Description
#41153 and #44342 added support for `AuthorizationPolicy` and `IAuthorizationRequirementData` as endpoint metadata, but only if the policy is evaluated by `AuthorizationMiddleware`, despite the `// IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter` comment at the top of the method.
It's not just MVC and Razor Pages that are inconsistent here, though. SignalR (`DefaultHubDispatcher.IsHubMethodAuthorized`) and Blazor (`AuthorizeViewCore.IsAuthorizedAsync`) also make authorization decisions similar to the `AuthorizationMiddleware`, but completely ignore any `AuthorizationPolicy` or `IAuthorizationRequirementData` instances specified as metadata.
Given the complexity this adds to making authorization decisions, I wonder if we should add a higher-level authz API that takes all the metadata associated with the endpoint and returns an effective policy. This would also be helpful outside of the aspnetcore repo. https://github.com/modelcontextprotocol/csharp-sdk could leverage this, for example.
```diff
// Microsoft.AspNetCore.Authorization.dll
namespace Microsoft.AspNetCore.Authorization;

public class AuthorizationPolicy
{
    // Existing overload: combines [Authorize]-style data and explicit policies.
    public static Task<AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider,
        IEnumerable<IAuthorizeData> authorizeData,
        IEnumerable<AuthorizationPolicy> policies);

    // Proposed overload: takes the raw endpoint metadata (IAuthorizeData,
    // AuthorizationPolicy and IAuthorizationRequirementData alike) and returns
    // the effective policy the middleware would evaluate.
+   public static Task<AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider,
+       IEnumerable<object> endpointMetadata);
}
```
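To make the proposal concrete, here is an added sketch (not code from the aspnetcore repo, and the `EffectivePolicy` helper and its method names are hypothetical) of what the proposed overload would have to do: fold the three metadata kinds the middleware already honours into one policy, so SignalR- or Blazor-style dispatchers can evaluate the same effective policy instead of only reading `[Authorize]`.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;

// Hypothetical helper illustrating the proposed CombineAsync(provider, endpointMetadata).
public static class EffectivePolicy
{
    // Mirrors the order AuthorizationMiddleware uses: IAuthorizeData (e.g. [Authorize])
    // and AuthorizationPolicy instances go through the provider-aware CombineAsync
    // (which also supplies the default/fallback policy), then requirements contributed
    // by IAuthorizationRequirementData metadata are appended.
    public static async Task<AuthorizationPolicy?> FromMetadataAsync(
        IAuthorizationPolicyProvider policyProvider, IEnumerable<object> endpointMetadata)
    {
        var metadata = endpointMetadata.ToList();
        var authorizeData = metadata.OfType<IAuthorizeData>();
        var policies = metadata.OfType<AuthorizationPolicy>();
        var policy = await AuthorizationPolicy.CombineAsync(policyProvider, authorizeData, policies);

        var requirements = metadata.OfType<IAuthorizationRequirementData>()
            .SelectMany(data => data.GetRequirements())
            .ToArray();
        if (requirements.Length == 0)
        {
            return policy; // null here means "no authorization metadata and no fallback policy"
        }

        var builder = new AuthorizationPolicyBuilder();
        if (policy is not null)
        {
            builder.Combine(policy); // keeps the schemes and requirements already resolved
        }
        builder.AddRequirements(requirements);
        return builder.Build();
    }

    // How a dispatcher (hub, component, filter) would consume it: one decision path
    // that honours every metadata kind instead of silently ignoring some of them.
    public static async Task<bool> IsAuthorizedAsync(IAuthorizationService authorizationService,
        IAuthorizationPolicyProvider policyProvider, Endpoint endpoint, ClaimsPrincipal user)
    {
        if (endpoint.Metadata.GetMetadata<IAllowAnonymous>() is not null)
        {
            return true; // [AllowAnonymous] short-circuits, as in the middleware
        }
        var policy = await FromMetadataAsync(policyProvider, endpoint.Metadata);
        if (policy is null)
        {
            return true; // nothing to enforce on this endpoint
        }
        var result = await authorizationService.AuthorizeAsync(user, endpoint, policy);
        return result.Succeeded;
    }
}
```

The point of the sketch is that a requirement attached via `IAuthorizationRequirementData` or a bare `AuthorizationPolicy` in the metadata is enforced here exactly as the middleware would, which is what the MVC, SignalR and Blazor paths currently miss.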