Authorize Attribute for MORYX Access Management is ignored


I'm currently trying to set up an identity provider using the MORYX Access Management framework. When I add the [Authorize] attribute to a method in an API controller, it's ignored. Therefore I can call the API method without being authorized.

This is a snippet from my Startup.cs:

    ...
    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        var conventionBuilder = endpoints.MapControllers();
        endpoints.MapRazorPages();
    });


    if (env.IsDevelopment())
    {
        app.UseCors("CorsPolicy");
    }

    app.UseEndpoints(endpoints =>
    {
        var conventionBuilder = endpoints.MapControllers();
        endpoints.MapRazorPages();
        conventionBuilder.WithMetadata(new AllowAnonymousAttribute());
    });
    ...

and my API-Controller method:

    [HttpGet("system")]
    [Authorize(Policy = "bananarama")]
    public IActionResult GetServerSystemInformation()
    {
        return Ok(Manager.GetSystemInformation());
    }

Do you have any idea what could be wrong?

Thank you in advance.


Solution

  • In your code you seem to have both the code snippets for using the AccessManagement and the snippets to allow anonymous access to the endpoints. If you want to have your endpoints protected (which is highly recommended for production environments), make sure to remove the last 5 lines from your example, i.e.

    app.UseHttpsRedirection();
    
    app.UseRouting();
    
    app.UseAuthentication();
    app.UseAuthorization();
    
    app.UseEndpoints(endpoints =>
    {
        var conventionBuilder = endpoints.MapControllers();
        endpoints.MapRazorPages();
    });
    
    if (env.IsDevelopment())
    {
        app.UseCors("CorsPolicy");
    }
    
    app.UseGtisDocumentation("/gtis-documentation");
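The mechanism behind the answer is that `WithMetadata(new AllowAnonymousAttribute())` attaches `IAllowAnonymous` metadata to every controller endpoint, and the authorization middleware skips any endpoint carrying that metadata regardless of the `[Authorize]` attribute on the action. The following is an added example, not code from the question, the answer or the MORYX project: a Startup that keeps the corrected pipeline and adds a fail-fast audit that throws at startup if any endpoint ends up with both `[Authorize]` and `AllowAnonymous` metadata, so this class of misconfiguration cannot reach production silently. The policy requirement, the controller's return value and the authentication-scheme registration are assumptions (MORYX Access Management would register its own scheme where the comment indicates); the policy name `bananarama` is the one from the question.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Assumption: the MORYX Access Management authentication scheme is registered here.
        services.AddAuthentication();

        services.AddAuthorization(options =>
        {
            // "bananarama" is the policy name from the question; the requirement is an assumption.
            options.AddPolicy("bananarama", policy => policy.RequireAuthenticatedUser());
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseRouting();

        // Authentication must run before authorization, and both before UseEndpoints.
        app.UseAuthentication();
        app.UseAuthorization();

        if (env.IsDevelopment())
        {
            app.UseCors("CorsPolicy");
        }

        app.UseEndpoints(endpoints =>
        {
            // Map controllers exactly once and attach no AllowAnonymous metadata.
            endpoints.MapControllers();

            // The misconfiguration from the question, kept only as a comment:
            // endpoints.MapControllers().WithMetadata(new AllowAnonymousAttribute());
            // That metadata makes the authorization middleware skip every controller
            // endpoint, so [Authorize] on the action is never evaluated.

            // Fail fast if any endpoint carries both [Authorize] and AllowAnonymous metadata.
            AssertNoAnonymousAuthorizedEndpoints(endpoints);
        });
    }

    // Walks every registered endpoint and throws when an endpoint that declares an
    // authorization requirement also carries IAllowAnonymous metadata (which wins).
    private static void AssertNoAnonymousAuthorizedEndpoints(IEndpointRouteBuilder endpoints)
    {
        var conflicting = endpoints.DataSources
            .SelectMany(source => source.Endpoints)
            .Where(e => e.Metadata.GetMetadata<IAuthorizeData>() != null
                     && e.Metadata.GetMetadata<IAllowAnonymous>() != null)
            .Select(e => e.DisplayName ?? "<unnamed endpoint>")
            .ToList();

        if (conflicting.Count > 0)
        {
            throw new InvalidOperationException(
                "Endpoints carry both [Authorize] and AllowAnonymous metadata; "
                + "AllowAnonymous takes precedence, so they are unprotected: "
                + string.Join(", ", conflicting));
        }
    }
}

[ApiController]
[Route("api")]
public class SystemController : ControllerBase
{
    // The controller action from the question; the returned object is a constructed stand-in
    // for Manager.GetSystemInformation().
    [HttpGet("system")]
    [Authorize(Policy = "bananarama")]
    public IActionResult GetServerSystemInformation()
    {
        return Ok(new { Host = Environment.MachineName, Time = DateTime.UtcNow });
    }
}
```

The audit runs inside the `UseEndpoints` callback after all mapping calls, because conventions such as `WithMetadata` are applied when the endpoint list is built; placing the check last ensures it sees the final metadata. Re-adding the commented-out `WithMetadata` line makes the application throw on startup instead of exposing `GET /api/system` anonymously.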