AuthorizeFilter prevents unauthenticated requests to be handled by IAuthorizationService #4287
Comments
|
By design. Why go into policies when you don't have an identity to evaluate anyway? |
Bad design then. The authorization service is already responsible of determining whether unauthenticated requests (= no principal/identity) are acceptable or not depending on the specific policy that applies, so there's no reason to have a duplicated logic in MVC. What's the whole point of |
|
For example you can have a requirement to grant or deny access by IP address only or you may grant guest users access in restricted hours. Conceptually, in real world, there are situations that we are authorized to do things without being identified. |
|
For your IP example you're now attempt to authorize on something that isn't an identity at all. So you either write an authentication middleware which builds an identity from an IP address, or you go the filter route. |
|
This authentication vs. authorization has always been controversial. I've seen systems using IP, MAC address or computer name to identify and authorize group of users (e.g. Kiosk devices). Considering the modular nature of AspNetCore, it does not make sense if MVC handles security, since the security project can take care of it very well. In fact unauthenticated users have their own identity which is Anonymous. Lets have security project take care of them. The following code block functionality in the // Allow Anonymous skips all authorization
if (context.Filters.Any(item => item is IAllowAnonymousFilter))
{
return;
} |
Still no answer to this crucial question, it's a bit worrying IMHO. |
|
[Authorize] with nothing else specified uses the default policy of requiring any authenticated user. So this requirement and method exists mostly for that scenario |
|
But isn't the authorization filter always rejecting unauthenticated requests without invoking the authorization service no matter if you specify a policy? |
|
Yeah the authorize filter probably shouldn't do that explicit check and leave that to the Authorization service. This seems like a legit bug to fix. |
|
It would be a regression, yes. However you could address that by making the plain [Authorize] always just check for authenticated users. As we didn't have a policy in previous versions it's arguable we can make the behaviour there what we like. |
|
@blowdart well, AFAIK, that's how it works with the current bits: when |
|
Empty authorize already requires authenticated users by default I believe. |
|
Yup, I am just emphasising that can't change. |
|
I think the default behavior is to require authentication, so |
|
Right, just plain |
|
So is this bug ok to close, then? |
|
Not really, the zealous check in the MVC authorization filter still needs to be removed.
|
|
Yeah my PR removes the preemptive check that blocks the AuthZ service from even being checked since unauthenticated requests never make it out of the filter |
|
Yeah its a pretty straight forward change, so just need a sign off and I can merge |
|
I am confused by Pinpoint's point on #4385 |
|
@blowdart what's confusing... my remark about the fact MVC always uses |
|
Oh that's what you were talking about? Hah, no, I actually like that. Devs don't need to think about what the right status code is. |
|
Maybe, but it's both nonsensical and incorrect:
|
|
Nothing stops you from return a 401 or a 403 though. Is the name the problem? |
|
And BTW, users wouldn't have to think about the right status code if the authorization stack was better designed. |
Well, try it: calling |
|
That results in infinite auth loops. |
Current implementation of
AuthorizeFilteronly callsIAuthorizationService.AuthorizeAsyncwhen request is authenticated.https://github.com/aspnet/Mvc/blob/dev/src/Microsoft.AspNetCore.Mvc.Core/Internal/AuthorizeFilter.cs#L78
I think
DenyAnonymousAuthorizationRequirementshould be used instead, otherwise there is no way to use authorization requirements without being authenticated.The text was updated successfully, but these errors were encountered: