Forward the current access token for authenticated client requests#25740
Merged
EngincanV merged 2 commits intoJul 3, 2026
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates HttpContextAbpAccessTokenProvider to forward the incoming access token for any authenticated request (including client_credentials flows), instead of only forwarding when an ABP “current user” is authenticated—preventing authenticated client requests from falling back to IdentityClients.
Changes:
- Switch access-token forwarding eligibility check from
ICurrentUser.IsAuthenticatedtoHttpContext.User.Identity.IsAuthenticated. - Add integration tests covering authenticated user, authenticated client (no user), and anonymous request scenarios.
- Introduce a small test authentication handler that exposes an
access_tokenviaHttpContext.GetTokenAsync.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| framework/src/Volo.Abp.Http.Client.IdentityModel.Web/Volo/Abp/Http/Client/IdentityModel/Web/HttpContextAbpAccessTokenProvider.cs | Forward token based on HttpContext.User authentication state rather than ICurrentUser. |
| framework/test/Volo.Abp.Http.Client.IdentityModel.Web.Tests/Volo/Abp/Http/Client/IdentityModel/Web/HttpContextAbpAccessTokenProvider_Tests.cs | Adds coverage for user-authenticated, client-authenticated, and anonymous forwarding behavior. |
| framework/test/Volo.Abp.Http.Client.IdentityModel.Web.Tests/Volo/Abp/Http/Client/IdentityModel/Web/TestTokenAuthHandler.cs | Adds a test auth handler to supply an access_token via authentication properties. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## rel-10.5 #25740 +/- ##
============================================
+ Coverage 49.34% 49.38% +0.04%
============================================
Files 3687 3687
Lines 124430 124430
Branches 9506 9506
============================================
+ Hits 61396 61449 +53
+ Misses 61209 61137 -72
- Partials 1825 1844 +19 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
EngincanV
approved these changes
Jul 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
HttpContextAbpAccessTokenProvidernow forwards the incoming access token whenever the request is authenticated (user or client), instead of only when there is a user, soclient_credentialsrequests no longer fall back toIdentityClients.