Skip to content

Flow endpoint and httpcontext always from authz middleware #22672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 20, 2020
Merged

Flow endpoint and httpcontext always from authz middleware #22672

merged 5 commits into from
Jun 20, 2020

Conversation

HaoK
Copy link
Member

@HaoK HaoK commented Jun 8, 2020

Fixes: #16695

@ghost ghost added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Jun 8, 2020
davidfowl
davidfowl reviewed Jun 8, 2020
View reviewed changes
@HaoK HaoK added the breaking-change This issue / pr will introduce a breaking change, when resolved / merged. label Jun 17, 2020
@HaoK HaoK marked this pull request as ready for review June 17, 2020 22:35
@HaoK HaoK requested a review from Tratcher June 18, 2020 23:45
pranavkm
pranavkm approved these changes Jun 19, 2020
View reviewed changes
Copy link
Contributor

@pranavkm pranavkm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we make an announcement for this?

@HaoK
Copy link
Member Author

HaoK commented Jun 19, 2020

Yep I'll open an announcement

@HaoK
Copy link
Member Author

HaoK commented Jun 20, 2020

Breaking change issue dotnet/docs#19034

@HaoK HaoK merged commit 8541bf6 into master Jun 20, 2020
@HaoK HaoK deleted the haok/authz branch June 20, 2020 01:14
@davidfowl
Copy link
Member

This is a runtime breaking change so it’s a big deal. People will migrate to 5.0 and nothing will tell them this is broken after migration until you happen to read the docs. I suggest we do more and write an analyzer to detect consumption of this object at runtime.

cc @pranavkm

@davidfowl
Copy link
Member

davidfowl commented Jun 20, 2020
edited
Loading

cc @Pilchie @DamianEdwards @LadyNaggaga

@HaoK
Copy link
Member Author

HaoK commented Jun 20, 2020

We could also just do this in a non breaking way and add an AuthorizationMiddlewareOptions.UseHttpContextAsResource = false and only do this if they set it to true

@pranavkm
Copy link
Contributor

One of the options we briefly discussed during 3.0 was wrapping the context in an object that allows casting to HttpContext or Endpoint. If your previous code looked like var endpoint = (Endpoint)resource, we could make that work. It does not work with pattern matching expressions. Perhaps we could do that in addition to adding a UseHttpContextAsResource option that is on by default. Unlike Startup code, handler code might exist in libraries which an analyzer wouldn't be useful in.

@HaoK
Copy link
Member Author

HaoK commented Jun 20, 2020

Is the worry that there will be code outside of the app in a library that wouldn't be able to react to this mode? Would that be like some other kind of identity UI packages like thing which might have baked in code expecting the endpoint?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidfowl davidfowl davidfowl left review comments

@JamesNK JamesNK JamesNK left review comments

@pranavkm pranavkm pranavkm approved these changes

@Tratcher Tratcher Tratcher approved these changes

Assignees
No one assigned
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer breaking-change This issue / pr will introduce a breaking change, when resolved / merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature request: Make RouteData or HttpContext available on AuthorizationHandlerContext
5 participants
@HaoK @davidfowl @pranavkm @JamesNK @Tratcher