Confusing logic of [Authorize(Policy = xxx)]

[LeaFrock]

Suppose I have 2 auth policies(P1 & P2) in the project, I also have a controller which has many actions and only one uses 'P2'.

The codes are like the following,

[Authorize(Policy = "P1")]
public class MyController
{
    // special action
    [HttpGet]
    [Authorize(Policy = "P2")]
    public IActionResult MyApi() { ... }

    // other actions
    // ...
}

I thought the attribute on method will overwrite the other one on controller. But I'm wrong.

It seems that the authz of MyApi turns out to be a combination of "P1" and "P2".

However, if I use [AllowAnonymous] on method MyApi, this attribute will overwrite "P1" of controller.

Is it by design? I think it shall be documented.

If someone can explain, I'll appreciate it.

[david-acker]

To my knowledge, these [Authorize] attributes are indeed designed to work additively when used this way. Although after a quick search, I wasn't able to find this explicitly mentioned in the docs. I'll enter a ticket in dotnet/AspNetCore.Docs to get some documentation added for this.

The [AllowAnonymous] attribute should then bypass any [Authorize] attributes:

Simple authorization in ASP.NET Core

[AllowAnonymous] bypasses authorization statements. If you combine [AllowAnonymous] and an [Authorize] attribute, the [Authorize] attributes are ignored. For example if you apply [AllowAnonymous] at the controller level:

• Any authorization requirements from [Authorize] attributes on the same controller or action methods on the controller are ignored.
• Authentication middleware is not short-circuited but doesn't need to succeed.

Edit: dotnet/AspNetCore.Docs issue for reference
Request: mention that [Authorize] attributes are additive #29802

[LeaFrock]

Thanks for your reply!

So the question changes, what should I do if I just want to overwrite P1 with P2? Shall you have any ideas?

For example, my controller has many actions using P1, and I need to add only few actions requiring P2.

[Authorize(Policy = "P1")]
public class MyController
{
    [HttpGet]
    public IActionResult MyAction1() { ... }
    // ....
    [HttpGet]
    public IActionResult MyAction30() { ... }
}

Now it seems that I have to remove the P1 attribute from Controller and write P1/P2 on every action for many times.

-[Authorize(Policy = "P1")]
public class MyController
{
    [HttpGet]
+ [Authorize(Policy = "P1")]
    public IActionResult MyAction1() { ... }
    //....
    [HttpGet]
+ [Authorize(Policy = "P1")]
    public IActionResult MyAction30() { ... }

    [HttpGet]
+ [Authorize(Policy = "P2")]
    public IActionResult MyAction31() { ... }
}

That could be a huge work.

[david-acker]

Hmm, apart from moving the P1 endpoints and P2 endpoints to separate controllers, I'm unfortunately not aware of any alternatives that would involve actually overriding P1 with P2 on the same controller.

[guardrex]

Hello @LeaFrock and @david-acker ... Note that the docs 🐈🐈🐈 don't track doc requests here. This item will be addressed per your, @david-acker, issue, but note that the best way to open issues for the docs team is to use the This page feedback button and form at the bottom of the English-US topic. Use of the This page feedback form adds metadata to the GitHub issue that cross-links the topic and automatically pings the author.