Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to protect all controllers by default with bearer token in ASP.NET Core?

Tags:

I have added a JWT middleware to my application:

app.UseJwtBearerAuthentication(options => { options.AutomaticAuthenticate = true;} )

No the funny thing is that it throws 500 exception (should be changed to 401 in later releases) for ALL actions, even those that are not protected at all (don't have authorize attribute). It seems to me that this is wrong but maybe I am doing something wrong myself.

Ideally what I want to achieve is that all actions are protected by default (there were filters for that in previous ASP.NET), and I will put Anonymous on those that I want public or perhaps Authorize("SomePolicy") if I want additional policies, but I want that without a token the API cannot be accessed at all. How do I do this in the new ASP.NET (I know I can inherit from some controller with this attribute, but I hope there is a better way of doing it)?

like image 906
Ilya Chernomordik Avatar asked Jan 25 '16 14:01

Ilya Chernomordik

People also ask

What is the default type of authentication for ASP.NET Core MVC?

AuthenticationScheme by default, though a different name could be provided when calling AddCookie ). In some cases, the call to AddAuthentication is automatically made by other extension methods. For example, when using ASP.NET Core Identity, AddAuthentication is called internally.

How does Authorize attribute work in ASP.NET Core?

Authorization in ASP.NET Core is controlled with AuthorizeAttribute and its various parameters. In its most basic form, applying the [Authorize] attribute to a controller, action, or Razor Page, limits access to that component to authenticated users. Now only authenticated users can access the Logout function.

How do I override an authorized attribute in .NET Core?

Right-click on the solution and add a new class. Enter the class name and click on Add. Next Inherite Attribute, IAuthorizationFilter to CustomAuthorization class which has overridden the OnAuthorization method.

Which attribute will ensure that all users can access a specific controller action?

One of the new features in ASP.NET MVC 4 is the AllowAnonymous Attribute that helps you secure an entire ASP.NET MVC 4 Website or Controller while providing a convenient means of allowing anonymous users access to certain controller actions, like the login and register Actions.

1 Answers

Starting with .Net 6 we can do this (if using minimal hosting model recommended by Microsoft):

app.MapControllers().RequireAuthorization();

Starting with .Net Core 3 we can do this:

app.UseEndpoints(endpoints => {     endpoints         .MapControllers()         .RequireAuthorization(); // This will set a default policy that says a user has to be authenticated });

It is possible to change default policy or add a new policy and use it as well.

P.S. Please note that even though the method name says "Authorization", by default it will only require that the user is Authenticated. It is possible to add more policies to extend the validation though.

like image 101
Ilya Chernomordik Avatar answered Nov 03 '22 15:11

Ilya Chernomordik
Sign in to Comment

Related questions

d3.js - How can I set the cursor to hand when mouseover these elements on SVG container?
Create C# .sln file with Visual Studio Code
How can I version bump all my dependencies?
React Navigation get stack header height
Buffer implementing io.WriterAt in go
Laravel File Storage delete all files in directory
How to downgrade tensorflow version in colab?
java.lang.IllegalArgumentException: Parameter 'directory' is not a directory in android
how to get text inside div in puppeteer
How do I translate 8bit characters into 7bit characters? (i.e. Ü to U)
How is SharePoint perceived in your company? [closed]
Reading and displaying data from a .txt file

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!