.NET Core 2.0 Authorization filter causes an internal error
An authorization filter will cause an internal error on a .NET Core 2.0 web application. Steps to reproduce the problem are very simple: create a new .NET Core 2.0 MVC project with "no authentication", put an authorization filter on a controller method, access the corresponding URL and a "500 Internal Server Error" will be returned.
[Authorize]
public IActionResult Contact()
{
ViewData["Message"] = "Your contact page.";
return View();
}
A similar code in .NET Core 1.1 will correctly return the response "401 Unauthorized".
I had a posted a similar question on the problem: Custom cookie authentication not working after migration from ASP.NET Core 1.1 MVC to 2.0 while I still hadn't understood that the problem is much wider than it was in my specific case.
The exception:
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.
at Microsoft.AspNetCore.Authentication.AuthenticationService.<ChallengeAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.ChallengeResult.<ExecuteResultAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeResultAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeFilterPipelineAsync>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Builder.RouterMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__7.MoveNext()
HTTP 401 Unauthorized response should contain WWW-Authenticate header that defines authentication method for accessing the resource.
In your project created without authentication, there is no any default authentication scheme set. That's why authentication middleware can not build valid 401 response and chooses to send 500 error instead.
The fix is pretty simple. Add any authentication handler and set default authentication scheme, e.g.:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
}
With such configuration unauthorized request will result to 401 response with correctly set WWW-Authenticate header:
- search is not working, SQL query doesn`t replace GridView data
- Converting GUID to Integer and Back
- Can the app permission/verification be bypassed for Dropbox API?
- asp.net c# scan application for code duplication - utility
- MudDataGrid not showing filter options in Blazor app despite Filterable set to true
- SMTP Email error with port 465
- ExecuteNonQuery() returns -1 always
- Can't open page in browser from Visual Studio
- Dependency injection approach for object used only in a single method
- IIS server error .Server Error in '/' Application
- Configure Docker to use a proxy server
- Read connection string from web.config
- If a folder does not exist, create it
- Azure Active Directory passing empty GUID for tenantId with default template
- Preventing overwriting values one from another of the same application but different windows/tabs with different ID as query string
- Update multiple rows in datatable without loop
- The named 'CommandType' does not exist in the current context
- Can you test whether a function is actually running Asynchronously?
- Service not available, closing transmission channel. The server response was: Cannot connect to SMTP server
- Should project.lock.json file be checked into source control? (ASP.NET Core 1.0)
- Downloaded audio file by "SSH" and returned by the "Service" but API cannot return to user
- How to manage user claims?
- How can I use Dependency Injection in an ASP.NET Core ActionFilterAttribute?
- How can I display a messagebox in ASP.NET?
- Sending IMs through an API
- Get url without querystring
- Blazor components and OnInitialized() inside another method
- Icon Doesn't Appear for MAUI Blazor App on Windows if Taskbar Icons are Combined
- inserting data into SQL DB from C# ASP.NET
- string.Format with variable names instead of numbers