The code below is my action method in ASP.NET Core 3.

[HttpGet]
[Authorize]
public async Task<IActionResult> Info()
{
    if (!User.Identity.IsAuthenticated) // Is this needed?
    {
        return BadRequest("Unauthorized access");
    }

    // Normal response path; the original post did not show what the action returns here.
    return Ok();
}

I used the Authorize attribute on the method. Do I need to check the authentication of the user again with User.Identity.IsAuthenticated?

mohsen

1 Answer

You should take a look at the difference between "Authentication versus Authorization"; see https://stackoverflow.com/a/6556548/2219991

Your posted code won't be enough since there is a case when a user fulfills the authorization requirement, even if not authenticated.


My answer is wrong; please take a look at Joe's comment pointing out that the [Authorize] attribute also checks authentication: https://github.com/aspnet/AspNetWebStack/blob/master/src/System.Web.Http/AuthorizeAttribute.cs

Rüdiger
    "... there is a case when a user fulfills the authorization requirement, even if not authenticated" - do you have an example? As far as I can see from the source code, `AuthorizeAttribute.IsAuthorized` returns false if `User.Identity.IsAuthenticated` is not `true`: https://github.com/aspnet/AspNetWebStack/blob/master/src/System.Web.Http/AuthorizeAttribute.cs – Joe Nov 28 '19 at 13:26
  • You are correct that authentication follows authorization; even if I try to think of an example where I'd use an anonymous user, e.g. authorization based on the referer URL, I'd have to create an authenticated claim or write a custom authorization provider overriding `IsAuthorized`. I'll correct my answer – Rüdiger Nov 28 '19 at 13:58
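To make the distinction concrete for ASP.NET Core 3 (the source linked above is the older System.Web.Http stack, but the outcome is the same): a bare [Authorize] evaluates the default policy, which is RequireAuthenticatedUser(), so an anonymous caller is challenged by the authorization middleware before the action body ever runs and the IsAuthenticated check inside the action is dead code. A named policy replaces that default. If the policy consists only of a custom requirement whose handler succeeds for anonymous principals, which is the "custom authorization provider" Rüdiger describes in the comment, an unauthenticated user does reach the action, and there the explicit check is meaningful. The following is an added example, not code from the question, the answer or the ASP.NET Core project; the policy name "FromTrustedReferer", the hostname trusted.example and the controller are invented for illustration, and it assumes an authentication scheme (cookie or JWT bearer) is registered elsewhere with AddAuthentication.

```csharp
// Added example (not from the original post). Assumes an authentication scheme is
// configured elsewhere; the policy name, hostname and routes are made up.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddHttpContextAccessor();
        services.AddAuthorization(options =>
        {
            // A named policy is used INSTEAD of the default policy. It contains no
            // RequireAuthenticatedUser() requirement, so an anonymous principal can satisfy it.
            options.AddPolicy("FromTrustedReferer", policy =>
                policy.AddRequirements(new TrustedRefererRequirement("trusted.example")));
        });
        services.AddSingleton<IAuthorizationHandler, TrustedRefererHandler>();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // populates HttpContext.User from the configured scheme
        app.UseAuthorization();    // evaluates [Authorize] policies before the action runs
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical requirement: the request must carry a Referer on the given host.
public class TrustedRefererRequirement : IAuthorizationRequirement
{
    public string Host { get; }
    public TrustedRefererRequirement(string host) => Host = host;
}

public class TrustedRefererHandler : AuthorizationHandler<TrustedRefererRequirement>
{
    private readonly IHttpContextAccessor _accessor;
    public TrustedRefererHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, TrustedRefererRequirement requirement)
    {
        var referer = _accessor.HttpContext?.Request.Headers["Referer"].ToString();
        if (Uri.TryCreate(referer, UriKind.Absolute, out var uri)
            && string.Equals(uri.Host, requirement.Host, StringComparison.OrdinalIgnoreCase))
        {
            // Note: context.User is never consulted, so this succeeds for anonymous callers too.
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("[controller]")]
public class AccountController : ControllerBase
{
    // Default policy (RequireAuthenticatedUser): anonymous callers are challenged by the
    // middleware and never get here, so checking User.Identity.IsAuthenticated is redundant.
    [HttpGet("info")]
    [Authorize]
    public IActionResult Info() => Ok(new { name = User.Identity.Name });

    // Named policy with no authenticated-user requirement: an anonymous caller with an
    // acceptable Referer reaches this body, so here the explicit check actually decides something.
    [HttpGet("widget")]
    [Authorize(Policy = "FromTrustedReferer")]
    public IActionResult Widget()
    {
        if (!User.Identity.IsAuthenticated)
        {
            return Ok(new { mode = "anonymous" });
        }
        return Ok(new { mode = "personalised", name = User.Identity.Name });
    }
}
```

The Referer header is set by the client and trivially forged, so the policy above is there to show the mechanics of a requirement that admits anonymous users, not as a recommended access control. If you do reject anonymous callers by hand inside an action, return Unauthorized() rather than BadRequest() so the client receives a 401 instead of a 400.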