C#•3y ago

✅ Put `[Authorize("myPolicy")]` behind feature flag

Greetings,

I'm currently working on authentication and authorization for an API that is already deployed to a couple of customers. The whole auth process sits behind a feature flag using the MS

IFeatureManager

IFeatureManager

IFeatureManager

IFeatureManager, so that the API can be deployed completely without auth and once more downtime is possible from customers side auth shall be activated by enabling this feature.

I have pretty much all covered by the feature flag, but I don't know how I can conditionally apply the

[Authorize("myPolicy")]

[Authorize("myPolicy")]

[Authorize("myPolicy")]

[Authorize("myPolicy")] on my api endpoints.
If the feature is disabled I don't even register any auth related services or middlewares.

Pobiega•10/24/23, 9:24 AM

you can't conditionally apply an attribute, as they are compile time metadata

Pobiega•10/24/23, 9:25 AM

but if as you say the feature is disabled there are no auth middlewares, doesnt it still work?

Dr_Cox1911OP•10/24/23, 10:20 AM

Unfortunately it doesn't work, as I don't even register any services and middleware if the feature is disabled. I get an exception that the auth metadata is defined but no app.UseAuthorization()app.UseAuthorization() call is made.

Pobiega•10/24/23, 10:20 AM

Ah, thats unfortunate.

Pobiega•10/24/23, 10:21 AM

The recommended approach seems to be to make your policies conditional

Pobiega•10/24/23, 10:22 AM

ie,

.AddAuthorization(x =>
{
    // _env is of type IHostingEnvironment, which you can inject in
    // the ctor of Startup
    if (_env.IsDevelopment())
    {
        x.DefaultPolicy = new AuthorizationPolicyBuilder().Build();
    }
});

.AddAuthorization(x =>
{
    // _env is of type IHostingEnvironment, which you can inject in
    // the ctor of Startup
    if (_env.IsDevelopment())
    {
        x.DefaultPolicy = new AuthorizationPolicyBuilder().Build();
    }
});

Pobiega•10/24/23, 10:22 AM

replace that if with your feature toggle check

Pobiega•10/24/23, 10:23 AM

replacing all your policies with "blank" policies

Dr_Cox1911OP•10/24/23, 11:42 AM

That doesn't work either unfortunately, I get AuthorizationPolicy must have at least one requirement.AuthorizationPolicy must have at least one requirement.

Pobiega•10/24/23, 11:43 AM

x.DefaultPolicy = new AuthorizationPolicyBuilder()
                .RequireAssertion(_ => true)
                .Build();

x.DefaultPolicy = new AuthorizationPolicyBuilder()
                .RequireAssertion(_ => true)
                .Build();

Pobiega•10/24/23, 11:43 AM

there you go

Dr_Cox1911OP•10/24/23, 12:01 PM

Thanks! It works! I had to get a custom IAuthorizationPolicyProviderIAuthorizationPolicyProvider alongside your solution to support AuthorizeAuthorize attributes with policies that I don't have defined when the feature is disabled. Works like a charm now

Pobiega•10/24/23, 12:04 PM

✅ Put `[Authorize("myPolicy")]` behind feature flag

Similar Threads

Similar Threads

Similar Threads