Skip to content

Add OnBeforeAuthHeaderCreation / OnAfterAuthHeaderCreation hooks to DownstreamApi#3942

Merged
gladjohn merged 1 commit into
masterfrom
nebharg/fix-customizerequest-header-ordering
Jul 14, 2026
Merged

Add OnBeforeAuthHeaderCreation / OnAfterAuthHeaderCreation hooks to DownstreamApi#3942
gladjohn merged 1 commit into
masterfrom
nebharg/fix-customizerequest-header-ordering

Conversation

@neha-bhargava

@neha-bhargava neha-bhargava commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Targets 4.13.2. Builds on the regression fix from #3943 (already merged).

What

Adds explicit request-customization hooks to DownstreamApi, consuming the new AuthorizationHeaderProviderOptions members from Microsoft.Identity.Abstractions 12.5.0 (AzureAD/microsoft-identity-abstractions-for-dotnet#262):

  • OnBeforeAuthHeaderCreation — runs before the header is created/signed. Use it to shape the request that a request-binding protocol signs (SignedHttpRequest q/h/b), so the signature covers the finalized request.
  • OnAfterAuthHeaderCreation — runs after the header is attached. The pre-existing CustomizeHttpRequestMessage is still invoked at the same point for backwards compatibility (both run; distinct hooks).

Both hooks are propagated through MicrosoftIdentityMessageHandler.

Also

BaseAuthorizationHeaderProvider and DefaultAuthorizationHeaderProvider declare IAuthorizationHeaderProvider2 only (it already extends IAuthorizationHeaderProvider), and the Base provider's delegate field is typed IAuthorizationHeaderProvider2 to avoid upcasting.

Tests

  • Flow test shapes the flowed request via OnBeforeAuthHeaderCreation (asserting it reaches the provider before signing).
  • Lifecycle test: OnBefore sees no header (runs before); OnAfter and CustomizeHttpRequestMessage both observe it.
  • with SHR / without SHR tests asserting the Authorization header is created and attached in both cases.
  • Full suite: 1036 passed / 4 skipped / 0 failed.

Depends on

AzureAD/microsoft-identity-abstractions-for-dotnet#262 (Abstractions 12.5.0) — the Abstractions package floor bump is pending its release.

@neha-bhargava neha-bhargava requested a review from a team as a code owner July 13, 2026 21:59
@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizerequest-header-ordering branch 2 times, most recently from 937c07e to 3150be1 Compare July 13, 2026 22:07
Comment thread src/Microsoft.Identity.Web.TokenAcquisition/BaseAuthorizationHeaderProvider.cs Outdated
@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizerequest-header-ordering branch from 3150be1 to fc2f715 Compare July 13, 2026 22:46
@neha-bhargava neha-bhargava changed the title Fix DownstreamApi CustomizeHttpRequestMessage null Authorization header Add OnBefore/OnAfterAuthHeaderCreation hooks; restore CustomizeHttpRequestMessage timing Jul 13, 2026
@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizerequest-header-ordering branch from fc2f715 to d39f979 Compare July 14, 2026 04:40
@neha-bhargava neha-bhargava changed the title Add OnBefore/OnAfterAuthHeaderCreation hooks; restore CustomizeHttpRequestMessage timing Add OnBeforeAuthHeaderCreation / OnAfterAuthHeaderCreation hooks to DownstreamApi Jul 14, 2026
@neha-bhargava neha-bhargava changed the base branch from master to nebharg/fix-customizehttprequestmessage-regression July 14, 2026 04:40
@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizerequest-header-ordering branch from d39f979 to 83999d9 Compare July 14, 2026 05:02
Comment thread src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.cs
bgavrilMS
bgavrilMS previously approved these changes Jul 14, 2026
Base automatically changed from nebharg/fix-customizehttprequestmessage-regression to master July 14, 2026 10:36
@bgavrilMS bgavrilMS dismissed their stale review July 14, 2026 10:36

The base branch was changed.

@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizerequest-header-ordering branch 3 times, most recently from 19da5e1 to 022f5fc Compare July 14, 2026 17:18
…ownstreamApi

Honor the new AuthorizationHeaderProviderOptions hooks from
Microsoft.Identity.Abstractions 12.5.0:

- OnBeforeAuthHeaderCreation runs before the authorization header is created and
  signed, so callers can shape the request that request-binding protocols
  (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized
  request.
- OnAfterAuthHeaderCreation runs after the header is attached. The pre-existing
  CustomizeHttpRequestMessage is still invoked at the same point for backwards
  compatibility.

Both hooks are propagated through MicrosoftIdentityMessageHandler.

Also declare IAuthorizationHeaderProvider2 only on the Base/Default header
providers (it already extends IAuthorizationHeaderProvider), and type the
Base provider's delegate field as IAuthorizationHeaderProvider2 to avoid
upcasting at the metadata delegation sites.

Stacked on the regression fix (#3943).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizerequest-header-ordering branch from 96929f4 to 0517cbb Compare July 14, 2026 22:35
@gladjohn gladjohn merged commit 169ba33 into master Jul 14, 2026
8 checks passed
@gladjohn gladjohn deleted the nebharg/fix-customizerequest-header-ordering branch July 14, 2026 23:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants