Skip to content

Consider adding an IEndpointConventionBuilder.RequireAuthorization overload that accepts an AuthorizationPolicy #18497

Closed
@pranavkm

Description

@pranavkm

Endpoint routing has a way to configure auth using RequireAuthorization: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.authorizationendpointconventionbuilderextensions?view=aspnetcore-3.1. The overloads allow specifying names of policies, but no way of specifying a policy itself.

Compare this to AuthorizeFilter which has an overload that allows specifying a policy: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.authorization.authorizefilter.-ctor?view=aspnetcore-3.1#Microsoft_AspNetCore_Mvc_Authorization_AuthorizeFilter__ctor_Microsoft_AspNetCore_Authorization_AuthorizationPolicy_

This overload allows for fairly easy to follow auth setup:

services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});

Metadata

Metadata

Assignees

No one assigned

    Labels

    area-authIncludes: Authn, Authz, OAuth, OIDC, BearerenhancementThis issue represents an ask for new feature or an enhancement to an existing oneold-area-web-frameworks-do-not-use*DEPRECATED* This label is deprecated in favor of the area-mvc and area-minimal labels

    Type

    No type

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions