Restore CustomizeHttpRequestMessage to run after the authorization header#3943
Open
neha-bhargava wants to merge 1 commit into
Open
Restore CustomizeHttpRequestMessage to run after the authorization header#3943neha-bhargava wants to merge 1 commit into
neha-bhargava wants to merge 1 commit into
Conversation
…ader CustomizeHttpRequestMessage is documented to run after the message is formed, including the Authorization header, and just before it is sent. #3902 moved it before authorization-header creation (to flow the finalized request for request-binding), which regressed callers that read the header in the callback - they saw a null Authorization header. This moves only the CustomizeHttpRequestMessage invocation back to after the header is set, leaving the request-flow plumbing (options material + SetHttpRequestMessage) untouched. Adds a regression test asserting the callback observes the Authorization header. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
5de5090 to
9f8e174
Compare
neha-bhargava
added a commit
that referenced
this pull request
Jul 14, 2026
…ownstreamApi Honor the new AuthorizationHeaderProviderOptions hooks from Microsoft.Identity.Abstractions 12.5.0: - OnBeforeAuthHeaderCreation runs before the authorization header is created and signed, so callers can shape the request that request-binding protocols (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized request. - OnAfterAuthHeaderCreation runs after the header is attached, alongside CustomizeHttpRequestMessage. Also declare IAuthorizationHeaderProvider2 only on the Base/Default header providers (it already extends IAuthorizationHeaderProvider). Stacked on the regression fix (#3943). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neha-bhargava
added a commit
that referenced
this pull request
Jul 14, 2026
…ownstreamApi Honor the new AuthorizationHeaderProviderOptions hooks from Microsoft.Identity.Abstractions 12.5.0: - OnBeforeAuthHeaderCreation runs before the authorization header is created and signed, so callers can shape the request that request-binding protocols (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized request. Also propagated through MicrosoftIdentityMessageHandler. - OnAfterAuthHeaderCreation runs after the header is attached. It is a symmetric alias of the pre-existing CustomizeHttpRequestMessage (same delegate), so the "after" callback is invoked exactly once. Also declare IAuthorizationHeaderProvider2 only on the Base/Default header providers (it already extends IAuthorizationHeaderProvider). Stacked on the regression fix (#3943). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
pmaytak
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
CustomizeHttpRequestMessageis documented to run after the message is formed — "including the Authorization header, and just before the message is sent." #3902 moved it before authorization-header creation (to flow the finalized request for request-binding), which violated that contract and regressed callers that read the header in the callback — they saw anullAuthorizationheader.Fix
Move only the
CustomizeHttpRequestMessageinvocation back to after the header is set. The request-flow plumbing that #3902/request-binding relies on (options material applied before header creation +SetHttpRequestMessage) is left untouched, so this is a minimal, targeted regression fix.Test
Adds
UpdateRequestAsync_CustomizeHttpRequestMessage_SeesAuthorizationHeaderAsync, asserting the callback observes theAuthorizationheader. Also updated the existing flow test, which had asserted the callback flowed to the provider (no longer true now that it runs after).Notes
OnBeforeAuthHeaderCreation/OnAfterAuthHeaderCreationhooks (Abstractions Add OnBeforeAuthHeaderCreation / OnAfterAuthHeaderCreation hooks microsoft-identity-abstractions-for-dotnet#262) so request-binding callers can shape the signed request without overloadingCustomizeHttpRequestMessage.