Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: #154 AddProtectedWebApiCallProtectedWebApi overwrites handler #155

Merged
merged 2 commits into from
May 11, 2020
Merged

fix: #154 AddProtectedWebApiCallProtectedWebApi overwrites handler #155

merged 2 commits into from
May 11, 2020

Conversation

jg11jg
Copy link
Contributor

@jg11jg jg11jg commented May 11, 2020
edited
Loading

Code now preserves existing event handler when registering OnTokenValidated event handler in AddProtectedWebApiCallsProtectedWebApi. Previous code was overwriting existing event handler meaning that logging via JwtBearerMiddlewareDiagnostics would no longer work and perhaps more seriously the OnTokenValidated event handler registered in AddProtectedWebApi (intended to "ensure that the Web API only accepts tokens from tenants where it has been consented and provisioned.")

#154

@jg11jg
fix: AddPr..WebApiCallPr..WebApi overwrites existing OnTokenValidated…
935deae 
… event handler AzureAD#154

Preserving existing event hander when registering OnTokenValidated event handler in AddProtectedWebApiCallsProtectedWebApi.  Previous code was overwriting existing event handler meaning that logging via JwtBearerMiddlewareDiagnostics would no longer work and perhaps more seriously the OnTokenValidated event handler registered in AddProtectedWebApi (intended to "This check is required to ensure that the Web API only accepts tokens from tenants where it has been consented and provisioned.")

AzureAD#154
@jmprieur
Copy link
Collaborator

Thanks @jg11jg. Good catch!
I think that the previous event should be called before storing the token

jmprieur
jmprieur reviewed May 11, 2020
View reviewed changes
Copy link
Collaborator

@jmprieur jmprieur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for raising @jg11jg
I would propose to move the call to the previous handler before storing the token

src/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs Outdated Show resolved Hide resolved
@jmprieur jmprieur requested review from jennyf19 and pmaytak May 11, 2020 07:25
pmaytak
pmaytak reviewed May 11, 2020
View reviewed changes
Copy link
Contributor

@pmaytak pmaytak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jg11jg Thanks for catching this.

src/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs
Comment on lines 125 to 129
options.Events ??= new JwtBearerEvents();

var onTokenValidatedHandler = options.Events.OnTokenValidated;

options.Events.OnTokenValidated = async context =>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jmprieur Related to your suggestion we can just += our handler to the existing ones, right?

Suggested change
options.Events ??= new JwtBearerEvents();
var onTokenValidatedHandler = options.Events.OnTokenValidated;
options.Events.OnTokenValidated = async context =>
options.Events ??= new JwtBearerEvents();
options.Events.OnTokenValidated += async context =>

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

possibly but the convention within the rest of the library is to do it as I originally did it (in fact I have used exactly the same variable names to be consistent with the "house style". e.g:

microsoft-identity-web/src/Microsoft.Identity.Web/WebAppServiceCollectionExtensions.cs

Line 175 in d8608bb

var onTokenValidatedHandler = options.Events.OnTokenValidated;
)

Possibly the += syntax requires null checks or similar? Also in the *MiddlewareDiagnostics classes += is not used. So I (personally) would stick with "house style" (or change it everywhere if += truly better).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @jg11jg, we should keep things consistent. I would leave as-is and we can update things later if we want.

@jennyf19 @jmprieur
Update src/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs
0fd3bb2 
Co-authored-by: Jean-Marc Prieur <jmprieur@microsoft.com>
@jennyf19
Copy link
Collaborator

Thanks @jg11jg will merge this in. @jmprieur @pmaytak we can look into adding a unit test for this.

@jennyf19 jennyf19 merged commit f7bc0f4 into AzureAD:master May 11, 2020
@jennyf19 jennyf19 added this to the 0.1.3-preview milestone May 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmaytak pmaytak pmaytak left review comments

@jennyf19 jennyf19 jennyf19 approved these changes

@jmprieur jmprieur jmprieur left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.1.3-preview
Development

Successfully merging this pull request may close these issues.
4 participants
@jg11jg @jmprieur @jennyf19 @pmaytak