2

I am working on a .NET Core API 2.2 project where I am using an authorization filter. I am just checking for a bearer token in the Authorization header, and if the bearer token is there then the user action can be called. But I want to exclude some actions from authorization. I am using the AllowAnonymous attribute on a specific action, but when calling that anonymous method the authorization filter is still being called. The code of the filter is given below:

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public class ApiAuthorizeFilter : AuthorizeAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // GetToken() and GetRealm() are the asker's own HttpContext extension methods (not shown).
        string token = context.HttpContext.GetToken();
        if (string.IsNullOrEmpty(token))
        {
            // Set Result to short-circuit: setting only Response.StatusCode lets the action still run.
            context.Result = new UnauthorizedResult();
        }
        else
        {
            string realmId = context.HttpContext.GetRealm();
            if (string.IsNullOrEmpty(realmId))
            {
                context.Result = new UnauthorizedResult();
            }
        }
    }
}
```

I have checked some solutions, but this is still not resolved. Please share any solution for .NET Core API version 2.2.

Deepak
  • Does this answer your question? [AllowAnonymous not working with Custom AuthorizationAttribute](https://stackoverflow.com/questions/13595723/allowanonymous-not-working-with-custom-authorizationattribute) – Matt U Dec 12 '19 at 17:13
  • @MattU, I have already added the specific version with this issue. I had already checked the URL you gave before submitting the question. It is not related to framework and version. – Deepak Dec 13 '19 at 07:36

2 Answers

1

You can check for the AllowAnonymous attribute inside the OnAuthorization method:

```csharp
// Allow Anonymous skips all authorization
if (context.Filters.Any(item => item is IAllowAnonymousFilter))
{
    return;
}
```

Based on your code:

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;

public class ApiAuthorizeFilter : AuthorizeAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Allow Anonymous skips all authorization
        if (context.Filters.Any(item => item is IAllowAnonymousFilter))
        {
            return;
        }
        string token = context.HttpContext.GetToken();
        if (string.IsNullOrEmpty(token))
        {
            // Set Result to short-circuit: setting only Response.StatusCode lets the action still run.
            context.Result = new UnauthorizedResult();
        }
        else
        {
            string realmId = context.HttpContext.GetRealm();
            if (string.IsNullOrEmpty(realmId))
            {
                context.Result = new UnauthorizedResult();
            }
        }
    }
}
```
Nan Yu
  • Thanks for the suggestion, but the above code is not working for those actions which need to be authorized. It is removing authorization functionality from all actions. Please reply according to .NET Core API v2.2. Many answers are found regarding v2.0 or MVC, but they are not working in v2.2. – Deepak Dec 13 '19 at 07:33
  • @Deepak "above code is not working for those action which need to be authorized." --> What do you mean by that? Then why do you add [AllowAnonymous]? – Nan Yu Dec 13 '19 at 07:36
  • I am authorizing actions with the authorize filter, but some actions need to be anonymous. But when I am putting the [AllowAnonymous] filter on an action then it is not working and the authorization filter is being executed. Please suggest any answer regarding .NET Core API v2.2 – Deepak Dec 13 '19 at 07:39
  • `But when I am putting [AllowAnonymous] filter on action then It is not working and authorization filter is being executed` Yes, the filter is executed; that's why you can put the above code in `OnAuthorization` to make the actions which have the AllowAnonymous attribute bypass the filter. And again, that code works in .NET Core API v2.2. Did you try the code? – Nan Yu Dec 13 '19 at 07:42
  • In my code I have "AuthorizationFilterContext" as my parameter. Please suggest from where I can get "HttpActionContext" as mentioned in the above URL. Please share code if you have it. – Deepak Dec 13 '19 at 07:46
  • That still uses `AuthorizationFilterContext`, not `HttpActionContext` – Nan Yu Dec 13 '19 at 07:48
  • It's not working in Web API 6 – Luqman Cheema Apr 08 '23 at 06:54
1

When doing endpoint routing, MVC does not add AllowAnonymousFilters for AllowAnonymousAttributes that were discovered on controllers and actions. To maintain compat with 2.x, we'll check for the presence of IAllowAnonymous in endpoint metadata.

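```csharp
// Fragment of a bool-returning helper; inside a void OnAuthorization use a plain `return;`.
var endpoint = context.HttpContext.GetEndpoint();
if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
{
    return true;
}
```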
SmRiley
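The checks from both answers combined in one filter, as an added example that is not code from either answer: it honours `[AllowAnonymous]` whether MVC exposes it as a filter (2.x) or only as endpoint metadata, and it short-circuits by setting `context.Result`. It assumes ASP.NET Core 3.0 or later (for `GetEndpoint()`); `ApiAuthorizeAttribute` and `GetBearerToken()` are hypothetical names, the latter standing in for the asker's `GetToken()`, which the page does not show.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;      // IAllowAnonymous
using Microsoft.AspNetCore.Http;               // HttpContext, Endpoint, GetEndpoint()
using Microsoft.AspNetCore.Mvc;                // UnauthorizedResult
using Microsoft.AspNetCore.Mvc.Authorization;  // IAllowAnonymousFilter
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical stand-in for the asker's GetToken() helper, which is not shown on the page.
public static class HttpContextTokenExtensions
{
    public static string GetBearerToken(this HttpContext http)
    {
        const string scheme = "Bearer ";
        string header = http.Request.Headers["Authorization"].ToString();
        return header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)
            ? header.Substring(scheme.Length).Trim()
            : null;
    }
}

// Derives from Attribute (not AuthorizeAttribute) so that only this filter's logic applies.
public sealed class ApiAuthorizeAttribute : Attribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        if (IsAnonymousAllowed(context))
        {
            return;
        }
        // Presence check only, as in the question; token validation is out of scope here.
        if (string.IsNullOrEmpty(context.HttpContext.GetBearerToken()))
        {
            // Setting Result short-circuits the pipeline, so the action never executes.
            context.Result = new UnauthorizedResult();
        }
    }

    private static bool IsAnonymousAllowed(AuthorizationFilterContext context)
    {
        // 2.x behaviour: MVC adds an IAllowAnonymousFilter for [AllowAnonymous].
        if (context.Filters.Any(f => f is IAllowAnonymousFilter))
        {
            return true;
        }
        // Endpoint routing: [AllowAnonymous] is present only as endpoint metadata.
        Endpoint endpoint = context.HttpContext.GetEndpoint();
        return endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null;
    }
}
```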