Skip to content

Support AuthorizationPolicy and IAuthorizationRequirementData metadata everywhere#67765

Open
javiercn wants to merge 11 commits into
mainfrom
javiercn/authz-combine-metadata
Open

Support AuthorizationPolicy and IAuthorizationRequirementData metadata everywhere#67765
javiercn wants to merge 11 commits into
mainfrom
javiercn/authz-combine-metadata

Conversation

@javiercn

@javiercn javiercn commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Fixes #63365.

Only the AuthorizationMiddleware (endpoint routing) honored all three kinds of authorization endpoint metadata:

  • IAuthorizeData  (e.g. [Authorize])
  • AuthorizationPolicy instances used directly as metadata, relevant to routing only
  • IAuthorizationRequirementData (e.g. a custom attribute carrying requirements)

Other places that make the same authorization decision ignored those metadata types:

  • MVC AuthorizeFilter  (GetEffectivePolicyAsync)
  • SignalR HubMethodDescriptor  (previously gathered Policies only)
  • Blazor AuthorizeViewCore/ AuthorizeRouteView (didn't consider IAuthorizationRequirementData)

The legacy non-endpoint-routing path (EnableEndpointRouting=false  + UseMvc) is a deliberately-frozen, opt-out code path untouched for ~7 years, so extending it isn't worth the risk.

This PR adds a higher-level API that takes all the metadata associated with an endpoint and returns the effective policy, then routes the existing sites through it.

New API

namespace Microsoft.AspNetCore.Authorization;

public class AuthorizationPolicy
{
    public static Task<AuthorizationPolicy?> CombineAsync(
        IAuthorizationPolicyProvider policyProvider,
        IEnumerable<object> metadata);
}

The overload inspects each metadata item and combines any IAuthorizeData, AuthorizationPolicy, and IAuthorizationRequirementData instances into a single effective policy. A single item (for example an attribute) that implements more than one of these interfaces contributes to each. The requirement-data handling that previously lived in AuthorizationMiddleware now lives in a shared code path so behavior is identical.

Changes

  • AuthorizationMiddleware: refactor - replace the existing correct logic with the new shared method call.
  • MVC AuthorizeFilter: endpoint-routing now passes the whole endpoint.Metadata instead of just IAuthorizeData, so that AuthorizationPolicyandIAuthorizationRequirementData` are honored.
  • SignalR- previously it gathered only policy names. Not it collects the full authorization metadata of hub method attributes and combines with the new shared API.
  • Blazor: previously only honored IAuthorizeData, now also IAuthorizationRequirementData, using the new API to combine them.

Tests

Subsystem Allow (positive) Deny (negative) Metadata kinds exercised Test location
Core CombineAsync ✅ ×4 + null IAuthorizeData, IAuthorizationRequirementData, AuthorizationPolicy instance, both-interfaces dedup AuthorizationPolicyFacts.cs
SignalR IAuthorizationRequirementData HubConnectionHandlerTests.cs
MVC (AuthorizeFilter) IAuthorizationRequirementData, AuthorizationPolicy instance AuthorizeFilterTest.cs
Blazor (AuthorizeView) IAuthorizationRequirementData AuthorizeViewTest.cs
Middleware (existing) (existing) all (refactor only) pre-existing middleware tests

javiercn and others added 8 commits July 13, 2026 21:07
…rement metadata everywhere

Adds a higher-level overload:

    AuthorizationPolicy.CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<object> metadata)

that inspects endpoint metadata and combines any IAuthorizeData, AuthorizationPolicy,
and IAuthorizationRequirementData instances into a single effective policy, mirroring the
logic previously only implemented in AuthorizationMiddleware.

Wires the new API into the sites that make the same authorization decision but previously
ignored AuthorizationPolicy / IAuthorizationRequirementData endpoint metadata:

- AuthorizationMiddleware now delegates to the new overload (removing duplicated logic).
- MVC AuthorizeFilter gathers full endpoint metadata instead of only IAuthorizeData.
- SignalR HubMethodDescriptor/DefaultHubDispatcher collect and evaluate all authorization
  metadata (IAuthorizeData + IAuthorizationRequirementData) on hub methods.
- Blazor AuthorizeViewCore gains a virtual GetAuthorizeMetadata() extension point, and
  AuthorizeRouteView honors requirement-data attributes on routed page types.

Adds tests for requirements-only metadata, combined requirements + authorization data, and
an attribute implementing both IAuthorizeData and IAuthorizationRequirementData, plus SignalR
and Blazor coverage.

Fixes #63365

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 58d6d84a-9144-44e2-9460-92c0841414c9
…ment data

Blazor's AuthorizeViewCore now exposes a typed GetAuthorizationRequirementData() ->
IAuthorizationRequirementData[]? extension point instead of an object[] method. The
IAuthorizeData and IAuthorizationRequirementData sources are combined internally, de-duplicating
attributes that implement both interfaces so they aren't processed twice.

AuthorizationPolicy.CombineAsync no longer passes a nullable requirement-data list to its core;
callers coalesce to an empty array, matching how authorizeData and policies are handled.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 58d6d84a-9144-44e2-9460-92c0841414c9
Cover the previously-untested paths from #63365: MVC AuthorizeFilter
now honoring IAuthorizationRequirementData and AuthorizationPolicy
endpoint metadata (with an allow/deny enforcement test), and a Blazor
AuthorizeView allow/deny pair for requirement-data metadata.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: a3d9633a-47ce-45fb-9db2-f366f11bc90f
@ilonatommy ilonatommy added area-security Antiforgery, CSP, etc. -Authentication, -Authorization area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer and removed area-security Antiforgery, CSP, etc. -Authentication, -Authorization labels Jul 14, 2026
@ilonatommy ilonatommy added this to the 11.0-preview7 milestone Jul 14, 2026
@ilonatommy ilonatommy marked this pull request as ready for review July 14, 2026 14:02
Copilot AI review requested due to automatic review settings July 14, 2026 14:02
@ilonatommy ilonatommy requested review from a team, BrennanConroy and halter73 as code owners July 14, 2026 14:02
@ilonatommy ilonatommy requested a review from Youssef1313 July 14, 2026 14:02

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR centralizes authorization-policy computation so all callers (middleware, MVC filters, SignalR hub method dispatch, and Blazor components) honor the same endpoint authorization metadata types: IAuthorizeData, AuthorizationPolicy metadata instances, and IAuthorizationRequirementData.

Changes:

  • Add AuthorizationPolicy.CombineAsync(IAuthorizationPolicyProvider, IEnumerable<object> metadata) to compute an effective policy from mixed endpoint metadata.
  • Refactor authorization evaluation sites (middleware, MVC AuthorizeFilter, SignalR hub dispatch, Blazor AuthorizeViewCore/AuthorizeRouteView) to use the shared combine logic.
  • Add/extend tests across Authorization, MVC, SignalR, and Components to cover IAuthorizationRequirementData and policy-instance metadata.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/Security/Authorization/Core/src/AuthorizationPolicy.cs Adds new CombineAsync overload that inspects endpoint metadata and merges requirements consistently.
src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs Replaces in-middleware metadata handling with the new shared CombineAsync(metadata) overload.
src/Security/Authorization/test/AuthorizationPolicyFacts.cs Adds unit tests for new metadata-based policy combination behavior.
src/Security/Authorization/Core/src/PublicAPI/net11.0/PublicAPI.Unshipped.txt Declares the new AuthorizationPolicy.CombineAsync(..., IEnumerable<object>) API for shipping.
src/Mvc/Mvc.Core/src/Authorization/AuthorizeFilter.cs Updates endpoint-routing path to combine the full endpoint.Metadata instead of only IAuthorizeData.
src/Mvc/Mvc.Core/test/Authorization/AuthorizeFilterTest.cs Adds MVC tests validating requirement-data and policy-instance endpoint metadata are enforced.
src/SignalR/server/Core/src/Internal/HubMethodDescriptor.cs Stores full authorization metadata (not just IAuthorizeData) for hub methods.
src/SignalR/server/Core/src/Internal/DefaultHubDispatcher.cs Discovers and evaluates hub authorization from combined metadata via shared CombineAsync.
src/SignalR/server/SignalR/test/.../Hubs.cs Adds a test-only IAuthorizationRequirementData attribute requiring NameIdentifier claim.
src/SignalR/server/SignalR/test/.../HubConnectionHandlerTests.cs Adds SignalR tests ensuring hub method requirement-data metadata is honored.
src/Components/Authorization/src/AuthorizeViewCore.cs Adds virtual requirement-data hook and combines metadata for Blazor component authorization.
src/Components/Authorization/src/AuthorizeRouteView.cs Flows requirement-data attributes from routed page types into authorization evaluation.
src/Components/Authorization/src/AttributeAuthorizeDataCache.cs Extends attribute cache to track both IAuthorizeData and IAuthorizationRequirementData.
src/Components/Authorization/src/PublicAPI.Unshipped.txt Declares new AuthorizeViewCore.GetAuthorizationRequirementData() API.
src/Components/Authorization/test/AuthorizeViewTest.cs Adds Blazor tests validating requirement-data metadata is passed to authorization.

Comment thread src/Security/Authorization/Core/src/AuthorizationPolicy.cs
Comment thread src/Components/Authorization/src/AuthorizeViewCore.cs
Comment thread src/Components/Authorization/test/AuthorizeViewTest.cs
@ilonatommy ilonatommy requested a review from oroztocil July 15, 2026 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support AuthorizationPolicy and IAuthorizationRequirementData endpoint metadata everywhere not just AuthorizationMiddleware

3 participants