Authorization failing for custom authentication handler for ASP.NET Core 3.1?

kovac

I am trying to implement a simple api key based authentication handler. My handler method is

protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
    // Get the apiKey from a store...
    if (apiKey != header.Parameter)
    {
        var error = "Invalid username or api key.";
        return Task.FromResult(AuthenticateResult.Fail(error));
    }

    var claims = new List<Claim> {new Claim("user", (string)username)};
    var identity = new ClaimsIdentity(claims);
    var principal = new ClaimsPrincipal(identity);
    var ticket = new AuthenticationTicket(principal, header.Scheme);

    return Task.FromResult(AuthenticateResult.Success(ticket));
}

When I make the request with the correct username and the api key, the method above returns AuthenticateResult.Success(ticket) as expected. However, my controller action is not getting invoked despite being correctly authenticated. Instead, the Task HandleChallengeAsync(AuthenticationProperties properties) is getting called and is returning a 401 unauthorised response.

I'm registering my authentication handler in startup class like:

public void ConfigureServices(IServiceCollection services)
{
    // register controllers, etc.
    services.AddAuthentication("ApiKey").AddApiKeyBearer();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env,
    IHostApplicationLifetime applicationLifetime)
{
    app.ConfigureExceptionHandler()
            .UseRouting()
            .UseAuthentication()
            .UseAuthorization()
            .UseEndpoints(builder => builder.MapControllers());
}

How can I avoid the challenge since the authentication is already successful?

kovac

I managed to find out the answer here. Basically, I needed to override the default authorization policy in the startup class like so:

services.AddAuthorization(o =>
{
    // Build a policy bound to the "ApiKey" scheme that requires the "user" claim.
    var builder = new AuthorizationPolicyBuilder("ApiKey");
    builder = builder.RequireClaim("user");
    o.DefaultPolicy = builder.Build();
});
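
An alternative that keeps the default policy, shown as an added example that is not part of the original post: the default policy calls RequireAuthenticatedUser(), and a ClaimsIdentity built without an authenticationType reports IsAuthenticated == false, so the request is challenged even after AuthenticateResult.Success. The class name ApiKeyHandler, the IApiKeyStore service and the "username:key" header format are assumptions made for this sketch.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Assumed lookup service (hypothetical, not from the post).
public interface IApiKeyStore { string FindKey(string username); }

public class ApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly IApiKeyStore _store;

    public ApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IApiKeyStore store)
        : base(options, logger, encoder, clock) => _store = store;

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Assumed header format: "Authorization: ApiKey <username>:<key>".
        if (!AuthenticationHeaderValue.TryParse(Request.Headers["Authorization"], out var header)
            || !string.Equals(header.Scheme, Scheme.Name, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
            return Task.FromResult(AuthenticateResult.NoResult());

        var parts = header.Parameter.Split(':', 2);
        var expected = parts.Length == 2 ? _store.FindKey(parts[0]) : null;

        // Compare in fixed time so response timing does not leak key prefixes.
        if (expected == null || !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(parts[1])))
            return Task.FromResult(AuthenticateResult.Fail("Invalid username or api key."));

        // Passing an authenticationType makes identity.IsAuthenticated return true,
        // which the default policy's RequireAuthenticatedUser() check needs.
        var identity = new ClaimsIdentity(
            new[] { new Claim("user", parts[0]) }, authenticationType: Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

With the identity marked as authenticated, [Authorize] passes under the default policy and the RequireClaim("user") override becomes an optional extra check.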
