ASP0025: Use AddAuthorizationBuilder to register authorization services and construct policies.

Cause

The use of xref:Microsoft.Extensions.DependencyInjection.PolicyServiceCollectionExtensions.AddAuthorization%2A can be converted to the new xref:Microsoft.Extensions.DependencyInjection.PolicyServiceCollectionExtensions.AddAuthorizationBuilder%2A.

Rule description

Use AddAuthorizationBuilder to register authorization services and construct policies.

How to fix violations

To fix a violation of this rule, replace the usage of AddAuthorization with AddAuthorizationBuilder.

The code fix converts any usage of the setters for the following properties of xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions:

• xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.DefaultPolicy
• xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.FallbackPolicy
• xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.InvokeHandlersAfterFailure

These setter usages are converted to equivalent method calls on xref:Microsoft.AspNetCore.Authorization.AuthorizationBuilder:

• xref:Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetDefaultPolicy%2A
• xref:Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetFallbackPolicy%2A
• xref:Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetInvokeHandlersAfterFailure%2A

No diagnostic is reported when the configure action passed to AddAuthorization uses any of the following members of AuthorizationOptions:

• The xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.GetPolicy(System.String) method
• The xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.DefaultPolicy getter
• The xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.FallbackPolicy getter
• The xref:Microsoft.AspNetCore.Authorization.AuthorizationOptions.InvokeHandlersAfterFailure getter

AuthorizationBuilder doesn't have equivalents for these members of AuthorizationOptions, so they can't be converted.

No diagnostic is reported if the configure action passed to AddAuthorization contains operations unrelated to AuthorizationOptions. The code fix would not be able to automatically map unrelated operations to the fluent API of AddAuthorizationBuilder.

The following example shows code that triggers this diagnostic:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AtLeast21", policy =>
        policy.Requirements.Add(new MinimumAgeRequirement(21)));
});

var app = builder.Build();

app.UseAuthorization();

app.Run();

The following example shows the result of applying the code fix:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorizationBuilder()
  .AddPolicy("AtLeast21", policy =>
  {
        policy.Requirements.Add(new MinimumAgeRequirement(21));
  });

var app = builder.Build();

app.UseAuthorization();

app.Run();

When to suppress warnings

The severity level of this diagnostic is Information. Suppress warnings if you don't want to use the new syntax.