mattfrear/Swashbuckle.AspNetCore.Filters

AllowAnonymousAttribute Should Set Security To Optional If AuthorizationAttribute also present

First issue to this repo, so I hope I have included the needed information for my proposal. I am unsure of corporate policy for contributing to libraries like this, or I would send a PR.

Issue

The OpenAPI V3 spec supports optional authentication, meaning that authentication can happen but is not required. Unfortunately, there is no "out of the box" implementation of this feature.

Related Issue

A custom class cannot be created and fed to SecurityRequirementsOperationFilter<T> if the endpoint has an "AllowAnonymousAttribute", since that stops all further processing.

Ideal Proposal

If a class has both and "AllowAnonymousAttribute":

  • Add the security scheme as currently done.
  • Add an empty security scheme.
  • If includeUnauthorizedAndForbiddenResponses is true, only add the "Forbidden" response.

Alternate Proposal

Use a constructor parameter to determine if the "AllowAnonymousAttribute" check runs. Same as how includeUnauthorizedAndForbiddenResponses works now.

Hello
Sorry for the slow reply. I wouldn't want to change the existing behaviour, so your alternate proposal to supply a constructor parameter sounds like the correct approach. It should be a small change.