aspnet · HaoK · Mar 30, 2016 · May 23, 2016 · kevinchalet · Mar 30, 2016
diff --git a/src/Microsoft.AspNetCore.Mvc.Core/Authorization/AuthorizeFilter.cs b/src/Microsoft.AspNetCore.Mvc.Core/Authorization/AuthorizeFilter.cs
@@ -39,7 +39,7 @@ public AuthorizeFilter(AuthorizationPolicy policy)
         public AuthorizationPolicy Policy { get; }
 
         /// <inheritdoc />
-        public virtual async Task OnAuthorizationAsync(Filters.AuthorizationFilterContext context)
+        public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
         {
             if (context == null)
             {
@@ -76,9 +76,7 @@ public virtual async Task OnAuthorizationAsync(Filters.AuthorizationFilterContex
             var authService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
 
             // Note: Default Anonymous User is new ClaimsPrincipal(new ClaimsIdentity())
-            if (httpContext.User == null ||
-                !httpContext.User.Identities.Any(i => i.IsAuthenticated) ||
-                !await authService.AuthorizeAsync(httpContext.User, context, Policy))
+            if (!await authService.AuthorizeAsync(httpContext.User, context, Policy))
             {
                 context.Result = new ChallengeResult(Policy.AuthenticationSchemes.ToArray());
             }

diff --git a/test/Microsoft.AspNetCore.Mvc.Core.Test/Authorization/AuthorizeFilterTest.cs b/test/Microsoft.AspNetCore.Mvc.Core.Test/Authorization/AuthorizeFilterTest.cs
@@ -26,6 +26,21 @@ public void InvalidUser()
             Assert.True(authorizationContext.HttpContext.User.Identities.Any(i => i.IsAuthenticated));
         }
 
+        [Fact]
+        public async Task AuthorizeFilterCanAuthorizeNonAuthenticatedUser()
+        {
+            // Arrange
+            var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build());
+            var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization(), anonymous: true);
+            authorizationContext.HttpContext.User = new ClaimsPrincipal();
+
+            // Act
+            await authorizeFilter.OnAuthorizationAsync(authorizationContext);
+
+            // Assert
+            Assert.Null(authorizationContext.Result);
+        }
+
         [Fact]
         public async Task Invoke_ValidClaimShouldNotFail()
         {