Skip to content

Restore CustomizeHttpRequestMessage to run after the authorization header#3943

Open
neha-bhargava wants to merge 1 commit into
masterfrom
nebharg/fix-customizehttprequestmessage-regression
Open

Restore CustomizeHttpRequestMessage to run after the authorization header#3943
neha-bhargava wants to merge 1 commit into
masterfrom
nebharg/fix-customizehttprequestmessage-regression

Conversation

@neha-bhargava

Copy link
Copy Markdown
Contributor

Problem

CustomizeHttpRequestMessage is documented to run after the message is formed — "including the Authorization header, and just before the message is sent." #3902 moved it before authorization-header creation (to flow the finalized request for request-binding), which violated that contract and regressed callers that read the header in the callback — they saw a null Authorization header.

Fix

Move only the CustomizeHttpRequestMessage invocation back to after the header is set. The request-flow plumbing that #3902/request-binding relies on (options material applied before header creation + SetHttpRequestMessage) is left untouched, so this is a minimal, targeted regression fix.

Test

Adds UpdateRequestAsync_CustomizeHttpRequestMessage_SeesAuthorizationHeaderAsync, asserting the callback observes the Authorization header. Also updated the existing flow test, which had asserted the callback flowed to the provider (no longer true now that it runs after).

Notes

@neha-bhargava neha-bhargava requested a review from a team as a code owner July 14, 2026 04:35
…ader

CustomizeHttpRequestMessage is documented to run after the message is formed,
including the Authorization header, and just before it is sent. #3902 moved it
before authorization-header creation (to flow the finalized request for
request-binding), which regressed callers that read the header in the callback -
they saw a null Authorization header.

This moves only the CustomizeHttpRequestMessage invocation back to after the
header is set, leaving the request-flow plumbing (options material +
SetHttpRequestMessage) untouched. Adds a regression test asserting the callback
observes the Authorization header.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@neha-bhargava neha-bhargava force-pushed the nebharg/fix-customizehttprequestmessage-regression branch from 5de5090 to 9f8e174 Compare July 14, 2026 04:35
neha-bhargava added a commit that referenced this pull request Jul 14, 2026
…ownstreamApi

Honor the new AuthorizationHeaderProviderOptions hooks from
Microsoft.Identity.Abstractions 12.5.0:

- OnBeforeAuthHeaderCreation runs before the authorization header is created and
  signed, so callers can shape the request that request-binding protocols
  (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized
  request.
- OnAfterAuthHeaderCreation runs after the header is attached, alongside
  CustomizeHttpRequestMessage.

Also declare IAuthorizationHeaderProvider2 only on the Base/Default header
providers (it already extends IAuthorizationHeaderProvider).

Stacked on the regression fix (#3943).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neha-bhargava added a commit that referenced this pull request Jul 14, 2026
…ownstreamApi

Honor the new AuthorizationHeaderProviderOptions hooks from
Microsoft.Identity.Abstractions 12.5.0:

- OnBeforeAuthHeaderCreation runs before the authorization header is created and
  signed, so callers can shape the request that request-binding protocols
  (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized
  request. Also propagated through MicrosoftIdentityMessageHandler.
- OnAfterAuthHeaderCreation runs after the header is attached. It is a symmetric
  alias of the pre-existing CustomizeHttpRequestMessage (same delegate), so the
  "after" callback is invoked exactly once.

Also declare IAuthorizationHeaderProvider2 only on the Base/Default header
providers (it already extends IAuthorizationHeaderProvider).

Stacked on the regression fix (#3943).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants