. The DWSQL integration tests were failing because the config-generator command files (dwsql-commands.txt, etc.) use dab init without specifying --auth.provider. Since the default is now Unauthenticated, the generated configs used the wrong authentication provider.

Added --auth.provider AppService to all five config-generator command files to explicitly set the authentication provider expected by the integration tests.

…henticated provider

Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
@Aniruddh25
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

@Aniruddh25
Collaborator

@copilot, investigate failures in these tests. Fix the tests to accept Unauthenticated provider.

https://dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_apis/build/builds/18318/logs/45

@Aniruddh25
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

@Aniruddh25
Collaborator


Successfully merging this pull request may close these issues.

[Enh]: Introduce new authentication provider unauthenticated

5 participants