Authorize only controller allows anonymous access in .net core

灰色年华 2020-12-11 09:24

I have set up identity in a .net core web app, and marked a certain controller as authorize like this...

[Authorize(Roles = "Partner")]
public class ClaimsCo

1 answer
  • 2020-12-11 10:10

    The calls to UseAuthentication and UseAuthorization must be placed between UseRouting and UseEndpoints:

    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(x =>
    {
        x.MapControllerRoute("Default",
            "{controller}/{action}/{id?}",
            new { controller = "Home", action = "Index" });
    });
    

    When these calls are placed before UseRouting, the UseAuthorization call is somewhat of a no-op. It checks to see whether an endpoint has been selected, but this hasn't happened yet. The selection process is performed courtesy of the UseRouting call that runs next, which is too late.

    Unfortunately, this means that the MVC endpoint runs as though authorisation succeeded, even though it wasn't performed at all. This is a known issue in the 3.0.0 release of ASP.NET Core, which has been fixed in the 3.0.1 release.

    0 Discussion (0)
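The ordering problem described in the answer above, as an added example that is not part of the original post and not ASP.NET Core's own code: a simplified model of the pipeline in which routing selects the endpoint and authorization can only check an endpoint that has already been selected. All type, method and path names (`RequestContext`, `Routing`, `/protected`) are hypothetical, and the model follows the 3.0.0 behaviour the answer describes.

```csharp
using System;
using System.Collections.Generic;
// Simplified model for illustration; hypothetical types, not the ASP.NET Core API.
class Endpoint { public string RequiredRole; }
class RequestContext
{
    public string Path = "/protected";
    public string UserRole;      // null = anonymous (stands in for the authentication result)
    public Endpoint Endpoint;    // null until the routing step has selected one
    public int StatusCode = 404;
}
static class Program
{
    // Constructed route table: one endpoint that requires the "Partner" role.
    static readonly Dictionary<string, Endpoint> Routes = new Dictionary<string, Endpoint>
        { ["/protected"] = new Endpoint { RequiredRole = "Partner" } };

    // Each step returns false to stop the pipeline. Routing selects the endpoint.
    static bool Routing(RequestContext ctx)
    { Routes.TryGetValue(ctx.Path, out ctx.Endpoint); return true; }

    static bool Authorization(RequestContext ctx)
    {
        // No endpoint selected yet: there is no metadata to check, so the request passes through.
        if (ctx.Endpoint == null || ctx.Endpoint.RequiredRole == null) return true;
        if (ctx.UserRole == ctx.Endpoint.RequiredRole) return true;
        ctx.StatusCode = ctx.UserRole == null ? 401 : 403;
        return false;
    }

    // Executes the selected action.
    static bool Endpoints(RequestContext ctx)
    { if (ctx.Endpoint != null) ctx.StatusCode = 200; return false; }

    static int Run(string userRole, Func<RequestContext, bool>[] pipeline)
    {
        var ctx = new RequestContext { UserRole = userRole };
        foreach (var step in pipeline) if (!step(ctx)) break;
        return ctx.StatusCode;
    }

    static void Main()
    {
        var correct = new Func<RequestContext, bool>[] { Routing, Authorization, Endpoints };
        var misordered = new Func<RequestContext, bool>[] { Authorization, Routing, Endpoints };
        Console.WriteLine("routing -> authorization, anonymous: " + Run(null, correct));
        Console.WriteLine("routing -> authorization, Partner:   " + Run("Partner", correct));
        Console.WriteLine("authorization -> routing, anonymous: " + Run(null, misordered));
    }
}
```

The last line is the case from the question: the anonymous request reaches the endpoint because the authorization step ran before any endpoint had been selected.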