OData · bytefish · Feb 15, 2025
diff --git a/README.md b/README.md
@@ -5,38 +5,32 @@ to an OData service based on `Microsoft.AspNetCore.OData`.
 
 ## Usage
 
-In your `Startup.cs` file:
 
-```c#
-using Microsoft.AspNetCore.OData.Authorization
-```
-```c#
-public void ConfigureServices(IServiceCollection services)
-{
-    // odata authorization services
-    services.AddOData()
-        .AddODataAuthorization(options => {
-            // you need to register an authentication scheme/handler
-            // This works similar to services.AddAuthentication
-            options.ConfigureAuthentication("DefaultAuthScheme").AddScheme(/* ... */)
-        });
-
-    service.AddRouting();
-}
-```
-```c#
-public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+In your `Program.cs` file you'll need to add the Policy and Require it for your Endpoints:
+
+```csharp
+using Microsoft.AspNetCore.OData.Authorization;
+
+// ...
+
+builder.Services.AddAuthorization(options =>
 {
-    app.UseRouting();
-    // OData register authorization middleware
-    app.UseOdataAuthorization();
-
-    app.UseEndpoints(endpoints => {
-        endpoints.MapODataRoute("odata", "odata", GetEdmModel());
-    });
-}
+    options.AddODataAuthorizationPolicy();
+});
+
+// ...
+
+var app = builder.Build();
+
+// ...
+
+app
+    .MapControllers()
+    .RequireODataAuthorization();
 ```
 
+The Policy only applies to OData-enabled endpoints. Non-OData endpoints are ignored.
+
 ## Sample applications
 
 - [ODataAuthorizationSample](./samples/ODataAuthorizationSample): Simple API with permission restrictions and OData authorization middleware set up with a custom authentication handler

diff --git a/samples/CookieAuthenticationSample/Controllers/AuthController.cs b/samples/CookieAuthenticationSample/Controllers/AuthController.cs
@@ -3,6 +3,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using ODataAuthorizationDemo.Models;
@@ -14,6 +15,7 @@ namespace ODataAuthorizationDemo.Controllers
     public class AuthController : ControllerBase
     {
         [HttpPost]
+        [AllowAnonymous]
         [Route("login")]
         public async Task<IActionResult> Login([FromBody] LoginData data)
         {

diff --git a/samples/CookieAuthenticationSample/Controllers/ProductsController.cs b/samples/CookieAuthenticationSample/Controllers/ProductsController.cs
@@ -1,6 +1,7 @@
 using System.Threading.Tasks;
-using Microsoft.AspNet.OData;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.OData.Deltas;
+using Microsoft.AspNetCore.OData.Routing.Controllers;
 using ODataAuthorizationDemo.Models;
 
 namespace ODataAuthorizationDemo.Controllers

diff --git a/samples/CookieAuthenticationSample/CookieAuthenticationSample.csproj b/samples/CookieAuthenticationSample/CookieAuthenticationSample.csproj
@@ -1,20 +1,17 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.OData" Version="7.4.1" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="3.1.7" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="3.1.7" />
-    <PackageReference Include="Microsoft.OData.Core" Version="7.7.1" />
-    <PackageReference Include="Microsoft.OData.ModelBuilder" Version="1.0.3" />
+    <PackageReference Include="Microsoft.AspNetCore.OData" Version="9.0.0" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.8" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="8.0.8" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\..\src\Microsoft.AspNetCore.OData.Authorization\Microsoft.AspNetCore.OData.Authorization.csproj" />
   </ItemGroup>
 
-
 </Project>
diff --git a/samples/CookieAuthenticationSample/CookieAuthenticationSample.http b/samples/CookieAuthenticationSample/CookieAuthenticationSample.http
@@ -0,0 +1,28 @@
+@CookieAuthenticationSample_HostAddress = https://localhost:5000
+
+## CookieAuthenticationSample
+
+### Authenticate and pass Scopes
+POST {{CookieAuthenticationSample_HostAddress }}/auth/login
+Content-Type: application/json
+{
+  "RequestedScopes": [ "Product.Create", "Product.Read" ]
+}
+
+### Create a Product
+POST {{CookieAuthenticationSample_HostAddress }}/odata/Products
+Content-Type: application/json
+{
+  "Id": 1,
+  "Name": "Product #1",
+  "Price": 10
+}
+
+### Get all Product
+GET {{CookieAuthenticationSample_HostAddress }}/odata/Products
+
+### Get Product By Key
+GET {{CookieAuthenticationSample_HostAddress }}/odata/Products(1)
+
+### Delete Product By Key
+DELETE {{CookieAuthenticationSample_HostAddress }}/odata/Products(1)
diff --git a/samples/CookieAuthenticationSample/Models/AppEdmModel.cs b/samples/CookieAuthenticationSample/Models/AppEdmModel.cs
@@ -8,6 +8,7 @@ public static class AppEdmModel
         public static IEdmModel GetModel()
         {
             var builder = new ODataConventionModelBuilder();
+
             var products = builder.EntitySet<Product>("Products");
 
             products.HasReadRestrictions()

diff --git a/samples/CookieAuthenticationSample/Models/Product.cs b/samples/CookieAuthenticationSample/Models/Product.cs
@@ -1,11 +1,11 @@
-using System.ComponentModel.DataAnnotations;
-
-namespace ODataAuthorizationDemo.Models
+namespace ODataAuthorizationDemo.Models
 {
     public class Product
     {
         public int Id { get; set; }
+
         public string Name { get; set; }
+
         public int Price { get; set; }
     }
 }
diff --git a/samples/CookieAuthenticationSample/Program.cs b/samples/CookieAuthenticationSample/Program.cs
@@ -1,26 +1,75 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.OData;
+using Microsoft.AspNetCore.OData.Authorization;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using ODataAuthorizationDemo.Models;
 using System.Threading.Tasks;
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.Hosting;
-using Microsoft.Extensions.Logging;
 
-namespace ODataAuthorizationDemo
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddDbContext<AppDbContext>(opt => opt.UseInMemoryDatabase("ODataAuthDemo"));
+
+builder.Services.AddCors(options =>
 {
-    public class Program
+    options.AddPolicy("AllowAll",
+        builder =>
+        {
+            builder
+                .AllowAnyOrigin()
+                .AllowAnyMethod()
+                .AllowAnyHeader();
+        });
+});
+
+// Add Cookie Authentication:
+builder.Services
+    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+    .AddCookie((options) =>
     {
-        public static void Main(string[] args)
+        options.AccessDeniedPath = string.Empty;
+
+        options.Events.OnRedirectToAccessDenied = (context) =>
         {
-            CreateHostBuilder(args).Build().Run();
-        }
-
-        public static IHostBuilder CreateHostBuilder(string[] args) =>
-            Host.CreateDefaultBuilder(args)
-                .ConfigureWebHostDefaults(webBuilder =>
-                {
-                    webBuilder.UseStartup<Startup>();
-                });
-    }
-}
+            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+
+            return Task.CompletedTask;
+        };
+
+        options.Events.OnRedirectToLogin = (context) =>
+        {
+            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+
+            return Task.CompletedTask;
+        };
+    });
+
+builder.Services.AddAuthorization(options =>
+{
+    options.AddODataAuthorizationPolicy();
+});
+
+builder.Services
+    .AddControllers()
+    // Add OData Routes:
+    .AddOData((opt) => opt
+        .AddRouteComponents("odata", AppEdmModel.GetModel())
+        .EnableQueryFeatures());
+
+var app = builder.Build();
+
+app.UseCors("AllowAll");
+
+app.UseRouting();
+
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+app
+    .MapControllers()
+    .RequireODataAuthorization();
+
+app.Run();
diff --git a/samples/CookieAuthenticationSample/Properties/launchSettings.json b/samples/CookieAuthenticationSample/Properties/launchSettings.json
@@ -1,27 +1,11 @@
 {
   "$schema": "http://json.schemastore.org/launchsettings.json",
-  "iisSettings": {
-    "windowsAuthentication": false,
-    "anonymousAuthentication": true,
-    "iisExpress": {
-      "applicationUrl": "http://localhost:65163",
-      "sslPort": 0
-    }
-  },
   "profiles": {
-    "IIS Express": {
-      "commandName": "IISExpress",
-      "launchBrowser": true,
-      "launchUrl": "odata",
-      "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
-      }
-    },
-    "ODataAuthorizationDemo": {
+    "https": {
       "commandName": "Project",
-      "launchBrowser": true,
-      "launchUrl": "odata",
-      "applicationUrl": "http://localhost:5000",
+      "launchBrowser": false,
+      "launchUrl": "",
+      "applicationUrl": "https://localhost:5000",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }

diff --git a/samples/CookieAuthenticationSample/Startup.cs b/samples/CookieAuthenticationSample/Startup.cs