[Security] Add ability for authenticators to explain why they didn’t support a request #60538
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a175f93 to
b0cdff7
Compare
OskarStark
reviewed
May 25, 2025
| @@ -11,6 +11,7 @@ CHANGELOG | |||
| * Add support for closures in `#[IsGranted]` | |||
| * Add `OAuth2TokenHandler` with OAuth2 Token Introspection support for `AccessTokenAuthenticator` | |||
| * Add discovery support to `OidcTokenHandler` and `OidcUserInfoTokenHandler` | |||
| * Add ability for authenticators to explain why they support the request or not | |||
There was a problem hiding this comment.
Suggested change
| * Add ability for authenticators to explain why they support the request or not | |
| * Add ability for authenticators to explain why they do not support the request |
If they support it, no reason is set, right?
There was a problem hiding this comment.
If they support it, no reason is set, right?
I was not sure if the userland could benefit from it, but since it is only displayed when the authenticator doesn’t support the request let’s not advertise it indeed.
12f9679 to
cc4097b
Compare
|
You may want to update your PR description to target 7.4, as well as create a new UPGRADE file to target 7.4 as well |
|
Yep I’ll do it while rebasing on the 7.4 branch when it’ll be created. |
cc4097b to
18bdbc1
Compare
…support a request
18bdbc1 to
fa94c26
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Inspired by #59771 this PR allows authenticators to advertise why they didn’t support a request by passing a new
RequestSupportargument to theirsupportsmethod. Calling itsaddReasonmethod will cause the profiler to display them:If this is accepted, this will pave the way for firewall listeners to expose informations about their calls to
supports(this is why theRequestSupportclass also holds$resultand$lazyproperties) andauthenticate, thus closing #36668.