Flow finalized DownstreamApi request before authorization header creation#3902
Merged
Conversation
4gust
approved these changes
Jul 1, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS
force-pushed
the
bgavril/mise-shr-request-ordering
branch
from
July 1, 2026 11:07
c4dca5e to
45ff3be
Compare
gladjohn
reviewed
Jul 1, 2026
gladjohn
approved these changes
Jul 1, 2026
Verifies that reserved header names supplied via ExtraHeaderParameters remain skipped both on the request flowed to the authorization header provider and on the final outgoing request, ensuring the request-ordering change did not alter the reserved/duplicate-skip semantics. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
gladjohn
approved these changes
Jul 1, 2026
This was referenced Jul 3, 2026
Closed
This was referenced Jul 13, 2026
Closed
neha-bhargava
added a commit
that referenced
this pull request
Jul 13, 2026
…questMessage timing DownstreamApi now honors the new AuthorizationHeaderProviderOptions hooks from Microsoft.Identity.Abstractions 12.5.0: - OnBeforeAuthHeaderCreation runs before the authorization header is created and signed, so callers can shape the request that request-binding protocols (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized request. This replaces the pre-signing role #3902 had overloaded onto CustomizeHttpRequestMessage. - OnAfterAuthHeaderCreation runs after the header is attached. CustomizeHttpRequestMessage is restored to its documented timing (after the Authorization header is set, just before send). #3902 had moved it before header creation, regressing callers - e.g. reading the header in the callback saw null. Also declare IAuthorizationHeaderProvider2 only on Base/Default header providers (it already extends IAuthorizationHeaderProvider). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neha-bhargava
added a commit
that referenced
this pull request
Jul 14, 2026
…ader CustomizeHttpRequestMessage is documented to run after the message is formed, including the Authorization header, and just before it is sent. #3902 moved it before authorization-header creation (to flow the finalized request for request-binding), which regressed callers that read the header in the callback - they saw a null Authorization header. This moves only the CustomizeHttpRequestMessage invocation back to after the header is set, leaving the request-flow plumbing (options material + SetHttpRequestMessage) untouched. Adds a regression test asserting the callback observes the Authorization header. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS
pushed a commit
that referenced
this pull request
Jul 14, 2026
…ader (#3943) CustomizeHttpRequestMessage is documented to run after the message is formed, including the Authorization header, and just before it is sent. #3902 moved it before authorization-header creation (to flow the finalized request for request-binding), which regressed callers that read the header in the callback - they saw a null Authorization header. This moves only the CustomizeHttpRequestMessage invocation back to after the header is set, leaving the request-flow plumbing (options material + SetHttpRequestMessage) untouched. Adds a regression test asserting the callback observes the Authorization header. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Jul 14, 2026
Closed
Closed
Closed
Closed
Open
Open
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Context
This supports MISE outbound SHR q/h/b signing by ensuring request-binding authorization providers receive the same HTTP request state that will be sent on the wire.