Is order of multiple IAuthProviders significant in any way?

We have services protected by AuthenticateAttribute and we have multiple custom IAuthProviders registered. Each with its own override of IsAuthorized.

The AuthenticateAttribute triggers a call to IsAuthorized, but for which IAuthProvider?
Based on my experiments this is determined by the order in which they are registered. Is this correct?

For example, would the following would mean that MyCustomApiKeyAuthProvide.IsAuthorized will be triggered by the AuthenticateAttribute?

Plugins.Add(new AuthFeature(..., 
    new IAuthProvider[] {
        new MyCustomApiKeyAuthProvider(),
        new MyCustomCredentialsAuthProvider()

Kind Regards

IsAuthorized() should be called for all registered Auth Providers:

The one time when it is significant is when calling /auth/logout which calls the first registered AuthProvider Logout() API, but this is typically rarely overridden so just ends up calling the base AuthProvider Logout() implementation.

1 Like