Explicitly calling context.Fail(....) in authorization policy requirement handler results in empty policyAuthorizationResult.AuthorizationFailure.FailedRequirements (#55673)
Comments
I'm just hitting the same issue. There is nothing in the doc about this behavior: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/customizingauthorizationmiddlewareresponse?view=aspnetcore-8.0
Ok, so after digging a bit more I found this: when we call Fail, the authContext properties are
In the first case we go to line 20 (aspnetcore/src/Security/Authorization/Core/src/DefaultAuthorizationEvaluator.cs, lines 16 to 21 in e47c15a).
Line 20 goes to this
Line 21 goes to this
So the question is why in case 1 static AuthorizationFailure.Failed is not taking a second argument with the failed requirements?
You might think that
By calling
You'll notice that we never call
Why do you need to call
The example given of an API key being invalid seems more like an authentication failure than an authorization failure anyway. I'd expect that to be reported by an API key
Thanks @halter73, if I understand it correctly, when we write an AuthorizationHandler we have to follow these rules:
- Succeed: means "Ok, this handler has met the required condition"
- No call: means "This handler has not met the required condition"
- Fail: means "An error has happened that prevents the handler from concluding whether it succeeded or not"
No problem. Your understanding looks correct to me.
Thanks @halter73 for the clarification.
Is there an existing issue for this?

Describe the bug
Calling `context.Fail(....)` in our Authorization policy requirement handler causes `policyAuthorizationResult.AuthorizationFailure.FailedRequirements` to be empty when our Authorization fails.

Expected Behavior
`policyAuthorizationResult.AuthorizationFailure.FailedRequirements` should not be empty when Authorization fails, regardless of whether we call `context.Fail(....)` in our policy requirement handler or not.

Steps To Reproduce
Clone this repo, build and run.
Initiate the request below using cURL, notice we get a 401 Unauthorized response.
cURL, notice we get a 403 Forbidden response.
The difference between the two endpoints is their Authorization policy requirement handlers. The `implicit-fail` endpoint policy requirement handler doesn't call `context.Fail` if authorization fails. However, the `explicit-fail` endpoint policy requirement handler calls `context.Fail("....")` when authorization fails.
I have an `IAuthorizationMiddlewareResultHandler` implementation that checks if the failed requirement is of a particular type using `policyAuthorizationResult.AuthorizationFailure.FailedRequirements` and modifies the response status code appropriately. Unfortunately, `policyAuthorizationResult.AuthorizationFailure.FailedRequirements` is always empty when we use the `explicit-fail` policy requirement handler that calls `context.Fail("....")`.
I don't see this behaviour documented anywhere so I assume it's a bug.
If it is an expected behaviour (this would be strange 😕), then how do we propagate the failure reason from the various policy requirement handlers to my `IAuthorizationMiddlewareResultHandler` without calling `context.Fail("....")`?

Exceptions (if any)
No response

.NET Version
8.0.200

Anything else?
No response
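A worked C# example, added here and not taken from the reporter's repo or from ASP.NET Core itself, showing the two handler styles the report describes together with the rules from the comment thread (Succeed / no call / Fail), plus an IAuthorizationMiddlewareResultHandler that reads both FailedRequirements (populated by an implicit fail) and FailureReasons (populated by an explicit context.Fail). The ApiKeyRequirement, the "api_key_valid" claim and the class names are assumptions made for the example.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
// .NET 8 web SDK implicit usings assumed (System.Linq, System.Threading.Tasks).
// Constructed requirement for this example; the "api_key_valid" claim is an assumption.
public sealed class ApiKeyRequirement : IAuthorizationRequirement { }
// "Implicit fail": return without calling Succeed. The default evaluator then reports
// the still-pending requirement in AuthorizationFailure.FailedRequirements.
public sealed class ImplicitFailHandler : AuthorizationHandler<ApiKeyRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ApiKeyRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "api_key_valid"))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
// "Explicit fail": context.Fail(...) marks the whole evaluation as failed. The evaluator
// then reports AuthorizationFailure.FailureReasons and leaves FailedRequirements empty.
public sealed class ExplicitFailHandler : AuthorizationHandler<ApiKeyRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ApiKeyRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "api_key_valid"))
            context.Succeed(requirement);
        else
            context.Fail(new AuthorizationFailureReason(this, "API key invalid"));
        return Task.CompletedTask;
    }
}
// Result handler that checks both collections, so it works with either handler style.
public sealed class ApiKeyStatusCodeHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _fallback = new();
    public Task HandleAsync(RequestDelegate next, HttpContext httpContext,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        var failure = authorizeResult.AuthorizationFailure;
        bool apiKeyFailed = authorizeResult.Forbidden && failure is not null &&
            (failure.FailedRequirements.OfType<ApiKeyRequirement>().Any()          // implicit fail
             || failure.FailureReasons.Any(r => r.Handler is ExplicitFailHandler)); // explicit fail
        if (apiKeyFailed)
        {
            httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        }
        return _fallback.HandleAsync(next, httpContext, policy, authorizeResult);
    }
}
```

Register it with `builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, ApiKeyStatusCodeHandler>()` next to the two handlers; with both collections checked, the explicit-fail and implicit-fail endpoints produce the same status code.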