AuthorizeFilter sets null Identity #2534

leastprivilege · 2015-05-09T18:57:56Z

I think you have a bug here:

Mvc/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeFilter.cs

Lines 35 to 47 in 64e726d

    
           // Build a ClaimsPrincipal with the Policy's required authentication types 
        
           if (Policy.ActiveAuthenticationSchemes != null && Policy.ActiveAuthenticationSchemes.Any()) 
        
           { 
        
               var newPrincipal = new ClaimsPrincipal(); 
        
               foreach (var scheme in Policy.ActiveAuthenticationSchemes) 
        
               { 
        
                   var result = (await context.HttpContext.Authentication.AuthenticateAsync(scheme))?.Principal; 
        
                   if (result != null) 
        
                   { 
        
                       newPrincipal.AddIdentities(result.Identities); 
        
                   } 
        
               } 
        
               context.HttpContext.User = newPrincipal;

This will result in a null ClaimsPrincipal.Identity when the user is not authenticated.

You rather want to create an Identity that is not authenticated.

danroth27 · 2015-05-11T16:51:48Z

@blowdart Can you take a look at this?

blowdart · 2015-05-11T16:53:00Z

I already pinged @HaoK.

Fixes #2534

HaoK · 2015-05-13T23:40:23Z

1ea1cc4

vcsjones · 2015-05-26T12:22:39Z

Is the milestone for this still beta5?

danroth27 · 2015-05-26T15:56:05Z

Yup, the fix is in beta5.

leastprivilege mentioned this issue May 9, 2015

Authorization now includes code configured policy support. aspnet/Announcements#22

Closed

danroth27 added bug 1 - Ready labels May 11, 2015

danroth27 added this to the 6.0.0-beta5 milestone May 11, 2015

danroth27 removed this from the 6.0.0-beta5 milestone May 11, 2015

danroth27 removed 1 - Ready bug labels May 11, 2015

HaoK added a commit that referenced this issue May 12, 2015

AuthorizeFilter should always set a default identity

6460acb

Fixes #2534

HaoK mentioned this issue May 12, 2015

AuthorizeFilter should always set a default identity #2552

Closed

HaoK closed this as completed May 13, 2015

danroth27 added this to the 6.0.0-beta5 milestone May 26, 2015

danroth27 added bug 3 - Done labels May 26, 2015

danroth27 assigned HaoK May 26, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AuthorizeFilter sets null Identity #2534

AuthorizeFilter sets null Identity #2534

leastprivilege commented May 9, 2015

danroth27 commented May 11, 2015

blowdart commented May 11, 2015

HaoK commented May 13, 2015

vcsjones commented May 26, 2015

danroth27 commented May 26, 2015

AuthorizeFilter sets null Identity #2534

AuthorizeFilter sets null Identity #2534

Comments

leastprivilege commented May 9, 2015

danroth27 commented May 11, 2015

blowdart commented May 11, 2015

HaoK commented May 13, 2015

vcsjones commented May 26, 2015

danroth27 commented May 26, 2015