Authorization: Resource in endpoint routing is HttpContext

When using endpoint routing in ASP.NET Core 3.1, the resource used for authorization is the endpoint. This approach was insufficient for gaining access to the route data (RouteData). Previously in MVC, an HttpContext resource was passed in, which allows access to both the endpoint (Endpoint) and the route data. This change ensures that the resource passed to authorization is always the HttpContext.

Version introduced

5.0 Preview 7

Old behavior

When using endpoint routing and the authorization middleware (AuthorizationMiddleware) or [Authorize] attributes, the resource passed to authorization is the matching endpoint.

New behavior

Endpoint routing passes the HttpContext to authorization.

Reason for change

You can get to the endpoint from the HttpContext. However, there was no way to get from the endpoint to things like the route data. There was a loss in functionality from non-endpoint routing.

If your app uses the endpoint resource, call GetEndpoint on the HttpContext to continue accessing the endpoint.

In ASP.NET Core 5.0 Preview 8 and later, you can revert to the old behavior with SetSwitch. For example:

AppContext.SetSwitch(
    "Microsoft.AspNetCore.Authorization.SuppressUseHttpContextAsAuthorizationResource",
    isEnabled: true);

Affected APIs

None