Open slowjams opened 1 week ago
The requirement DenyAnonymousAuthorizationRequirement
is missing from your policy. You can call RequireAuthenticatedUser
to add it:
```csharp
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AtLeast18",
        policyBuilder =>
        {
            // Adds DenyAnonymousAuthorizationRequirement, which fails for an anonymous principal
            policyBuilder.RequireAuthenticatedUser();
            policyBuilder.Requirements.Add(new MinimumAgeRequirement(18));
        });
});
```
Thanks for contacting us.
Did you get a chance to validate @joegoldman2's suggestion above? That seems reasonable.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.
See our Issue Management Policies for more information.
Is there an existing issue for this?
Describe the bug
https://source.dot.net/#Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs,99
I believe the logic is wrong here: if authorization passes while authentication doesn't, the response is 200, not 401.
e.g. an endpoint accessed by an unauthenticated user below
Despite the mistake made by the junior developer, I would still expect the response to be 401 rather than 200.
Expected Behavior
The response to be 401 rather than 200
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
.NET 8
Anything else?
No response
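To make the behaviour reported above (and the fix @joegoldman2 suggests) concrete, here is an added, self-contained .NET 8 app that is not code from this issue or from dotnet/aspnetcore. It mounts the same endpoint twice: once under a policy that carries only the age requirement, once under a policy that also calls RequireAuthenticatedUser. The "Header" authentication scheme (any request with an `X-Demo-User` header is treated as signed in), the endpoint paths and the specific shape of the "junior developer mistake" (a handler that treats a missing DateOfBirth claim as a pass) are assumptions made for this demo.

```csharp
// Program.cs: an added example, not code from the issue or from dotnet/aspnetcore.
// Assumes .NET 8 (C# 12) and an ad-hoc "Header" authentication scheme in which
// any request carrying "X-Demo-User: <name>" counts as authenticated.
using System.Globalization;
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("Header")
    .AddScheme<AuthenticationSchemeOptions, HeaderAuthHandler>("Header", _ => { });
builder.Services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();

builder.Services.AddAuthorization(options =>
{
    // Weak policy: only the age requirement. PolicyEvaluator.AuthorizeAsync
    // returns Success as soon as every requirement succeeds and does not look
    // at AuthenticateResult, so an anonymous request reaches the endpoint (200)
    // whenever the handler succeeds for the anonymous principal.
    options.AddPolicy("AtLeast18-Weak", policy =>
        policy.Requirements.Add(new MinimumAgeRequirement(18)));

    // Hardened policy: RequireAuthenticatedUser adds
    // DenyAnonymousAuthorizationRequirement, which fails for an anonymous
    // principal; the evaluator then falls through to Challenge (401) because
    // authentication did not succeed.
    options.AddPolicy("AtLeast18", policy =>
    {
        policy.RequireAuthenticatedUser();
        policy.Requirements.Add(new MinimumAgeRequirement(18));
    });
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/weak", () => "ok").RequireAuthorization("AtLeast18-Weak");
app.MapGet("/strict", () => "ok").RequireAuthorization("AtLeast18");

app.Run();

public sealed class MinimumAgeRequirement(int minimumAge) : IAuthorizationRequirement
{
    public int MinimumAge { get; } = minimumAge;
}

// One assumed form of the "junior developer mistake" from the report: a user
// with no DateOfBirth claim (which includes the anonymous principal) is treated
// as old enough, so the requirement succeeds for everyone.
public sealed class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dob = context.User.FindFirst(ClaimTypes.DateOfBirth)?.Value;
        if (dob is null)
        {
            context.Succeed(requirement); // BUG: a missing claim counts as a pass
        }
        else if (DateTime.Parse(dob, CultureInfo.InvariantCulture)
                     .AddYears(requirement.MinimumAge) <= DateTime.Today)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Demo-only scheme that trusts a request header; never use this outside a demo.
public sealed class HeaderAuthHandler(
    IOptionsMonitor<AuthenticationSchemeOptions> options,
    ILoggerFactory logger,
    UrlEncoder encoder)
    : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
{
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue("X-Demo-User", out var name))
        {
            return Task.FromResult(AuthenticateResult.NoResult());
        }
        var identity = new ClaimsIdentity(
            new[]
            {
                new Claim(ClaimTypes.Name, name.ToString()),
                new Claim(ClaimTypes.DateOfBirth, "1990-01-01"),
            },
            Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

Run it with `dotnet run` and compare `curl -i http://localhost:5000/weak` (200, because the only requirement succeeds for the anonymous principal and the evaluator never consults the failed AuthenticateResult) with `curl -i http://localhost:5000/strict` (401, because DenyAnonymousAuthorizationRequirement fails and the evaluator issues a challenge). Sending `-H "X-Demo-User: alice"` yields 200 on both. The takeaway is the one in the suggestion above: authentication is not implied by a policy; a policy has to state it with RequireAuthenticatedUser (or by setting a FallbackPolicy that does), and a handler should never succeed on a missing claim.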