You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add OnBeforeAuthHeaderCreation / OnAfterAuthHeaderCreation hooks to DownstreamApi
Honor the new AuthorizationHeaderProviderOptions hooks from
Microsoft.Identity.Abstractions 12.5.0:
- OnBeforeAuthHeaderCreation runs before the authorization header is created and
signed, so callers can shape the request that request-binding protocols
(SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized
request.
- OnAfterAuthHeaderCreation runs after the header is attached. The pre-existing
CustomizeHttpRequestMessage is still invoked at the same point for backwards
compatibility.
Both hooks are propagated through MicrosoftIdentityMessageHandler.
Also declare IAuthorizationHeaderProvider2 only on the Base/Default header
providers (it already extends IAuthorizationHeaderProvider), and type the
Base provider's delegate field as IAuthorizationHeaderProvider2 to avoid
upcasting at the metadata delegation sites.
Stacked on the regression fix (#3943).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copy file name to clipboardExpand all lines: changelog.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,6 +3,12 @@
3
3
### Bug fixes
4
4
-`DownstreamApi`: restored `CustomizeHttpRequestMessage` to its documented timing — it runs after the authorization header (including the `Authorization` header) is set, just before the request is sent. [#3902](https://github.com/AzureAD/microsoft-identity-web/pull/3902) had moved it before header creation (to flow the finalized request for request-binding), which regressed callers that read the header in the callback — they saw `null`. See [#3943](https://github.com/AzureAD/microsoft-identity-web/pull/3943).
5
5
6
+
### New features
7
+
-`DownstreamApi` now honors the new `AuthorizationHeaderProviderOptions.OnBeforeAuthHeaderCreation` and `OnAfterAuthHeaderCreation` hooks (`Microsoft.Identity.Abstractions` 12.5.0). `OnBeforeAuthHeaderCreation` runs before the header is created — use it to shape the request that request-binding protocols (SignedHttpRequest `q`/`h`/`b`) sign — and `OnAfterAuthHeaderCreation` runs after the header is set, to observe or adjust the finalized request. See [#3942](https://github.com/AzureAD/microsoft-identity-web/pull/3942).
8
+
9
+
### Fundamentals
10
+
-`BaseAuthorizationHeaderProvider` and `DefaultAuthorizationHeaderProvider` declare `IAuthorizationHeaderProvider2` only, since it already extends `IAuthorizationHeaderProvider`. See [#3942](https://github.com/AzureAD/microsoft-identity-web/pull/3942).
0 commit comments