
Authorize everywhere solution breaks OIDC #34543

Closed
jchoca opened this issue Jan 23, 2025 · 3 comments · Fixed by #34555
jchoca commented Jan 23, 2025

Description

I could be missing something, but it seems like this solution doesn't work for the MS OpenIdConnect libraries for ASP.NET:

```csharp
// Fallback policy: applied to every endpoint that carries no authorization metadata of its own.
var requireAuthPolicy = new AuthorizationPolicyBuilder()
    .RequireAuthenticatedUser()
    .Build();

builder.Services.AddAuthorizationBuilder()
    .SetFallbackPolicy(requireAuthPolicy);
```

When I used this, it seemed to cause the built-in OIDC endpoint(s) to require authorization, causing an infinite loop.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-oidc-web-authentication?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authentication/configure-oidc-web-authentication.md

Document ID

5d97b8bb-6505-9268-efbc-33fc2c02f4d8

Article author

@damienbod

Metadata

  • ID: 5d97b8bb-6505-9268-efbc-33fc2c02f4d8
  • Service: aspnet-core
  • Sub-service: security

guardrex (Collaborator) commented Jan 23, 2025

Hello @jchoca ... Stand by for @damienbod to arrive and assist further. As you suggest, you can start with that policy per ...

https://learn.microsoft.com/aspnet/core/security/authentication/configure-oidc-web-authentication#force-authorization

... and then use [AllowAnonymous] to opt out for pages that shouldn't require authz, as shown in the next two sections ...

@damienbod will comment further when he gets on here. I'm 👀 on your issue for a separate reason: I might want to provide a cross-link or two in the Blazor OIDC article for this very common scenario.

damienbod (Contributor) commented Jan 24, 2025

Yes, this sounds good. Lock everything down and opt out for the public endpoints with the [AllowAnonymous]
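The "lock everything down, then opt out" pattern both maintainers describe, written out as a complete minimal-API Program.cs. This is an added example, not code from the thread, from the linked article, or from the dotnet/AspNetCore.Docs repo. It assumes ASP.NET Core 8 or 9 with the Microsoft.AspNetCore.Authentication.OpenIdConnect package, and the `Oidc:Authority`, `Oidc:ClientId` and `Oidc:ClientSecret` configuration keys are placeholders of my own choosing. The `/`, `/healthz`, `/profile` and `/signout` routes are likewise illustrative. No endpoint is mapped for the OIDC callback paths because the OIDC handler services them inside the authentication middleware.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// The cookie holds the local session; OIDC is only used to challenge (redirect to the IdP).
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Placeholder configuration keys (an assumption of this example; keep the secret
    // in user-secrets or a vault, never in source control).
    options.Authority = builder.Configuration["Oidc:Authority"];
    options.ClientId = builder.Configuration["Oidc:ClientId"];
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow, PKCE is on by default
    options.Scope.Add("profile");
    options.SaveTokens = true;
    options.MapInboundClaims = false;                     // keep original JWT claim names
    options.TokenValidationParameters.NameClaimType = "name";

    // Default callback paths. They are handled by the OIDC handler inside
    // UseAuthentication(), so no endpoint is mapped for them below.
    options.CallbackPath = "/signin-oidc";
    options.SignedOutCallbackPath = "/signout-callback-oidc";
});

// "Authorize everywhere": any endpoint without its own authorization metadata
// requires an authenticated user. Endpoints with [Authorize]/RequireAuthorization
// or [AllowAnonymous]/AllowAnonymous() are unaffected by the fallback policy.
builder.Services.AddAuthorizationBuilder()
    .SetFallbackPolicy(new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build());

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Public endpoints opt out explicitly; everything else inherits the fallback policy.
app.MapGet("/", () => "Public landing page").AllowAnonymous();
app.MapGet("/healthz", () => Results.Ok("healthy")).AllowAnonymous();

// Protected by the fallback policy: an anonymous request is challenged and
// redirected to the IdP; after the callback, the cookie is issued and this runs.
app.MapGet("/profile", (ClaimsPrincipal user) =>
    Results.Ok(user.Claims.Select(c => new { c.Type, c.Value })));

// Sign out of the local cookie and then of the IdP session (front-channel logout).
app.MapGet("/signout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
});

app.Run();
```

A quick check after wiring this up: request `/` and `/healthz` in a private browser window and expect 200 with no redirect; request `/profile` and expect a 302 to the IdP's authorization endpoint, then a redirect back through `/signin-oidc` and finally the claims list. Any new route you add is protected unless you opt it out, which is the property the fallback policy is there to give you.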

guardrex (Collaborator)

Thanks, @damienbod. I'll take a quick stab at a few words in the section on Force authorization to this effect. I'll ping you for review on the PR in a few minutes.
