asp.net-core, razor-pages, asp.net-core-identity

How is access restricted in the ASP.NET Core web app template when using ASP.NET Core Identity


I have an ASP.NET Core 5 web app that's using ASP.NET Core Identity for authorization. I have scaffolded all of the Identity UI so that I can see how it works.

Within the scaffolded Razor pages in the "Identity" area, I can see several page model classes that are decorated with [AllowAnonymous], but I can't see any reference to anything that restricts access.

There must be something somewhere, though, because some pages in the template website are accessible when not signed in (even though they do not have [AllowAnonymous]), yet most pages in the scaffolded Identity area are not accessible unless signed in.

How is this achieved? I expected to see a call to AuthorizeFolder (or AuthorizeAreaFolder) but I can't see one anywhere in the project.

I'd like to add some authorization rules of my own, but I'd like to know what the existing rules are before I start making changes.


Solution

  • To maintain full control of the Identity UI, run the Identity scaffolder and select Override all files.

    You might want to do this to have full control of the Identity UI.

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });
    
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(
                Configuration.GetConnectionString("DefaultConnection")));
    
        services.AddIdentity<IdentityUser, IdentityRole>()
            // services.AddDefaultIdentity<IdentityUser>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();
    
        services.AddMvc()
            .AddRazorPagesOptions(options =>
            {
                // Require an authenticated user for every page under
                // /Areas/Identity/Pages/Account/Manage and for the Logout page.
                options.Conventions.AuthorizeAreaFolder("Identity", "/Account/Manage");
                options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
            });
    
        // Where the cookie handler redirects on challenge, sign-out and access denied.
        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = "/Identity/Account/Login";
            options.LogoutPath = "/Identity/Account/Logout";
            options.AccessDeniedPath = "/Identity/Account/AccessDenied";
        });
    
        // using Microsoft.AspNetCore.Identity.UI.Services;
        services.AddSingleton<IEmailSender, EmailSender>();
    }
    

    Reference: Create full Identity UI source

    Simple authorization in ASP.NET Core

    Razor Pages authorization conventions in ASP.NET Core
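
The following is an added example, not part of the original answer: it shows one way to layer custom rules on top of the two Identity conventions above, using a deny-by-default fallback policy. The `AddAppAuthorization` method, the `AdminOnly` policy, the `Admin` role and the `/Admin`, `/Index` and `/Privacy` page paths are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class AuthorizationSetup
{
    // Hypothetical helper: call services.AddAppAuthorization() from ConfigureServices
    // in place of the AddMvc().AddRazorPagesOptions(...) call.
    // In Configure, app.UseAuthentication() and app.UseAuthorization() must sit
    // between app.UseRouting() and app.UseEndpoints(...), or none of this is enforced.
    public static IServiceCollection AddAppAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Deny by default: an endpoint that carries no authorization metadata
            // of its own requires a signed-in user. Pages marked [AllowAnonymous]
            // (such as the scaffolded Login page) still bypass it.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();

            // Named policy used by the folder convention below (hypothetical role name).
            options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
        });

        services.AddRazorPages(options =>
        {
            // The same two rules as in the answer's code.
            options.Conventions.AuthorizeAreaFolder("Identity", "/Account/Manage");
            options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");

            // Custom rule: everything under /Pages/Admin needs the AdminOnly policy.
            options.Conventions.AuthorizeFolder("/Admin", "AdminOnly");

            // Explicit exceptions to the fallback policy for public pages.
            options.Conventions.AllowAnonymousToPage("/Index");
            options.Conventions.AllowAnonymousToPage("/Privacy");
        });

        return services;
    }
}
```

With the fallback policy in place, any scaffolded Identity page that lacks `[AllowAnonymous]` and is not listed in an `AllowAnonymousToPage` convention becomes sign-in only, so check pages such as Register and ForgotPassword after enabling it.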