Authorize attribute with AllowAnonymous attribute always anonymous.

[johnwc]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Having a method as such, the User property of the controller is never assigned the user from the bearer token from the header when AllowAnonymous is added. Docs states that if you add AllowAnonymous along with Authorize, it will allow anonymous when no authentication is present, and authenticate and set User property of controller when authentication is present

[AllowAnonymous]
[Authorize]
[HttpGet("test1", Name = "Test1")]
public async Task<ActionResult<TestResponse>> Test()
{
     this.User <-- always no claims
     ...
}

Expected Behavior

If auth header is present it should verify it and set User property of controller.

Steps To Reproduce

StartUp

      ...
      builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
          .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
      ...
      var app = builder.Build();
      if (app.Environment.IsProduction())
        app.UsePathBase("/api/v2");

      if (app.Environment.IsDevelopment())
      {
        app.UseServerTiming();
        app.UseSwagger();
        app.UseSwaggerUI();
      }

      app.UseForwardedHeaders(new ForwardedHeadersOptions
      {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost
      });

      app.UseHttpsRedirection();
      app.UseRouting();
      app.UseCors();
      app.UseAuthentication();
      app.UseAuthorization();
      app.MapControllers();
      app.Run();

Controller

  [Route("account")]
  [ApiController]
  [Authorize]
  [Produces("application/json")]
  public class AccountController : BaseController
  {
  
    [AllowAnonymous]
    [Authorize] <-- tried adding it here as well in case it needed it here
    [HttpGet("test1", Name = "Test1")]
    public async Task<ActionResult<TestResponse>> Test()
    {
      this.User <-- always no claims
      ...
    }
  }

Exceptions (if any)

No response

.NET Version

6.0

Anything else?

No response

[davidfowl]

Where is the rest of your code? Where is the middleware pipeline and setup?

[johnwc]

Using the out of the box standard Microsoft identity code to add it to the startup, literally single line of code with b2c client settings in app settings. I'm out to dinner at the moment, if you need exact copy of code I can share it when I get back home in about 30 minutes.

Am I correct that my expected behavior is correct?

[johnwc]

@davidfowl I updated the original question with more code

[blowdart]

[Authorize] checks if the resource is marked by [AllowAnonymous] and skips authorization in this case.

Where do the docs say otherwise? If I look at the main authorization doc page it has a nice warning,

[AllowAnonymous] bypasses all authorization statements. If you combine [AllowAnonymous] and any [Authorize] attribute, the [Authorize] attributes are ignored. For example if you apply [AllowAnonymous] at the controller level, any [Authorize] attributes on the same controller (or on any action within it) is ignored.

@Tratcher / @HaoK this is correct isn't it?

[davidfowl]

The user should still be available for authenticated users.

[johnwc]

@blowdart authorized and authenticated are two different things. In this case, we don't need anyone to be "authorized" to use this api method, but they should be able to authenticate if they do have valid credentials. The api method has different flows depending if they are authenticated.

@davidfowl any idea where I need to look to find out why it's not working?

[johnwc]

@blowdart Here is where it states it. Not in the docs maybe, but documented within the code itself.
AuthorizationMiddleware.cs

[johnwc]

@davidfowl I was able to get this to work today. I had to add a default scheme policy or assign a policy to the Authorize attribute. Just adding schemes was not enough.

[davidfowl]

@johnwc do you want to contribute to the docs to help the next person that runs into this 😃 ?

[johnwc]

@davidfowl sure, it may take me a week or two though to find some time. What page exactly do you think it should be updated on, and would example config be ok?

[mkArtakMSFT]

Reopening as we're reconsidering the defaults in this space.