.NET 7 UseAuthentication and UserAuthorization ordering not respected when within UseWhen

[UniSnake]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

When configuring my WebApplication I make use of a UseWhen statement so that auth logic is only applied to endpoints with a specific base path.

This worked with ASP.NET Core 6.0 but with 7.0 there are two problems:

1. Auth is applied to all endpoints.
2. Auth middleware runs before all other middleware.

I believe this to be caused by the new 7.0 feature that automatically calls UseAuthentication and UseAuthorization when AddAuthentication / AddAuthorization are called. I see there is code in place to prevent this if it is detected that UseAuthentication / UseAuthentication have already been called, but this does not appear to take UseWhen into account.

Expected Behavior

Auth middleware is not inserted when already inserted within a UseWhen statement.

Steps To Reproduce

app.UseWhen(
    httpContext => httpContext.Request.Path.StartsWithSegments("/api"),
    subApp =>
    {
        subApp.UseAuthentication();
        subApp.UseAuthorization();
    });

Exceptions (if any)

No response

.NET Version

7.0.203

Anything else?

No response

[Tratcher]

@BrennanConroy 😁

[BrennanConroy]

You're thinking of the wrong change Chris.

[BrennanConroy]

You can probably work around this with

app.Properties["__AuthenticationMiddlewareSet"] = true;
app.Properties["__AuthorizationMiddlewareSet"] = true;

[UniSnake]

Unfortunately the Properties are not public.

[BrennanConroy]

((IApplicationBuilder)app).Properties[...]

[UniSnake]

Thanks for that! I can confirm that I was able to work around the issue with the suggestion.

var app = builder.Build();
((IApplicationBuilder)app).Properties["__AuthenticationMiddlewareSet"] = true;
((IApplicationBuilder)app).Properties["__AuthorizationMiddlewareSet"] = true;
...
app.UseWhen(
    httpContext => httpContext.Request.Path.StartsWithSegments("/api"),
    subApp =>
    {
        subApp.UseAuthentication();
        subApp.UseAuthorization();
    });

[mkArtakMSFT]

@BrennanConroy, @Tratcher is there a bug then here for us to address later?

[Tratcher]

Yes, we should see what we can do to improve this.

[mkArtakMSFT]

Thanks @Tratcher.
As I understand it, a follow-up work is pending on the runtime side then? Moved to that area path and assigned to .NET 8 Planning milestone.

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.