Bypass (ignore) AuthorizeAttribute when Authorization is disabled #23564
-
An exception is thrown when AuthorizeAttribute is used on an endpoint when Authorization is disabled (no UseAuthentication/UseAuthorization, we have it disabled on development env). I tried adding AllowAnonymous filter which some people suggested but the exception is still thrown. Is there a way to bypass this behavior? I know I can use a dummy AuthenticationHandler but it seems hacky to add the whole auth pipeline just to ignore the AuthorizeAttribute, and also the roles are still checked so I would need to add all existing roles in that dummy AuthenticationHandler. Ideally I would want the authorization to be completely disabled, roles should not be checked on development env. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
This check prevents a serious issue of people accidentally disabling security checks in production. If you're altering startup for tests, consider setting the default authorization policy to one that does not require authenticated users. |
Beta Was this translation helpful? Give feedback.
This check prevents a serious issue of people accidentally disabling security checks in production.
If you're altering startup for tests, consider setting the default authorization policy to one that does not require authenticated users.