[2.0] Adding ` [AllowAnonymous]` does not allow Anonymous requests
garaydev opened this issue · 1 comments
garaydev commented
Hello RESTier Team!
We have an API that uses a global filter to require authenticated requests. However, adding the [AllowAnonymous]
attribute on RESTier API methods does not allow anonymous users to invoke the method.
Assemblies affected
Microsoft.Restier.AspNetCore
- 1.0.0-rc8.20220714.1
Reproduce steps
- Add an AllowAnonymous attribute to any ApiBase class.
- Now attempt to access any base controller and it will require authentication.
Expected result
Adding AllowAnonymous would allow the global Index API surface to not require valid credentials and/or Claims to be present.
Actual result
The method still requires authentication.
robertmclaws commented
We will need to have a set of AuthorizationHandlers that check for the AllowAnonymous attribute on convention-based methods before executing them.