authorize attribute on a mvc controller method doesnt override the class authorize attribute

[eccc-fp]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

calling the end point of test/mi while using a b2c token work, it shouldnt

Expected Behavior

the endpoint fred/mi while using a b2c token should return 401

Steps To Reproduce

test code, http file

### 200 --- ok
GET https://{{url}}/test/b2c
Authorization: Bearer {{token_b2c}}
### 401 --- ok
GET https://{{url}}/test/b2c
### 401 --- ok
GET https://{{url}}/test/b2c
Authorization: Bearer {{token_managed_identity}}

##########

### 200 --- wrong ###
GET https://{{url}}/test/mi
Authorization: Bearer {{token_b2c}}
### 401 --- ok
GET https://{{url}}/test/mi
### 200 --- ok
GET https://{{url}}/test/mi
Authorization: Bearer {{token_managed_identity}}

barebone program.cs

var builder = WebApplication.CreateBuilder(args);

// Azure B2C
builder.Services.AddAuthentication()
        .AddMicrosoftIdentityWebApi(
            jwtOptions =>
            {
                builder.Configuration.Bind(ConfigurationName.B2C_Profile, jwtOptions);
            },
            identityOptions => builder.Configuration.Bind(ConfigurationName.B2C_Profile, identityOptions),
            ConfigurationName.B2C_Profile
        );


// Azure Managed Identity
builder.Services.AddAuthentication()
.AddMicrosoftIdentityWebApi(
    jwtOptions =>
    {
        builder.Configuration.Bind(ConfigurationName.ManagedIdentity_Profile, jwtOptions);

        jwtOptions.Events = new JwtBearerEvents
        {
            OnTokenValidated = async context =>
            {
                var objectId = context.Principal.FindFirstValue(ClaimConstants.ObjectId);

                var allowClientIdApplication = builder.Configuration
                                                      .GetSection(ConfigurationName.ManagedIdentity_Profile)
                                                      .GetSection(ConfigurationName.ManagedIdentity_AllowClientIdApplication)
                                                      .Get<string[]>();

                if(!allowClientIdApplication.Contains(objectId))
                {
                    context.Fail("Unauthorized managed identity");
                }

                await Task.CompletedTask;
            },
        };
    },
    identityOptions => builder.Configuration.Bind(ConfigurationName.ManagedIdentity_Profile, identityOptions),
    ConfigurationName.ManagedIdentity_Profile
);

// Add services to the container.

builder.Services.AddControllers();  

var app = builder.Build();

app.UseHsts();
app.UseHttpsRedirection();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

test controller

[Authorize(AuthenticationSchemes = ConfigurationName.B2C_Profile)]
public class TestController : Controller
{
    [HttpGet]
    [Route("test/b2c")]
    public async Task<IActionResult> Ping1()
    {
        await Task.CompletedTask;

        return new OkObjectResult($"Pong from Ping test/b2c");
    }

    [HttpGet]
    [Route("test/mi")]
    [Authorize(AuthenticationSchemes = ConfigurationName.ManagedIdentity_Profile)]
    public async Task<IActionResult> Ping2()
    {
        await Task.CompletedTask;

        return new OkObjectResult($"Pong from Ping test/mi");
    }
}

Exceptions (if any)

No response

.NET Version

.net 8

Anything else?

No response

[eccc-fp]

chatgpt and claude ai both said that the b2c token should not work on test/mi