c#asp.net-coreauthenticationasp.net-web-apiasp.net-authorization

Anonymous endpoint redirects to login screen in secured ASP.Net Core web application


I have an ASP.NET (Blazor Server) 5 web application that was recently migrated to .NET 6.0. It has several private endpoints, and we have a requirement to add a new public endpoint. When we browse to the new public endpoint, the system redirects us to the Azure AD B2C login screen instead of serving it. My understanding is that adding an [AllowAnonymous] attribute to the endpoint method should override the startup configuration.

What am I missing?

Startup.cs:

/// <summary>
/// Registers the services used by the application: HTTP helpers, OpenID Connect
/// authentication bound to the "AzureAdB2C" configuration section, authorization,
/// MVC controllers/views and application-specific services.
/// </summary>
/// <param name="services">The service collection to add registrations to.</param>
public virtual void ConfigureServices(IServiceCollection services)
    {
      services.AddHttpContextAccessor();
      services.AddHttpClient();
      // OpenID Connect is the default authentication scheme, so a request that fails
      // authorization without a signed-in user is challenged through it (the sign-in
      // redirect described in the question).
      services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
          .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAdB2C"));
      // Called without options: no default or fallback policy is customised in the
      // visible code, so access control comes from [Authorize]/[AllowAnonymous]
      // metadata on controllers, actions and pages.
      services.AddAuthorization();
      services.AddControllersWithViews();
      // Endpoint routing is switched off for MVC because Configure() calls
      // UseMvcWithDefaultRoute(), which is only accepted when EnableEndpointRouting is false.
      // Original note: MVC must know whether it can rely on the authorization and
      // CORS middleware during initialization.
      // NOTE(review): SetCompatibilityVersion is believed to be obsolete on .NET 6 -- confirm it is still needed.
      services.AddMvc(options => options.EnableEndpointRouting = false)
          .SetCompatibilityVersion(CompatibilityVersion.Version_3_0);
      // The matching #region directive is not part of this excerpt.
      #endregion

      services.AddScoped<GlobalsService>();
      // Same configuration section as the authentication setup above
      // (configuration keys are case-insensitive, so "AzureADB2C" == "AzureAdB2C").
      services.Configure<AzureADB2C>(configuration.GetSection("AzureADB2C"));
    }

/// <summary>
/// Builds the HTTP request pipeline: HTTPS redirection, cookie policy, routing,
/// authentication, authorization, the legacy MVC router and finally the endpoint
/// mappings (controllers, Blazor hub and the "/_Host" fallback page).
/// </summary>
/// <param name="app">The application builder the middleware is added to.</param>
/// <param name="env">Hosting environment; selects the development or non-development branch.</param>
/// <param name="dataProtectionKeysContext">Not used in the lines shown here (the development branch is elided).</param>
public virtual void Configure(IApplicationBuilder app, IWebHostEnvironment env,
        DataProtectionKeysContext dataProtectionKeysContext)
    {
      if (env.IsDevelopment())
      {
..........................
      }
      else
      {
        // Pass-through middleware: it only forwards to the next component.
        app.Use((ctx, next) =>
        {
          return next();
        });
      }
      app.UseHttpsRedirection();
      app.UseCookiePolicy();      
      // Order matters: UseRouting selects the endpoint, UseAuthentication establishes
      // the user, and UseAuthorization then evaluates the selected endpoint's
      // [Authorize]/[AllowAnonymous] metadata before UseEndpoints executes it.
      app.UseRouting();
      app.UseAuthentication();
      app.UseAuthorization();      
      // Legacy (non-endpoint) MVC router with the conventional
      // {controller=Home}/{action=Index}/{id?} route.
      // NOTE(review): controllers are mapped both here and in UseEndpoints below --
      // confirm both routing systems are really needed.
      app.UseMvcWithDefaultRoute();//Required as MVC must know whether it can rely on the authorization and CORS Middleware during initialization.
      app.UseEndpoints(endpoints =>
      {
        endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        endpoints.MapControllers();
        endpoints.MapBlazorHub();
        // Catch-all: any URL that matches no other endpoint is served by /_Host.
        // NOTE(review): if /_Host requires a signed-in user (not shown here), a mistyped
        // or unmapped "public" URL ends in a sign-in redirect instead of a 404.
        endpoints.MapFallbackToPage("/_Host");
      });
    }
  }

Public API endpoint, accessed via http://localhost:44300/api/GeneratePDF/get:

    /// <summary>
    /// API controller routed at <c>api/GeneratePdf</c> (the <c>[controller]</c> token
    /// expands to the class name without its "Controller" suffix). The class-level
    /// <c>[Authorize]</c> protects every action that does not opt out explicitly.
    /// </summary>
    [Authorize]
    [ApiController]
    [Route("api/[controller]")]
    public partial class GeneratePdfController : ControllerBase
    {
        /// <summary>Creates the controller; it takes no dependencies.</summary>
        public GeneratePdfController()
        {
        }

        /// <summary>
        /// Anonymous GET action that returns an empty 200 OK response.
        /// </summary>
        /// <remarks>
        /// <c>[AllowAnonymous]</c> overrides the class-level <c>[Authorize]</c> for this
        /// action only. <c>[HttpGet]</c> carries no template here, so the action is served
        /// at the controller route itself (<c>GET api/GeneratePdf</c>);
        /// <c>Name = "Get"</c> sets the route name, not a URL segment.
        /// </remarks>
        /// <returns>An <see cref="IActionResult"/> representing HTTP 200.</returns>
        [AllowAnonymous]
        [HttpGet(Name = "Get")]
        public async Task<IActionResult> Get() => Ok();
    }

Solution

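  • Your route attribute is wrong. `Name = "Get"` only sets the route's name, not its URL template, so the action is served at `/api/GeneratePdf` and nothing is mapped to `/api/GeneratePDF/get`. The request therefore never reaches the `[AllowAnonymous]` action; it presumably falls through to the `/_Host` fallback page, which is what triggers the login redirect. Try this: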

             // The leading "~/" makes this template absolute: it replaces the
             // controller-level [Route] prefix instead of being appended to it.
             // [AllowAnonymous] exempts only this action; other actions stay covered
             // by the controller's [Authorize].
             [AllowAnonymous]
            [HttpGet("~/api/GeneratePDF/get")]
             public async Task<IActionResult> Get()
    

    or change your controller route

          // [action] expands to the action method's name, so Get() is served at
          // /api/GeneratePdf/Get (route matching is case-insensitive).
          // Keep the [ApiController] and [Authorize] attributes from the original
          // controller so that only actions marked [AllowAnonymous] become public.
          [Route("~/api/[controller]/[action]")]
          public partial class GeneratePdfController : ControllerBase