OData/RESTier

[2.0] Adding `[AllowAnonymous]` does not allow Anonymous requests

garaydev opened this issue · 1 comments

Hello RESTier Team!

We have an API that uses a global filter to require authenticated requests. However, adding the [AllowAnonymous] attribute on RESTier API methods does not allow anonymous users to invoke the method.

Assemblies affected

Microsoft.Restier.AspNetCore

  • 1.0.0-rc8.20220714.1

Reproduce steps

  1. Add an AllowAnonymous attribute to any ApiBase class.
  2. Now attempt to access any base controller and it will require authentication.

Expected result

Adding AllowAnonymous would allow the global Index API surface to not require valid credentials and/or Claims to be present.

Actual result

The method still requires authentication.

We will need to have a set of AuthorizationHandlers that check for the AllowAnonymous attribute on convention-based methods before executing them.
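
One way such a handler could look, as an added example that is not RESTier code and not from the issue's participants. It assumes the caller has already resolved the convention-based method and passes its `MethodInfo` as the authorization resource; `AllowAnonymousMethodHandler` and `ConventionMethodGate` are hypothetical names.

```csharp
using System.Linq;
using System.Reflection;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical handler. Register it with:
//   services.AddSingleton<IAuthorizationHandler, AllowAnonymousMethodHandler>();
public sealed class AllowAnonymousMethodHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        // Act only when the resource is a reflected method (assumption: the
        // caller supplies it). Any other resource is left untouched, so normal
        // endpoint authorization is not widened by this handler.
        if (context.Resource is MethodInfo method && AllowsAnonymous(method))
        {
            // Copy first: Succeed() removes items from PendingRequirements.
            foreach (var requirement in context.PendingRequirements.ToList())
            {
                context.Succeed(requirement);
            }
        }
        return Task.CompletedTask;
    }

    // True when [AllowAnonymous] is on the method or on its declaring class.
    public static bool AllowsAnonymous(MethodInfo method) =>
        method.IsDefined(typeof(AllowAnonymousAttribute), inherit: true)
        || (method.DeclaringType?.IsDefined(typeof(AllowAnonymousAttribute), inherit: true) ?? false);
}

// Hypothetical call site: evaluate the policy against the method before invoking it.
public static class ConventionMethodGate
{
    public static async Task<bool> MayInvokeAsync(
        IAuthorizationService authorization,
        ClaimsPrincipal user,
        MethodInfo conventionMethod,
        string policyName)
    {
        var result = await authorization.AuthorizeAsync(user, conventionMethod, policyName);
        return result.Succeeded;
    }
}
```

A handler that calls `context.Fail()` still overrides this one, so explicit denials stay in force. A global filter that rejects the request before the method is resolved would also have to defer to this check.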