aspnet · HaoK · May 12, 2015 · May 13, 2015 · kirthik · May 13, 2015
diff --git a/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeFilter.cs b/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeFilter.cs
@@ -44,6 +44,11 @@ public virtual async Task OnAuthorizationAsync([NotNull] AuthorizationContext co
                         newPrincipal.AddIdentities(result.Identities);
                     }
                 }
+                // If all schemes failed authentication, provide a default identity anyways
+                if (newPrincipal.Identity == null)
+                {
+                    newPrincipal.AddIdentity(new ClaimsIdentity());
+                }
                 context.HttpContext.User = newPrincipal;
             }
 

diff --git a/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeFilterTest.cs b/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeFilterTest.cs
@@ -87,6 +87,20 @@ public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
             Assert.Null(authorizationContext.Result);
         }
 
+        [Fact]
+        public async Task Invoke_AuthSchemesFailShouldSetEmptyPrincipalOnContext()
+        {
+            // Arrange
+            var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Fails").RequireAuthenticatedUser().Build());
+            var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
+
+            // Act
+            await authorizeFilter.OnAuthorizationAsync(authorizationContext);
+
+            // Assert
+            Assert.NotNull(authorizationContext.HttpContext.User?.Identity);
+        }
+
         [Fact]
         public async Task Invoke_SingleValidClaimShouldSucceed()
         {
@@ -303,6 +317,7 @@ private AuthorizationContext GetAuthorizationContext(Action<ServiceCollection> r
             httpContext.SetupGet(c => c.RequestServices).Returns(serviceProvider);
             auth.Setup(c => c.AuthenticateAsync("Bearer")).ReturnsAsync(new AuthenticationResult(bearerPrincipal, new AuthenticationProperties(), new AuthenticationDescription()));
             auth.Setup(c => c.AuthenticateAsync("Basic")).ReturnsAsync(new AuthenticationResult(basicPrincipal, new AuthenticationProperties(), new AuthenticationDescription()));
+            auth.Setup(c => c.AuthenticateAsync("Fails")).ReturnsAsync(null);
 
             // AuthorizationContext
             var actionContext = new ActionContext(