Tags: asp.net-mvc, owin, azure-active-directory, openid-connect

[AllowAnonymous] is not working with Azure AD authentication


I have an ASP.NET MVC application in which I am using Azure AD authentication to authenticate the users. I want to allow users to access some of the API controllers without logging in. I tried putting the [AllowAnonymous] attribute on top of the controllers to exclude these controllers from authentication; however, it always redirects to the Microsoft login page for credentials. Code snippet from Startup.cs:

using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.WindowsAzure.ServiceRuntime;
using Owin;

// Enclosing class and usings added so the snippet compiles as posted;
// the auth configuration itself is unchanged.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        string clientId = GetConfigValue("ida_ClientId");
        // The next three settings are read but not used by the pipeline below.
        string aadInstance = GetConfigValue("ida_AADInstance");
        string tenant = GetConfigValue("ida_Tenant");
        string domain = GetConfigValue("ida_Domain");
        string authority = GetConfigValue("ida_Authority");
        string postLogoutRedirectUri = GetConfigValue("ida_RedirectUri");

        bool devEnvironment = Convert.ToBoolean(GetConfigValue("DevEnvironment"));

        // Sign-in results from the OpenID Connect handshake are persisted in the auth cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            CookieHttpOnly = true,
            // Only relax the Secure flag outside production.
            CookieSecure = devEnvironment ? CookieSecureOption.SameAsRequest : CookieSecureOption.Always,
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            RedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    // Escape the message: it is attacker-influenced and must not break the query string.
                    context.Response.Redirect("/Error?message=" + Uri.EscapeDataString(context.Exception.Message));
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Reads from the cloud-service role configuration when running in Azure,
    // otherwise falls back to web.config appSettings.
    private string GetConfigValue(string key)
    {
        if (RoleEnvironment.IsAvailable)
        {
            return RoleEnvironment.GetConfigurationSettingValue(key);
        }
        else
        {
            return ConfigurationManager.AppSettings[key];
        }
    }
}

Please let me know if I am missing anything. Thanks in advance.


Solution

  • This is expected behavior. Easy Auth is implemented as a native IIS module that runs in the same sandbox as your application. When enabled, every HTTP request dispatched to the IIS worker process must first pass through this module before your application code has a chance to react.

    The request will be dispatched to the web app unless it is authenticated, and [AllowAnonymous] will not work in this scenario. If you want to allow anonymous requests, you can implement the authentication using the OWIN component instead of using Easy Auth.

    Here is an example that protects MVC with the OpenID Connect component:

    active-directory-dotnet-webapp-openidconnect

    For more detail about Easy Auth, you can refer to CGillum's blog:

    Architecture of Azure App Service Authentication / Authorization
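The following is an added example, not code from the question, the answer or the linked sample, showing what the answer recommends: authentication enforced by the OWIN OpenID Connect middleware and the MVC / Web API authorization filters, with App Service Authentication (Easy Auth) switched off in the portal so no IIS module intercepts the request first. In this arrangement [AllowAnonymous] is honoured because the middleware only redirects to Azure AD when an [Authorize] filter has produced a 401; an anonymous action returns 200 and is never challenged. The client ID, authority and redirect URI are placeholders, the controller and route names are invented, and the attribute-routing call in WebApiConfig is assumed to be present. One caveat worth checking in the original question: on an ApiController the attributes must come from System.Web.Http, because the System.Web.Mvc versions are silently ignored by Web API.

```csharp
// Added example (not from the question or answer): OWIN-based auth where
// [AllowAnonymous] takes effect. Easy Auth must be disabled for the app.
using System.Web;
using System.Web.Http;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(AllowAnonymousExample.Startup))]

namespace AllowAnonymousExample
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                // Placeholder values; read them from configuration in a real app.
                ClientId = "00000000-0000-0000-0000-000000000000",
                Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com",
                RedirectUri = "https://app.example.invalid/",
                PostLogoutRedirectUri = "https://app.example.invalid/",
                // Default mode is Active: the middleware converts a 401 produced by
                // an [Authorize] filter into a redirect to Azure AD. Requests that
                // never hit a 401 (anonymous actions) pass straight through.
                AuthenticationMode = AuthenticationMode.Active
            });
        }
    }

    // Web API: use the System.Web.Http attributes. The controller is locked
    // down as a whole and individual actions are opened up explicitly.
    // Assumes config.MapHttpAttributeRoutes() in WebApiConfig.
    [System.Web.Http.Authorize]
    [RoutePrefix("api/status")]
    public class StatusController : ApiController
    {
        // Reachable without a session: no 401, so no redirect to the login page.
        [System.Web.Http.AllowAnonymous]
        [System.Web.Http.HttpGet, Route("ping")]
        public IHttpActionResult Ping()
        {
            return Ok("anonymous OK");
        }

        // Requires the auth cookie issued after the OpenID Connect sign-in.
        [System.Web.Http.HttpGet, Route("me")]
        public IHttpActionResult Me()
        {
            return Ok(User.Identity.Name);
        }
    }

    // MVC: use the System.Web.Mvc attributes (a different type with the same name).
    [System.Web.Mvc.Authorize]
    public class HomeController : Controller
    {
        [System.Web.Mvc.AllowAnonymous]
        public ActionResult Index()
        {
            return Content("public page");
        }

        public ActionResult Secure()
        {
            return Content("hello " + User.Identity.Name);
        }

        // Explicit sign-in: challenge the OpenID Connect middleware directly
        // instead of relying on a 401 from [Authorize].
        [System.Web.Mvc.AllowAnonymous]
        public void SignIn()
        {
            if (!Request.IsAuthenticated)
            {
                HttpContext.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties { RedirectUri = "/" },
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }
}
```

With this pipeline, GET /api/status/ping returns 200 for a client with no cookie, while GET /api/status/me and /Home/Secure produce a 401 that the middleware turns into the Azure AD redirect. If the anonymous endpoint is still redirected, the redirect is coming from in front of the application (Easy Auth or another IIS module), not from this code, and the portal setting is the thing to check.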