Explicitly calling `context.Fail(....)` in authorization policy requirement handler results in empty `policyAuthorizationResult.AuthorizationFailure.FailedRequirements`
Xor-el opened this issue
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
Calling `context.Fail(....)` in our Authorization policy requirement handler causes `policyAuthorizationResult.AuthorizationFailure.FailedRequirements` to be empty when our Authorization fails.
Expected Behavior
`policyAuthorizationResult.AuthorizationFailure.FailedRequirements` should not be empty when Authorization fails, regardless of whether we call `context.Fail(....)` in our policy requirement handler or not.
Steps To Reproduce
- Clone this repo, build and run.
- Initiate the request below using cURL; notice we get a `401 Unauthorized` response.

```shell
curl --location 'https://localhost:7244/authbugdemo/implicit-fail' \
--header 'Content-Type: application/json' \
--header 'X-API-Key: BadAPIKey' \
--data '{
"name": "Chucky",
"description": "Child'\''s Play is an American slasher media franchise created by Don Mancini."
}'
```

- Initiate the request below using cURL; notice we get a `403 Forbidden` response.

```shell
curl --location 'https://localhost:7244/authbugdemo/explicit-fail' \
--header 'Content-Type: application/json' \
--header 'X-API-Key: BadAPIKey' \
--data '{
"name": "Chucky",
"description": "Child'\''s Play is an American slasher media franchise created by Don Mancini."
}'
```
- The difference between the two endpoints is their Authorization policy requirement handlers. The `implicit-fail` endpoint policy requirement handler doesn't call `context.Fail` if authorization fails. However, the `explicit-fail` endpoint policy requirement handler calls `context.Fail("....")` when authorization fails.
- I have an `IAuthorizationMiddlewareResultHandler` implementation that checks if the failed requirement is of a particular type using `policyAuthorizationResult.AuthorizationFailure.FailedRequirements` and modifies the response status code appropriately. Unfortunately, `policyAuthorizationResult.AuthorizationFailure.FailedRequirements` is always empty when we use the `explicit-fail` policy requirement handler that calls `context.Fail("....")`.
I don't see this behaviour documented anywhere, so I assume it's a bug.
If it is expected behaviour (this would be strange 😕), then how do we propagate the failure reason from the various policy requirement handlers to my `IAuthorizationMiddlewareResultHandler` without calling `context.Fail("....")`?
Exceptions (if any)
No response
.NET Version
8.0.200
Anything else?
No response
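The following is an added example, not code from the issue or from the reporter's repository. It reproduces the two handler styles the issue describes (one that leaves the requirement pending, one that calls `context.Fail`) against `IAuthorizationService` directly, and shows a single check that recognises the failure in both cases: on the implicit path the pending requirement lands in `AuthorizationFailure.FailedRequirements`, while on the explicit path `context.Fail(AuthorizationFailureReason)` leaves `FailedRequirements` empty and records the calling handler and message in `AuthorizationFailure.FailureReasons` instead. The requirement, handler, resource type, policy names and the `GoodAPIKey` value are all constructed for the example; it assumes a project on the ASP.NET Core shared framework (`Sdk="Microsoft.NET.Sdk.Web"` or a `FrameworkReference` to `Microsoft.AspNetCore.App`) targeting .NET 7 or later, since `AuthorizationFailureReason` and the `Fail(AuthorizationFailureReason)` overload were introduced in .NET 7.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging(); // DefaultAuthorizationService takes an ILogger<T>
services.AddAuthorization(options =>
{
    // Two hypothetical policies, mirroring the issue's implicit-fail / explicit-fail endpoints.
    options.AddPolicy("ImplicitFail", p => p.AddRequirements(new ApiKeyRequirement()));
    options.AddPolicy("ExplicitFail", p => p.AddRequirements(new ApiKeyRequirement { ExplicitFail = true }));
});
services.AddSingleton<IAuthorizationHandler, ApiKeyHandler>();

var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

// Constructed, authenticated principal. In the middleware pipeline the failure details
// reach IAuthorizationMiddlewareResultHandler only when authentication succeeded;
// an unauthenticated user yields a Challenge result that carries no AuthorizationFailure.
var user = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice") }, "Constructed"));
var request = new ApiRequest(PresentedKey: "BadAPIKey"); // constructed bad key, as in the issue's curl calls

foreach (var policyName in new[] { "ImplicitFail", "ExplicitFail" })
{
    AuthorizationResult result = await authz.AuthorizeAsync(user, request, policyName);
    AuthorizationFailure failure = result.Failure!; // non-null because both policies reject BadAPIKey

    Console.WriteLine($"{policyName}: succeeded={result.Succeeded}, " +
                      $"FailedRequirements={failure.FailedRequirements.Count()}, " +
                      $"FailureReasons={failure.FailureReasons.Count()}, " +
                      $"api-key failure={ApiKeyFailure.Matches(failure)}");
}

// Hypothetical resource: what the handler inspects instead of the raw HttpContext.
public sealed record ApiRequest(string? PresentedKey);

// Hypothetical requirement. ExplicitFail only selects which failure style the handler uses.
public sealed class ApiKeyRequirement : IAuthorizationRequirement
{
    public bool ExplicitFail { get; init; }
}

// Hypothetical handler covering both styles from the issue.
public sealed class ApiKeyHandler : AuthorizationHandler<ApiKeyRequirement, ApiRequest>
{
    private const string ExpectedKey = "GoodAPIKey"; // constructed secret for the demo only

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ApiKeyRequirement requirement, ApiRequest request)
    {
        if (request.PresentedKey == ExpectedKey)
        {
            context.Succeed(requirement);
        }
        else if (requirement.ExplicitFail)
        {
            // Explicit failure: pass a reason that names this handler so the
            // result handler can still identify the failing check.
            context.Fail(new AuthorizationFailureReason(this, "missing or invalid X-API-Key"));
        }
        // Implicit failure: say nothing and the requirement stays pending.

        return Task.CompletedTask;
    }
}

public static class ApiKeyFailure
{
    // The same check an IAuthorizationMiddlewareResultHandler can run on
    // policyAuthorizationResult.AuthorizationFailure before picking a status code.
    public static bool Matches(AuthorizationFailure failure) =>
        failure.FailedRequirements.Any(r => r is ApiKeyRequirement)      // implicit: requirement left pending
        || failure.FailureReasons.Any(r => r.Handler is ApiKeyHandler);  // explicit: Fail(reason) was called
}
```

Run as a console entry point (`dotnet run`) with the shared framework referenced; the loop prints one line per policy. The point of `ApiKeyFailure.Matches` is that a result handler which keys only on `FailedRequirements` cannot see an explicit failure, whereas matching on `FailureReasons[i].Handler` (or on the `Message` the handler supplied) works once the handler calls the `Fail(AuthorizationFailureReason)` overload rather than the parameterless `Fail()`.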