Authorization: Resource in endpoint routing is HttpContext
When using endpoint routing in ASP.NET Core 3.1, the resource used for authorization is the endpoint. This approach was insufficient for gaining access to the route data (RouteData). Previously in MVC, an HttpContext resource was passed in, which allows access to both the endpoint (Endpoint) and the route data. This change ensures that the resource passed to authorization is always the HttpContext.
Version introduced
ASP.NET Core 5.0
Old behavior
When using endpoint routing and the authorization middleware (AuthorizationMiddleware) or [Authorize] attributes, the resource passed to authorization is the matching endpoint.
New behavior
Endpoint routing passes the HttpContext to authorization.
Reason for change
You can get to the endpoint from the HttpContext. However, there was no way to get from the endpoint to things like the route data. There was a loss in functionality from non-endpoint routing.
Recommended action
If your app uses the endpoint resource, call GetEndpoint on the HttpContext to continue accessing the endpoint.
You can revert to the old behavior with SetSwitch. For example:
AppContext.SetSwitch(
"Microsoft.AspNetCore.Authorization.SuppressUseHttpContextAsAuthorizationResource",
isEnabled: true);
Affected APIs
None
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for