
Minimal API RequiredScopeOrAppPermission Extension Method Doesn't Work #3323

@evan-buss


Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

3.8.2

Web app

Not Applicable

Web API

Protected web APIs (validating scopes/roles)

Token cache serialization

Not Applicable

Description

Using the extension method .RequireScopeOrAppPermission() on a minimal API endpoint doesn't seem to work. The documentation states this extension method is the imperative version of the [RequiredScopeOrAppPermission] attribute.

Internally, it applies RequiredScopeOrAppPermissionMetadata to the endpoint. I see that the RequiredScopeOrAppPermissionMetadata implements IAuthRequiredScopeMetadata whereas the attribute implements IAuthRequiredScopeOrAppPermissionMetadata.

The ScopeOrAppPermissionAuthorizationHandler looks for the IAuthRequiredScopeOrAppPermissionMetadata which is never found when using the extension method since it implements the wrong interface.

My temporary workaround is to create my own extension method that instantiates the attribute since it uses the correct interface.

// Workaround: attach the attribute itself as endpoint metadata, because the attribute
// implements IAuthRequiredScopeOrAppPermissionMetadata, the interface the handler checks.
public static IEndpointConventionBuilder RequirePermissions(
    this IEndpointConventionBuilder builder,
    string[] acceptedScopes,
    string[] acceptedRoles
)
{
    return builder.WithMetadata(new RequiredScopeOrAppPermissionAttribute(acceptedScopes, acceptedRoles));
}

Reproduction steps

  1. Create a project that uses Microsoft.Identity.Web and set up an Entra App Registration with app permissions (roles).
  2. Add a protected endpoint using .RequireScopeOrAppPermission().
  3. Generate an access token.
  4. Attempt to access the protected endpoint with your valid access token.

Error message

No response

Id Web logs

No response

Relevant code snippets

app.MapGet("/test", () => "It, works!")
  .RequireAuthorization()
  .RequireScopeOrAppPermission(["User.Test"], ["App.Test"]);

Regression

No response

Expected behavior

Using the RequireScopeOrAppPermission extension method should apply the correct metadata to the endpoint so that the scopes and roles are validated via ScopeOrAppPermissionAuthorizationHandler.
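Because a mismatch like this fails silently (the request is authorized as long as the token is valid, with no scope or role check), a startup self-check that detects it is useful. The following is an added example, not code from the issue or from Microsoft.Identity.Web; it assumes RequiredScopeOrAppPermissionMetadata is public and that both it and IAuthRequiredScopeOrAppPermissionMetadata live in the namespaces imported below.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;          // assumed: RequiredScopeOrAppPermissionMetadata
using Microsoft.Identity.Web.Resource; // assumed: IAuthRequiredScopeOrAppPermissionMetadata

// Added example (hypothetical helper, not part of Microsoft.Identity.Web):
// walk every mapped endpoint and report those that were marked with
// RequireScopeOrAppPermission() but carry no metadata that
// ScopeOrAppPermissionAuthorizationHandler would actually evaluate.
public static class ScopeMetadataAudit
{
    public static IReadOnlyList<string> FindUnenforcedEndpoints(EndpointDataSource source)
    {
        var unenforced = new List<string>();
        foreach (var endpoint in source.Endpoints)
        {
            // What the extension method attaches (implements IAuthRequiredScopeMetadata only).
            bool declaredViaExtension =
                endpoint.Metadata.GetMetadata<RequiredScopeOrAppPermissionMetadata>() != null;

            // What the handler looks up; the attribute implements this, the metadata class does not.
            bool enforced =
                endpoint.Metadata.GetMetadata<IAuthRequiredScopeOrAppPermissionMetadata>() != null;

            if (declaredViaExtension && !enforced)
                unenforced.Add(endpoint.DisplayName ?? "(unnamed endpoint)");
        }
        return unenforced;
    }

    // Fail fast at startup rather than shipping an endpoint whose scope/role
    // requirement is declared but never checked.
    public static void ThrowIfUnenforced(WebApplication app)
    {
        var source = app.Services.GetRequiredService<EndpointDataSource>();
        var unenforced = FindUnenforcedEndpoints(source);
        if (unenforced.Count > 0)
            throw new InvalidOperationException(
                "Endpoints declare scope/app-permission requirements the handler will not enforce: "
                + string.Join(", ", unenforced));
    }
}
```

Call ScopeMetadataAudit.ThrowIfUnenforced(app) after the endpoints are mapped and before app.Run(); once the library fix lands, the check simply finds nothing and can be removed.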
