Quickstarts ASP.NET Core Web API v2.0: Authorization; config differences results in always authorized

[codermrrob]

When configuring middleware as well described in the quickstart tutorial:

configuring Mvc services in ConfigureServices(IServiceCollection services) with full Mvc with the line services.AddMvc() works fine.

If only Mvc core is required and configured with services.AddMvcCore() then this results in a situation where authorization is always granted to all endpoints.

The solution is straightforward and we also need to add in authorization at this point with:

services.AddMvcCore()
     .AddAuthorization();

and authorization will work correctly.

This can be a small addition to the quickstart and can save many hours of time, or worse.

[cocojoe]

@damieng does this add value, make sense to add?

[damieng]

Yes, I'm surprised .AddAuthorization wasn't in the quick-start already.

[cocojoe]

@damieng was this added? not clear if you were taking action. If so please close this issue when confirmed.

[damieng]

Where are you seeing AddMvcCore in the quickstarts? I can only see AddMvc which includes Authorization functionality and doesn't need it brought in separately.