Bypass Authorize Attribute in .Net Core for Release Version

Is there a way to "bypass" authorization in asp.net core? I noticed that the Authorize attribute no longer has an AuthorizeCore method which you could use to make decisions on whether or not to proceed with auth.

Pre .net core you could do something like this:

protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    // no auth in debug mode please
    #if DEBUG
       return true;
    #endif

    return base.AuthorizeCore(httpContext);
}

I hope I'm not missing something blatantly obvious, but it would be nice to be able to skip the auth workflow in DEBUG if needed. I just haven't been able to find it for .net core.

asked Aug 01 '16 18:08

SteveT


4 Answers

Just adding an anonymous filter could do the trick, simple and easy.

   services.AddMvc(opts =>
   {
      opts.Filters.Add(new AllowAnonymousFilter());
   });

Ref: https://www.illucit.com/asp-net/asp-net-core-2-0-disable-authentication-development-environment/

answered Dec 09 '22 15:12

John_J


As pointed out in the comments, you can create a base class for all your requirement handlers.

public abstract class RequirementHandlerBase<T> : AuthorizationHandler<T> where T : IAuthorizationRequirement
{
    protected sealed override Task HandleRequirementAsync(AuthorizationHandlerContext context, T requirement)
    {
#if DEBUG
        context.Succeed(requirement);

        return Task.FromResult(true);
#else
        return HandleAsync(context, requirement);
#endif
    }

    protected abstract Task HandleAsync(AuthorizationHandlerContext context, T requirement);
}

Then derive your requirement handlers from this base class.

public class AgeRequirementHandler : RequirementHandlerBase<AgeRequirement>
{
    // Runs only in non-DEBUG builds; the base class succeeds every requirement under DEBUG.
    protected override Task HandleAsync(AuthorizationHandlerContext context, AgeRequirement requirement)
    {
        ... 
    }
}

public class AgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; set; }
}

And then just register it.

services.AddAuthorization(options =>
{
    options.AddPolicy("Over18",
                      policy => policy.Requirements.Add(new AgeRequirement { MinimumAge = 18 }));
});

answered Dec 09 '22 16:12

Tseng


For someone who still needs to get the fake User object, the solution below can do the trick:

app.Use(async (context, next) =>
{
    context.User = new System.Security.Claims.ClaimsPrincipal(new ClaimsIdentity(new Claim[]
    {
        new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Guid.NewGuid().ToString()),
    }, "test"));
    await next.Invoke();
});

app.UseMvc();

The solution should just work if the DefaultScheme is "Cookies".

answered Dec 09 '22 15:12

Charlie


You can define your own handler that disables authorization:

public class DisableAuthorizationHandler<TRequirement> : AuthorizationHandler<TRequirement>
    where TRequirement : IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement)
    {
        context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

and then register it:

public void ConfigureServices(IServiceCollection services)
{
    //...
#if DEBUG
    services.AddTransient<IAuthorizationHandler, DisableAuthorizationHandler<IAuthorizationRequirement>>();
#endif
    //...
}

answered Dec 09 '22 16:12

Roman Sydorenko
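
A startup guard for the risk named in this page's title, a debug-only bypass reaching a release deployment; it covers the global AllowAnonymousFilter and the DisableAuthorizationHandler approaches from the answers above. This is an added example, not code from any of the answers: AuthBypassGuard and EnsureNoAuthBypass are hypothetical names, and it assumes ASP.NET Core 3.0 or later (IHostEnvironment).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;

// Hypothetical helper (not part of ASP.NET Core): refuses to start a
// non-Development host that still has an authorization bypass wired in.
public static class AuthBypassGuard
{
    public static void EnsureNoAuthBypass(IServiceProvider services, params Type[] bypassHandlerTypes)
    {
        var env = services.GetRequiredService<IHostEnvironment>();
        if (env.IsDevelopment()) return; // bypasses are tolerated only here
        var findings = new List<string>();

        // A global AllowAnonymousFilter, added as an instance or by type.
        var mvc = services.GetService<IOptions<MvcOptions>>()?.Value;
        if (mvc != null && mvc.Filters.Any(f => f is AllowAnonymousFilter ||
                (f is TypeFilterAttribute t && t.ImplementationType == typeof(AllowAnonymousFilter))))
            findings.Add("global AllowAnonymousFilter in MvcOptions.Filters");

        // Handlers that succeed every requirement, matched by exact or open generic type.
        using (var scope = services.CreateScope())
            foreach (var handler in scope.ServiceProvider.GetServices<IAuthorizationHandler>())
            {
                var type = handler.GetType();
                var open = type.IsGenericType ? type.GetGenericTypeDefinition() : type;
                if (bypassHandlerTypes.Contains(type) || bypassHandlerTypes.Contains(open))
                    findings.Add("authorization handler " + type.FullName);
            }

        if (findings.Count > 0)
            throw new InvalidOperationException(
                "Authorization bypass present in environment '" + env.EnvironmentName +
                "': " + string.Join("; ", findings));
    }
}

// Usage in Program.cs, after building the host and before running it:
//   AuthBypassGuard.EnsureNoAuthBypass(app.Services, typeof(DisableAuthorizationHandler<>));
```

The guard does not see the middleware from the third answer, which replaces context.User directly; that one has to be kept out of release builds by the same `#if DEBUG` or environment check that wraps its registration.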