Use correct metadata interface for RequiredScopeOrAppPermission extension

evan-buss · Evan Buss · commit 4e977d9d136a · 2025-05-02T16:07:34.000-04:00
diff --git a/src/Microsoft.Identity.Web/Policy/RequiredScopeOrAppPermissionExtensions.cs b/src/Microsoft.Identity.Web/Policy/RequiredScopeOrAppPermissionExtensions.cs
@@ -45,7 +45,7 @@ public static TBuilder RequireScopeOrAppPermission<TBuilder>(this TBuilder endpo
             return endpointConventionBuilder.WithMetadata(new RequiredScopeOrAppPermissionMetadata(scope, appPermission));
         }
 
-        private sealed class RequiredScopeOrAppPermissionMetadata : IAuthRequiredScopeMetadata
+        private sealed class RequiredScopeOrAppPermissionMetadata : IAuthRequiredScopeOrAppPermissionMetadata
         {
             public RequiredScopeOrAppPermissionMetadata(string[] scope, string[] appPermission)
             {
@@ -57,6 +57,7 @@ public RequiredScopeOrAppPermissionMetadata(string[] scope, string[] appPermissi
             public string[]? AcceptedAppPermission { get; }
 
             public string? RequiredScopesConfigurationKey { get; }
+            public string? RequiredAppPermissionsConfigurationKey { get; }
         }
     }
 }
diff --git a/tests/Microsoft.Identity.Web.Test/Resource/RequiredScopeOrAppPermissionExtensionsTests.cs b/tests/Microsoft.Identity.Web.Test/Resource/RequiredScopeOrAppPermissionExtensionsTests.cs
@@ -0,0 +1,86 @@
+﻿// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Routing.Patterns;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.IdentityModel.Tokens;
+
+using Xunit;
+
+namespace Microsoft.Identity.Web.Test.Resource
+{
+    public class RequiredScopeOrAppPermissionExtensionsTests
+    {
+
+        private const string PolicyName = "foo";
+        private const string AppPermission = "access_as_app";
+        private const string Scope = "user.read";
+
+
+        [Fact]
+        public async Task RequireScopeOrAppPermission_WithAppPermission_SucceedsAsync()
+        {
+            // Arrange
+            var authorizationService = BuildAuthorizationService(PolicyName, null, Scope);
+
+            var user = new ClaimsPrincipal(
+                new CaseSensitiveClaimsIdentity([new Claim(ClaimConstants.Role, AppPermission)]));
+
+            var testBuilder = new TestEndpointConventionBuilder()
+                .RequireScopeOrAppPermission([], [AppPermission]);
+
+            var convention = Assert.Single(testBuilder.Conventions);
+
+            var endpointModel = new RouteEndpointBuilder((context) => Task.CompletedTask, RoutePatternFactory.Parse("/"), 0);
+            convention(endpointModel);
+            var endpoint = endpointModel.Build();
+
+            // Act
+            var allowed = await authorizationService.AuthorizeAsync(user, endpoint, PolicyName);
+
+            // Assert
+            Assert.True(allowed.Succeeded);
+        }
+
+
+        private static IAuthorizationService BuildAuthorizationService(string policy, string? appPermission, string? scope)
+        {
+            IHostBuilder hostBuilder = Host.CreateDefaultBuilder()
+                .ConfigureServices(services =>
+                {
+                    services.AddAuthorization(options =>
+                    {
+                        options.AddPolicy(policy, policyBuilder =>
+                        {
+                            policyBuilder.RequireScopeOrAppPermission(scope?.Split(' ')!, appPermission?.Split(' ')!);
+                        });
+                    });
+                    services.AddLogging();
+                    services.AddOptions();
+                    services.AddRequiredScopeOrAppPermissionAuthorization();
+                });
+
+            var provider = hostBuilder.Build().Services;
+            return provider.GetRequiredService<IAuthorizationService>();
+        }
+
+        private class TestEndpointConventionBuilder : IEndpointConventionBuilder
+        {
+            public List<Action<EndpointBuilder>> Conventions { get; } = [];
+
+            public void Add(Action<EndpointBuilder> convention)
+            {
+                Conventions.Add(convention);
+            }
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ public static TBuilder RequireScopeOrAppPermission<TBuilder>(this TBuilder endpo`
`45`	`45`	`return endpointConventionBuilder.WithMetadata(new RequiredScopeOrAppPermissionMetadata(scope, appPermission));`
`46`	`46`	`}`
`47`	`47`
`48`		`- private sealed class RequiredScopeOrAppPermissionMetadata : IAuthRequiredScopeMetadata`
	`48`	`+ private sealed class RequiredScopeOrAppPermissionMetadata : IAuthRequiredScopeOrAppPermissionMetadata`
`49`	`49`	`{`
`50`	`50`	`public RequiredScopeOrAppPermissionMetadata(string[] scope, string[] appPermission)`
`51`	`51`	`{`
`@@ -57,6 +57,7 @@ public RequiredScopeOrAppPermissionMetadata(string[] scope, string[] appPermissi`
`57`	`57`	`public string[]? AcceptedAppPermission { get; }`
`58`	`58`
`59`	`59`	`public string? RequiredScopesConfigurationKey { get; }`
	`60`	`+ public string? RequiredAppPermissionsConfigurationKey { get; }`
`60`	`61`	`}`
`61`	`62`	`}`
`62`	`63`	`}`