Add some notes accessing controller action descriptor from auth handlers (#17829)

pranavkm · scottaddie · web-flow · commit bb339ea998da · 2020-04-16T14:03:14.000-05:00
* Add some notes accessing controller action descriptor + auth handlers * Update policies.md * Edit pass on policy-based authz doc (#17833) Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com>
diff --git a/aspnetcore/security/authorization/policies.md b/aspnetcore/security/authorization/policies.md
@@ -4,7 +4,7 @@ author: rick-anderson
 description: Learn how to create and use authorization policy handlers for enforcing authorization requirements in an ASP.NET Core app.
 ms.author: riande
 ms.custom: mvc
-ms.date: 10/05/2019
+ms.date: 04/15/2020
 uid: security/authorization/policies
 ---
 # Policy-based authorization in ASP.NET Core
@@ -426,9 +426,19 @@ For example, the previous `BadgeEntryHandler` could be rewritten as follows:
 
 ## Accessing MVC request context in handlers
 
-The `HandleRequirementAsync` method you implement in an authorization handler has two parameters: an `AuthorizationHandlerContext` and the `TRequirement` you are handling. Frameworks such as MVC or Jabbr are free to add any object to the `Resource` property on the `AuthorizationHandlerContext` to pass extra information.
+The `HandleRequirementAsync` method you implement in an authorization handler has two parameters: an `AuthorizationHandlerContext` and the `TRequirement` you are handling. Frameworks such as MVC or SignalR are free to add any object to the `Resource` property on the `AuthorizationHandlerContext` to pass extra information.
 
-For example, MVC passes an instance of [AuthorizationFilterContext](/dotnet/api/?term=AuthorizationFilterContext) in the `Resource` property. This property provides access to `HttpContext`, `RouteData`, and everything else provided by MVC and Razor Pages.
+When using endpoint routing, authorization is typically handled by the Authorization Middleware. In this case, the `Resource` property is an instance of <xref:Microsoft.AspNetCore.Http.Endpoint>. The endpoint can be used to probe the underlying the resource to which you're routing. For example:
+
+```csharp
+if (context.Resource is Endpoint endpoint)
+{
+   var actionDescriptor = endpoint.Metadata.GetMetadata<ControllerActionDescriptor>();
+   ...
+}
+```
+
+With traditional routing, or when authorization happens as part of MVC's authorization filter, the value of `Resource` is an <xref:Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext> instance. This property provides access to `HttpContext`, `RouteData`, and everything else provided by MVC and Razor Pages.
 
 The use of the `Resource` property is framework specific. Using information in the `Resource` property limits your authorization policies to particular frameworks. You should cast the `Resource` property using the `is` keyword, and then confirm the cast has succeeded to ensure your code doesn't crash with an `InvalidCastException` when run on other frameworks:
 
@@ -441,4 +451,4 @@ if (context.Resource is AuthorizationFilterContext mvcContext)
 }
 ```
 
-::: moniker-end
+::: moniker-end
