
Misleading statement about Authorize/AllowAnonymous override

Open Blackclaws opened this issue 3 years ago • 8 comments

The document in its current form leads one to believe that combining Authorize with AllowAnonymous on a controller will lead to Authorize being ignored; this is only partially true.

What really happens is that the result of the authorization is ignored; it is, however, still performed.

This behavior means that the authentication pipeline will indeed run and you will have access to the User Identity in the HttpContext if the user was authenticated.

This can be seen as an alternative to calling HttpContext.AuthenticateAsync() within the controller if you have an endpoint that switches on the authentication state anyway.



Blackclaws avatar Jul 06 '22 12:07 Blackclaws

It states: "You can also use the AllowAnonymous attribute to allow access by non-authenticated users to individual actions."

Rick-Anderson avatar Jul 06 '22 18:07 Rick-Anderson

Correct, but directly below that it states:

> [!WARNING]
> [AllowAnonymous] bypasses all authorization statements. If you combine [AllowAnonymous] and any [Authorize] attribute, the [Authorize] attributes are ignored. For example if you apply [AllowAnonymous] at the controller level, any [Authorize] attributes on the same controller (or on any action within it) is ignored.

Which to me signals that Authorize attributes aren't even processed, which isn't true. Authentication middleware does run.

Blackclaws avatar Jul 06 '22 21:07 Blackclaws

> Which to me signals that Authorize attributes aren't even processed, which isn't true. Authentication middleware does run.

It just states the authorization is bypassed. It doesn't state the middleware doesn't run.

Rick-Anderson avatar Jul 06 '22 22:07 Rick-Anderson

The thing is, middleware doesn't run if there is no [Authorize] attribute. So the presence of the [Authorize] attribute has an effect. Which the Warning posted above implies it doesn't have because [AllowAnonymous] would lead to [Authorize] being ignored.

It's just a detail that might be nice to add to the text as a clarification, saying:

If Authorize is present, authentication middleware runs; if AllowAnonymous is also present, the result of the authentication middleware is ignored and all requests are processed by the endpoint.

Blackclaws avatar Jul 06 '22 22:07 Blackclaws

@blowdart please review

Rick-Anderson avatar Jul 06 '22 23:07 Rick-Anderson

@HaoK Thoughts on how best to word this?

blowdart avatar Jul 07 '22 16:07 blowdart

@HaoK Thoughts on how best to word this?

Rick-Anderson avatar Sep 28 '22 22:09 Rick-Anderson

I would word this something to the effect of, "Authorization requirements specified by [Authorize] will be ignored, but any related authentication will still be done."

HaoK avatar Sep 29 '22 16:09 HaoK
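A small controller illustrating the behaviour described in Blackclaws' proposed wording and in HaoK's suggestion above, as an added example that is not part of the original issue or of the ASP.NET Core docs being discussed. It assumes a default authentication scheme is registered and `UseAuthentication()`/`UseAuthorization()` are in the pipeline; the `GreetingController` name and routes are hypothetical.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumed: Program.cs registers a default authentication scheme (cookie, JWT bearer, ...)
// and calls app.UseAuthentication() and app.UseAuthorization() before mapping controllers.
[ApiController]
[Route("api/[controller]")]
[Authorize]   // authorization requirement for every action in this controller
public class GreetingController : ControllerBase
{
    // [AllowAnonymous] makes the authorization *result* irrelevant for this action:
    // unauthenticated callers are not rejected. Authentication has still been performed
    // because [Authorize] is present on the controller, so HttpContext.User is populated
    // whenever the request carried valid credentials.
    [HttpGet("hello")]
    [AllowAnonymous]
    public IActionResult Hello()
    {
        if (User.Identity?.IsAuthenticated == true)
        {
            // The principal was established by the authentication handler, without an
            // explicit HttpContext.AuthenticateAsync() call in this action.
            return Ok($"Hello, {User.Identity.Name}");
        }

        return Ok("Hello, anonymous caller");
    }

    // No [AllowAnonymous]: the controller-level [Authorize] requirement applies, so an
    // unauthenticated caller receives 401 and an authenticated caller who fails the
    // policy receives 403.
    [HttpGet("secret")]
    public IActionResult Secret() => Ok($"Only for {User.Identity?.Name}");
}
```

Calling `/api/greeting/hello` with and without credentials shows the two branches; the same request without the controller-level `[Authorize]` would carry no authorization requirement for the middleware to evaluate.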