Use IHttpMessageHandlerFactory For HTTP Communication

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
2026-02-13 04:13:42 +08:00 · 2025-04-23 11:25:43 -07:00
parent 90d831d9ef
commit c93be6d52b
12 changed files with 53 additions and 1 deletions
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
-using System.Net;
+using System.Diagnostics;
+using System.Net;
 using System.Reflection;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
@@ -486,6 +487,8 @@ public static class ServiceCollectionExtensions
        Action<AuthorizationOptions> addAuthorization)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            // If we ever use the overload here with a different authentication scheme name then
+            // we need to change the AddOptions call below.
            .AddJwtBearer(options =>
            {
                options.MapInboundClaims = false;
@@ -505,6 +508,24 @@ public static class ServiceCollectionExtensions
                };
            });

+        // This is done through a Configure method instead of above so that we can avoid
+        // an early creation of services but still use a service that should centrally control how HttpMessageHandlers
+        // are created.
+        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
+            .Configure<IHttpMessageHandlerFactory>((options, httpMessageHandlerFactory) =>
+            {
+                // Since we don't manually set the Backchannel and the Post stage configuration shouldn't have
+                // ran yet we don't expect this option to be set. If it is set, it was likely set with a
+                // handler already and won't respect the BackchannelHttpHandler we are about to set.
+                Debug.Assert(options.Backchannel is null);
+
+                // Do a few debug checks to make sure we are customizing the expected options configured above.
+                Debug.Assert(!options.TokenValidationParameters.ValidateAudience);
+                Debug.Assert(options.TokenValidationParameters.ValidTypes.Single() == "at+jwt");
+                Debug.Assert(options.TokenValidationParameters.NameClaimType == ClaimTypes.Email);
+                options.BackchannelHttpHandler = httpMessageHandlerFactory.CreateHandler();
+            });
+
        if (addAuthorization != null)
        {
            services.AddAuthorization(config =>