
AllowAnonymous is not working with Azure AD authentication

I have an ASP.NET MVC application in which I am using Azure AD authentication to authenticate the users. I want to allow users to access some of the API controllers without login. I tried putting the [AllowAnonymous] attribute on top of the controllers to skip these controllers from authentication, however it's always redirecting to the Microsoft login page for credentials. Code snippet from Startup.cs:

using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.WindowsAzure.ServiceRuntime;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        string clientId = GetConfigValue("ida_ClientId");
        string aadInstance = GetConfigValue("ida_AADInstance");
        string tenant = GetConfigValue("ida_Tenant");
        string domain = GetConfigValue("ida_Domain");
        string authority = GetConfigValue("ida_Authority");
        string postLogoutRedirectUri = GetConfigValue("ida_RedirectUri");

        bool devEnvironment = Convert.ToBoolean(GetConfigValue("DevEnvironment"));

        // The cookie middleware is the sign-in store; OpenID Connect signs in to it.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            CookieHttpOnly = true,
            CookieSecure = devEnvironment ? CookieSecureOption.SameAsRequest : CookieSecureOption.Always,
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            RedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    // Note: this echoes the raw exception message into the redirect URL.
                    context.Response.Redirect("/Error?message=" + context.Exception.Message);
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Reads from the cloud service role configuration when running in Azure,
    // otherwise from <appSettings> in Web.config.
    private string GetConfigValue(string key)
    {
        if (RoleEnvironment.IsAvailable)
        {
            return RoleEnvironment.GetConfigurationSettingValue(key);
        }
        else
        {
            return ConfigurationManager.AppSettings[key];
        }
    }
}

Please let me know if I am missing anything. Thanks in advance.

This is expected behavior. Easy Auth is implemented as a native IIS module that runs in the same sandbox as your application. When enabled, every HTTP request dispatched to the IIS worker process must first pass through this module before your application code has a chance to react.

The request will be dispatched to the web app unless it is authenticated, and AllowAnonymous will not work in this scenario. If you want to allow the anonymous request, you can implement the authentication using the OWIN component instead of Easy Auth.

Here is an example protecting MVC with the OpenId component:

active-directory-dotnet-webapp-openidconnect

For more detail about Easy Auth, you can refer to CGillum's blog:

Architecture of Azure App Service Authentication / Authorization

It seems to me that anonymous access is allowed on any page unless one of these four settings is applied:

At the bottom of the ConfigureAuth method of the Startup.Auth class:

    // This makes any middle-ware defined above this line run before the Authorization rule is applied in web.config
    app.UseStageMarker(PipelineStage.Authenticate);

Attribute on the controller class/method:

    [Authorize]
    public class HomeController : Controller

App_Start global filter:

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

In the system.web section of Web.config:

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>

So you basically have to think in reverse by removing any global settings and then requiring authentication on the views you want to restrict.
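The following is an added example, not code from the question or either answer, showing the "deny by default, opt out with [AllowAnonymous]" arrangement that the two answers describe: the OWIN cookie and OpenID Connect middleware registered at the Authenticate stage, a global Authorize filter instead of a web.config `<deny users="?" />`, and one anonymous endpoint each for an MVC controller and a Web API controller. The client id, authority, redirect URI and the HomeController/StatusController names are placeholders chosen for the example.

```csharp
using System.Web.Http;
using System.Web.Mvc;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Startup.Auth.cs: OWIN cookie + OpenID Connect middleware. Nothing here
// challenges a request by itself; the challenge is triggered by an Authorize
// filter, which is what lets [AllowAnonymous] opt a controller back out.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Placeholders (assumed for this example): substitute the app registration's values.
            ClientId = "<client-id>",
            Authority = "https://login.microsoftonline.com/<tenant-id>",
            RedirectUri = "https://localhost:44300/",
            PostLogoutRedirectUri = "https://localhost:44300/"
        });
        // Run everything registered above at the Authenticate stage, before
        // the web.config <authorization> rules are evaluated.
        app.UseStageMarker(PipelineStage.Authenticate);
    }
}

// FilterConfig.cs (MVC): deny by default. Do NOT also keep
// <deny users="?" /> in web.config; UrlAuthorizationModule would reject
// anonymous requests before MVC ever sees [AllowAnonymous].
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }
}

// WebApiConfig.cs: Web API has a separate filter pipeline and separate
// attribute types; an MVC AuthorizeAttribute is never applied to an
// ApiController and vice versa.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MapHttpAttributeRoutes();
        config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
    }
}

// Hypothetical MVC controller: the global filter applies, so Index triggers
// the OpenID Connect redirect, while Ping is reachable without a sign-in.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return Content("signed in as " + User.Identity.Name);
    }

    [System.Web.Mvc.AllowAnonymous]
    [System.Web.Mvc.HttpGet]
    public ActionResult Ping()
    {
        return Json(new { status = "ok" }, JsonRequestBehavior.AllowGet);
    }
}

// Hypothetical Web API controller: must use the System.Web.Http attributes.
[System.Web.Http.RoutePrefix("api/status")]
public class StatusController : ApiController
{
    [System.Web.Http.AllowAnonymous]
    [System.Web.Http.HttpGet]
    [System.Web.Http.Route("")]
    public IHttpActionResult Get()
    {
        return Ok(new { status = "ok" });
    }

    [System.Web.Http.HttpGet]
    [System.Web.Http.Route("me")]
    public IHttpActionResult Me()
    {
        return Ok(new { user = User.Identity.Name });
    }
}
```

Wire the two registrations up in Global.asax as usual (`FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters)` and `GlobalConfiguration.Configure(WebApiConfig.Register)`). Two checks worth making when an anonymous endpoint still redirects: first, that the controller is an `ApiController` using `System.Web.Http.AllowAnonymous` rather than the MVC attribute of the same name, since Web API ignores MVC's; second, that App Service Authentication / Authorization (Easy Auth) is either switched off or configured to allow unauthenticated requests, because, as the first answer explains, that module acts on the request before the OWIN pipeline or any controller attribute is consulted.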
