Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

.NET 7 UseAuthentication and UserAuthorization ordering not respected when within UseWhen

See original GitHub issue

Is there an existing issue for this?

I have searched the existing issues

Describe the bug

When configuring my WebApplication I make use of a UseWhen statement so that auth logic is only applied to endpoints with a specific base path.

This worked with ASP.NET Core 6.0 but with 7.0 there are two problems:

Auth is applied to all endpoints.
Auth middleware runs before all other middleware.

I believe this to be caused by the new 7.0 feature that automatically calls UseAuthentication and UseAuthorization when AddAuthentication / AddAuthorization are called. I see there is code in place to prevent this if it is detected that UseAuthentication / UseAuthentication have already been called, but this does not appear to take UseWhen into account.

Expected Behavior

Auth middleware is not inserted when already inserted within a UseWhen statement.

Steps To Reproduce

app.UseWhen(
    httpContext => httpContext.Request.Path.StartsWithSegments("/api"),
    subApp =>
    {
        subApp.UseAuthentication();
        subApp.UseAuthorization();
    });

Exceptions (if any)

No response

.NET Version

7.0.203

Anything else?

No response

Issue Analytics

State:
Created 5 months ago
Reactions:1
Comments:10 (8 by maintainers)

Top GitHub Comments

2reactions

Tratchercommented, May 9, 2023

Yes, we should see what we can do to improve this.

0reactions

msftbot[bot]commented, May 10, 2023

Thanks for contacting us.

We’re moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s). If we later determine, that the issue has no community involvement, or it’s very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.