Forward the current access token for authenticated client requests #25740

Merged. EngincanV merged 2 commits into rel-10.5 from maliming/forward-token-for-authenticated-client on Jul 3, 2026
@maliming maliming commented Jul 3, 2026

Member

HttpContextAbpAccessTokenProvider now forwards the incoming access token whenever the request is authenticated (user or client), instead of only when there is a user, so client_credentials requests no longer fall back to IdentityClients.

Copilot AI review requested due to automatic review settings July 3, 2026 02:12
@maliming maliming added this to the 10.5-final milestone Jul 3, 2026

Copilot AI left a comment

Contributor

Pull request overview

This PR updates HttpContextAbpAccessTokenProvider to forward the incoming access token for any authenticated request (including client_credentials flows), instead of only forwarding when an ABP “current user” is authenticated—preventing authenticated client requests from falling back to IdentityClients.

Changes:

  • Switch access-token forwarding eligibility check from ICurrentUser.IsAuthenticated to HttpContext.User.Identity.IsAuthenticated.
  • Add integration tests covering authenticated user, authenticated client (no user), and anonymous request scenarios.
  • Introduce a small test authentication handler that exposes an access_token via HttpContext.GetTokenAsync.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| framework/src/Volo.Abp.Http.Client.IdentityModel.Web/Volo/Abp/Http/Client/IdentityModel/Web/HttpContextAbpAccessTokenProvider.cs | Forward token based on HttpContext.User authentication state rather than ICurrentUser. |
| framework/test/Volo.Abp.Http.Client.IdentityModel.Web.Tests/Volo/Abp/Http/Client/IdentityModel/Web/HttpContextAbpAccessTokenProvider_Tests.cs | Adds coverage for user-authenticated, client-authenticated, and anonymous forwarding behavior. |
| framework/test/Volo.Abp.Http.Client.IdentityModel.Web.Tests/Volo/Abp/Http/Client/IdentityModel/Web/TestTokenAuthHandler.cs | Adds a test auth handler to supply an access_token via authentication properties. |

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
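
The eligibility change discussed in this pull request, shown as an added C# example that is not code from the PR or from ABP. It compares the two checks over a user, a client_credentials caller and an anonymous request; `HasUserId` is an assumed stand-in for `ICurrentUser.IsAuthenticated`, and every type name, claim value and token string is constructed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added illustration, NOT the ABP source. TokenForwardingDemo, HasUserId and
// SelectToken are hypothetical names; the "sub parses as a GUID" user check is
// an assumed model of ICurrentUser.IsAuthenticated.
public static class TokenForwardingDemo
{
    // Assumed model of the old rule: a usable user id claim must be present.
    static bool HasUserId(ClaimsPrincipal p) =>
        Guid.TryParse(p.FindFirst("sub")?.Value, out _);

    // Rule named in the PR: the request identity itself is authenticated.
    static bool IsAuthenticated(ClaimsPrincipal p) =>
        p.Identity?.IsAuthenticated == true;

    // Forward the caller's token when eligible and present; otherwise the
    // outbound call uses a token obtained from the IdentityClients settings.
    public static string SelectToken(bool eligible, string? incomingToken) =>
        eligible && !string.IsNullOrEmpty(incomingToken)
            ? "forward incoming token"
            : "fall back to IdentityClients";

    public static void Main()
    {
        // Constructed principals for the three scenarios the tests cover.
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("sub", Guid.NewGuid().ToString()) }, "Bearer"));
        // client_credentials: authenticated identity, no user id claim.
        var client = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("client_id", "constructed-client") }, "Bearer"));
        // No authentication type, so Identity.IsAuthenticated is false.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        var cases = new List<(string Name, ClaimsPrincipal P, string? Token)>
        {
            ("user", user, "constructed-token-a"),
            ("client", client, "constructed-token-b"),
            ("anonymous", anonymous, null),
        };
        foreach (var (name, p, token) in cases)
        {
            Console.WriteLine($"{name,-9} old: {SelectToken(HasUserId(p), token)}");
            Console.WriteLine($"{name,-9} new: {SelectToken(IsAuthenticated(p), token)}");
        }
    }
}
```

Only the client row differs between the two rules: under the old check the downstream call is made with the application's own IdentityClients credentials instead of the calling client's token.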
codecov Bot commented Jul 3, 2026

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 49.38%. Comparing base (495e7a2) to head (ee99696).
⚠️ Report is 14 commits behind head on rel-10.5.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...tityModel/Web/HttpContextAbpAccessTokenProvider.cs | 0.00% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@             Coverage Diff              @@
##           rel-10.5   #25740      +/-   ##
============================================
+ Coverage     49.34%   49.38%   +0.04%     
============================================
  Files          3687     3687              
  Lines        124430   124430              
  Branches       9506     9506              
============================================
+ Hits          61396    61449      +53     
+ Misses        61209    61137      -72     
- Partials       1825     1844      +19     

@maliming maliming requested a review from EngincanV July 3, 2026 03:07
@EngincanV EngincanV merged commit 24910c2 into rel-10.5 Jul 3, 2026
3 of 4 checks passed
@EngincanV EngincanV deleted the maliming/forward-token-for-authenticated-client branch July 3, 2026 05:45
3 participants