dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License
35.19k stars 9.93k forks

AddHealthChecks() doesn't work with AllowAnonymous in dotnet 8 #56789

Open anirugu opened 1 month ago

anirugu commented 1 month ago

Is there an existing issue for this?

Describe the bug

app.MapHealthChecks("/Ramesh/Suresh").AllowAnonymous();

The app I am working on has an endpoint which should statically return "Health" in the response so the UI is aware that the backend is running fine. The expectation is that the health endpoint is called without passing a token.

I have added an authentication scheme to the application. The problem is that this authentication handler code is called when someone calls the health or swagger endpoint.

I am expecting it to allow these endpoints without authentication. The response coming from the health endpoint is "Healthy", which means the authentication code is not able to stop it; in the logs it's written as "Can't authenticate", but in actuality the user is able to see the response.

So authentication is not working, and the user gets the response. My expectation is that when AllowAnonymous is called, it should not go to the authentication code.

Expected Behavior

AllowAnonymous() doesn't make this code bypass the authentication code. Even without it, it goes to the authentication code and the auth code is not able to stop it. The response is coming even when there is nothing in the header. The expectation is that it works either this way or that way.

AllowAnonymous() should be able to bypass it. If the default behavior is to authenticate the request, then it should fail rather than give a response even without a token in the header.

Steps To Reproduce

Use both authentication and MapHealthChecks().

Exceptions (if any)

NA

.NET Version

8.0.206

Anything else?

NA

BrennanConroy commented 1 month ago

This is by design. AuthN still runs so the HttpContext.User property can be populated even if AuthZ will ignore auth requirements due to AllowAnonymous. This is so user code can still look at the User property if it wants to do its own AuthZ or for any other reasons.
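The following minimal API program is an added example illustrating the behavior described in this thread; it is not code from the issue reporter or from the aspnetcore repository. It wires a custom authentication handler that logs every time it runs, maps a health endpoint with AllowAnonymous, and sets a fallback authorization policy so that every other endpoint requires an authenticated user. The scheme name "Token", the header name X-Api-Token, the demo token value and the endpoint paths are all assumptions for the example.

```csharp
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHealthChecks();

// Custom scheme: the handler below runs on every request once UseAuthentication is in the pipeline.
builder.Services.AddAuthentication("Token")
    .AddScheme<AuthenticationSchemeOptions, TokenHandler>("Token", displayName: null);

// Fallback policy: endpoints with no explicit authorization metadata require an authenticated user.
// Without this (or RequireAuthorization on the endpoint) an endpoint has no requirement to enforce,
// so a failed authentication result never turns into a 401.
builder.Services.AddAuthorizationBuilder()
    .SetFallbackPolicy(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());

var app = builder.Build();

app.UseAuthentication();   // populates HttpContext.User for every request, AllowAnonymous or not
app.UseAuthorization();    // enforces requirements; skipped for endpoints carrying AllowAnonymous

// Reachable without a token. TokenHandler still executes and logs, but AuthZ ignores its result.
app.MapHealthChecks("/health").AllowAnonymous();

// Anonymous endpoint that shows the populated User; this is why AuthN still runs for AllowAnonymous.
app.MapGet("/whoami", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? $"authenticated as {ctx.User.Identity.Name}"
        : "anonymous").AllowAnonymous();

// No AllowAnonymous: the fallback policy applies, so a missing or wrong token yields 401.
app.MapGet("/secure", (ClaimsPrincipal user) => $"hello {user.Identity?.Name}");

app.Run();

// Assumed demo handler: accepts a single hard-coded token presented in the X-Api-Token header.
// A real handler would validate a signed token or look the value up in a credential store.
sealed class TokenHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private const string HeaderName = "X-Api-Token";
    private static readonly byte[] ExpectedToken = Encoding.UTF8.GetBytes("demo-token-do-not-use-in-production");

    public TokenHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
                        ILoggerFactory logger,
                        UrlEncoder encoder)
        : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // This log line appears for /health as well, matching the behavior reported in the issue.
        Logger.LogInformation("TokenHandler ran for {Path}", Request.Path);

        if (!Request.Headers.TryGetValue(HeaderName, out var presented))
            return Task.FromResult(AuthenticateResult.NoResult());

        // Constant-time comparison so token checking does not leak length or prefix information.
        var presentedBytes = Encoding.UTF8.GetBytes(presented.ToString());
        if (!CryptographicOperations.FixedTimeEquals(presentedBytes, ExpectedToken))
            return Task.FromResult(AuthenticateResult.Fail("Can't authenticate"));

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "demo-user") }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

With this setup, a request to /health with no header returns 200 "Healthy" and the handler's log line still appears, because AllowAnonymous suppresses the authorization requirement rather than the authentication middleware. A request to /secure with no header returns 401, and one with a valid X-Api-Token returns 200. The /whoami endpoint shows the other half of the design: an anonymous endpoint can still read HttpContext.User and branch on whether the caller authenticated.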