While testing I noticed that the [AllowAnonymous] attribute is being ignored, meaning that regardless of whether the attribute is present or not, the authentication process is still being performed.
The problem is with HandleAuthenticateAsync() not taking into consideration the presence of the attribute. I thought about updating the code and doing a pull request, but because it is targeting .NET 4.6, .NET Core 3.0 / 3.1 & .NET Standard 2.0, I am not sure how to handle it properly for .NET 4.6 and .NET Standard 2.0.
In .NET Core 3.0 and above, the following needs to be added to line 42 in the ApiKeyHandlerBase.cs class:
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // skip authentication if endpoint has [AllowAnonymous] attribute
        var endpoint = Context.GetEndpoint();
        if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
            return AuthenticateResult.NoResult();
        var apiKey = string.Empty;
        // ...
    }
I hope the above will be helpful in addressing the issue, and please feel free to contact me if I can be of any help to you.
Thanks
Thanks for testing it out. Sorry, I am not ignoring this issue, it is just that I have not had time to look into this. I will hopefully be able to have a look over the weekend. Meanwhile, I have not seen any other authentication handler (e.g. JwtBearerHandler) checking for the AllowAnonymous attribute, as it is assumed and should be handled by the aspnetcore pipeline framework and the control should never reach this handler at all. Anyhow, I will investigate this one soon.
Investigating this matter, it was concluded that the AllowAnonymous (filter) attribute is meant to be used for Authorization and not Authentication as per the asp-net-core framework implementation. However, as per your suggestion above, I have added an option IgnoreAuthenticationIfAllowAnonymous which can be enabled to ignore any authentication validation. Please check out the latest code here.
Also, released the latest NuGet package with net5 support.
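The behaviour discussed in this thread, as an added example that is not part of the issue or of the library's code: a minimal ASP.NET Core app whose authentication handler runs on every request, with the endpoint-metadata check from the snippet above placed first. It assumes .NET 8 with the web SDK's implicit usings; the scheme name `DemoApiKey`, the `X-API-KEY` header, the key value and both routes are constructed for illustration.

```csharp
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("DemoApiKey")   // hypothetical scheme name
    .AddScheme<AuthenticationSchemeOptions, DemoApiKeyHandler>("DemoApiKey", _ => { });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseRouting();         // must precede UseAuthentication, or GetEndpoint() is null in the handler
app.UseAuthentication();  // invokes the default scheme's handler on every request
app.UseAuthorization();   // this is where [AllowAnonymous] is honoured by the framework

app.MapGet("/health", () => "ok").AllowAnonymous();
app.MapGet("/orders", (ClaimsPrincipal user) => $"hello {user.Identity!.Name}")
   .RequireAuthorization();
app.Run();

// Hypothetical handler written for this example.
class DemoApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public DemoApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Skip key validation entirely when the matched endpoint is anonymous.
        var endpoint = Context.GetEndpoint();
        if (endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null)
            return Task.FromResult(AuthenticateResult.NoResult());

        // No header is not a failure: authorization issues the challenge if one is required.
        if (!Request.Headers.TryGetValue("X-API-KEY", out var key))
            return Task.FromResult(AuthenticateResult.NoResult());

        // Constructed key; a real handler looks the key up in a store.
        if (key != "constructed-demo-key")
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key"));

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "demo") }, Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name)));
    }
}
```

Without the first check, `/health` still responds, because the authorization middleware honours the anonymous metadata; the difference is that the handler would still validate (and possibly log a failure for) any key sent with the request.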