JWT Authentication .Net core [Authorize] Attribute Ignored by Controller-CodePudding

I'm trying to implement JWT based authentication in my App that has an Angular 8 Frontend and .Net Core Backend. I have added

 app.UseAuthentication();
 app.UseAuthorization();

and

services.AddAuthentication(opt =>

in the startup class.I have decorated the controller method using the [Authorize] attribute. But when i try to hit the controller method without any tokens it allows entry into the controller method.

StartUp

public class Startup
    {
        public Startup(IConfiguration configuration)
        {
     
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            var jwtSettings = Configuration.GetSection("JwtSettings");
            services.AddAuthentication(opt =>
            {
                opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = jwtSettings.GetSection("validIssuer").Value,
                    ValidAudience = jwtSettings.GetSection("validAudience").Value,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.GetSection("securityKey").Value))
                };
            });
            services.AddSignalR();

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

            // In production, the Angular files will be served from this directory
            services.AddSpaStaticFiles(configuration =>
            {
                configuration.RootPath = "ClientApp/dist";
            });

            // requires using Microsoft.Extensions.Options
            services.Configure<DatabaseSettings>(
                Configuration.GetSection(nameof(DatabaseSettings)));

            services.AddSingleton<IDatabaseSettings>(sp =>
                sp.GetRequiredService<IOptions<DatabaseSettings>>().Value);

            services.AddSingleton<FileService>();

            services.AddSingleton<InternalReportService>();


            services.AddTransient<MailService>();
            services.AddMvc(option => option.EnableEndpointRouting = false);


        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            app.UseRouting();
            app.UseMvc();
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Error");
                app.UseHsts();
            }
            app.UseHttpsRedirection();
            app.UseStaticFiles();          
            app.UseAuthentication();
            app.UseAuthorization();             

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapHub<CoreHub>("/corehub");
                endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}");

            });

            app.UseSpa(spa =>
            {
                  
                spa.Options.SourcePath = "ClientApp";

                if (env.IsDevelopment())
                {
                    spa.UseProxyToSpaDevelopmentServer("http://localhost:4200");

                }
            });
        }
    }

Controller

[Authorize]
public async Task UploadFile(IFormFile file)
{
// Do Stuff
}

CodePudding user response：

According to Your authentication scheme, You should specify attribute this way: [Authorize(AuthenticationSchemes = "Bearer")] and this should work as You expect

CodePudding user response：

Well, you have configured the authentication part of your API, now you need to configure the authorization the same way...

You can configure like this:

 services.AddAuthorization(options =>
            {
                options.AddPolicy("Default", new AuthorizationPolicyBuilder()
                    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                    .RequireAuthenticatedUser()
                    .Build());

                options.AddPolicy("Admin", new AuthorizationPolicyBuilder()
                    .RequireRole("Admin")
                    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                    .RequireAuthenticatedUser()
                    .Build());
            });

Then you will be able to use the decorator as:

[Authorize("User")]
[Authorize("Admin")]

On both your controllers or specific endpoints.

If you wish to put this default policy on all your endpoints/controller and control only the "AllowAnonymous" part of if, you can do this:

 services.AddMvc()
            .AddMvcOptions(options =>
            {
                // Mark all endpoints with the default policy
                options.Filters.Add(new AuthorizeFilter("Default"));
            })

CodePudding user response：

I usually add DefaultSchema.

        services.AddAuthentication(opt =>
        {
            opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            opt.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        //...

and authorization.

        services.AddAuthorization(opts =>
        {
            opts.DefaultPolicy = new AuthorizationPolicyBuilder(opts.DefaultPolicy)
                  .RequireAuthenticatedUser()
        //...