Edit

ASP0025: Use AddAuthorizationBuilder to register authorization services and construct policies.

  • Article
Value
Rule ID ASP0025
Category Usage
Fix is breaking or non-breaking Non-breaking

Cause

The use of AddAuthorization can be converted to the new AddAuthorizationBuilder.

Rule description

Use AddAuthorizationBuilder to register authorization services and construct policies.

How to fix violations

To fix a violation of this rule, replace the usage of AddAuthorization with AddAuthorizationBuilder.

The code fix converts any usage of the setters for the following properties of AuthorizationOptions:

These setter usages are converted to equivalent method calls on AuthorizationBuilder:

No diagnostic is reported when the configure action passed to AddAuthorization uses any of the following members of AuthorizationOptions:

AuthorizationBuilder doesn't have equivalents for these members of AuthorizationOptions, so they can't be converted.

No diagnostic is reported if the configure action passed to AddAuthorization contains operations unrelated to AuthorizationOptions. The code fix would not be able to automatically map unrelated operations to the fluent API of AddAuthorizationBuilder.

The following example shows code that triggers this diagnostic:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AtLeast21", policy =>
        policy.Requirements.Add(new MinimumAgeRequirement(21)));
});

var app = builder.Build();

app.UseAuthorization();

app.Run();

The following example shows the result of applying the code fix:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorizationBuilder()
  .AddPolicy("AtLeast21", policy =>
  {
        policy.Requirements.Add(new MinimumAgeRequirement(21)));
  });

var app = builder.Build();

app.UseAuthorization();

app.Run();

When to suppress warnings

The severity level of this diagnostic is Information. Suppress warnings if you don't want to use the new syntax.