Skip to content

Flow finalized DownstreamApi request before authorization header creation#3902

Merged
4gust merged 3 commits into
masterfrom
bgavril/mise-shr-request-ordering
Jul 1, 2026
Merged

Flow finalized DownstreamApi request before authorization header creation#3902
4gust merged 3 commits into
masterfrom
bgavril/mise-shr-request-ordering

Conversation

@bgavrilMS

Copy link
Copy Markdown
Member

Summary

  • finalize DownstreamApi request headers, query parameters, content, and customizations before creating the authorization header
  • keep Authorization added after signing so request-binding providers do not include it in their signed material
  • add coverage that the authorization provider sees the final request state

Context

This supports MISE outbound SHR q/h/b signing by ensuring request-binding authorization providers receive the same HTTP request state that will be sent on the wire.

@bgavrilMS
bgavrilMS requested a review from a team as a code owner June 30, 2026 10:25
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@bgavrilMS
bgavrilMS force-pushed the bgavril/mise-shr-request-ordering branch from c4dca5e to 45ff3be Compare July 1, 2026 11:07
Verifies that reserved header names supplied via ExtraHeaderParameters remain
skipped both on the request flowed to the authorization header provider and
on the final outgoing request, ensuring the request-ordering change did not
alter the reserved/duplicate-skip semantics.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@4gust
4gust merged commit b192389 into master Jul 1, 2026
4 checks passed
@4gust
4gust deleted the bgavril/mise-shr-request-ordering branch July 1, 2026 13:19
This was referenced Jul 3, 2026
neha-bhargava added a commit that referenced this pull request Jul 13, 2026
…questMessage timing

DownstreamApi now honors the new AuthorizationHeaderProviderOptions hooks from
Microsoft.Identity.Abstractions 12.5.0:

- OnBeforeAuthHeaderCreation runs before the authorization header is created and
  signed, so callers can shape the request that request-binding protocols
  (SignedHttpRequest q/h/b) sign, ensuring the signature covers the finalized
  request. This replaces the pre-signing role #3902 had overloaded onto
  CustomizeHttpRequestMessage.
- OnAfterAuthHeaderCreation runs after the header is attached.

CustomizeHttpRequestMessage is restored to its documented timing (after the
Authorization header is set, just before send). #3902 had moved it before header
creation, regressing callers - e.g. reading the header in the callback saw null.

Also declare IAuthorizationHeaderProvider2 only on Base/Default header providers
(it already extends IAuthorizationHeaderProvider).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neha-bhargava added a commit that referenced this pull request Jul 14, 2026
…ader

CustomizeHttpRequestMessage is documented to run after the message is formed,
including the Authorization header, and just before it is sent. #3902 moved it
before authorization-header creation (to flow the finalized request for
request-binding), which regressed callers that read the header in the callback -
they saw a null Authorization header.

This moves only the CustomizeHttpRequestMessage invocation back to after the
header is set, leaving the request-flow plumbing (options material +
SetHttpRequestMessage) untouched. Adds a regression test asserting the callback
observes the Authorization header.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS pushed a commit that referenced this pull request Jul 14, 2026
…ader (#3943)

CustomizeHttpRequestMessage is documented to run after the message is formed,
including the Authorization header, and just before it is sent. #3902 moved it
before authorization-header creation (to flow the finalized request for
request-binding), which regressed callers that read the header in the callback -
they saw a null Authorization header.

This moves only the CustomizeHttpRequestMessage invocation back to after the
header is set, leaving the request-flow plumbing (options material +
SetHttpRequestMessage) untouched. Adds a regression test asserting the callback
observes the Authorization header.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants