
[Authorize] attribute denies anonymous users, but setting any properties (like roles) does not #60553

abebehailu opened this issue Feb 22, 2025 · 0 comments


abebehailu commented Feb 22, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Hi,

I have noticed a behavior that feels unexpected when setting the Authorize attribute on an endpoint. The reason seems to be the way the AuthorizationPolicy.cs is written.

Setting the [Authorize] attribute leads to DenyAnonymousAuthorizationRequirement being applied (based on the default policy), which denies anonymous users, while setting [Authorize(Roles = "a-role")] only authorizes the role and does not apply the requirement. This is not obvious.

To test this behavior I have set up an authentication handler that succeeds by setting a user with the specific role in the HTTP context but without an authentication type, i.e. unauthenticated. I would expect the user to be denied in both cases, [Authorize] and [Authorize(Roles = "a-role")]. However, setting the attribute [Authorize] rejects the request with 403 while the other one passes through.

From the looks of it, in the AuthorizationPolicy.cs, if no properties are set on the authorize attribute it falls back to the default policy which applies the requirement.

Would it not make sense to combine the roles requirement with the default policy when using the [Authorize(Roles = "a-role")] attribute, or maybe have a property to enable it? E.g. when creating policies you have the opportunity to call RequireAuthenticatedUser to apply the deny-anonymous-user requirement, but the feature does not seem to exist at the attribute level. To achieve this you have to either add a policy and set it on the attribute explicitly, or call .RequireAuthorization on the AuthorizationEndpointConventionBuilderExtensions, which basically adds the [Authorize] attribute.

Expected Behavior

Combine the roles requirement with the default policy when using the [Authorize(Roles = "a-role")] attribute, or add an attribute-level property to enable it when setting the attribute on an endpoint, e.g. [Authorize(RequireAuthentication=true, Roles="a-role")].

Steps To Reproduce

  • Add an authentication handler that sets a user without an authentication type and with role claim "a-role" and make it always succeed.
  • Add the [Authorize] attribute on an endpoint and make a request. You will get 403.
  • Add the attribute [Authorize(Roles = "a-role")] on an endpoint and make a request. You will pass through.

Exceptions (if any)

No response

.NET Version

9.0.101

Anything else?

No response
