[Exploratory Testing] Cannot add authz for apis in a single app.

[harshgMSFT]

Currently if there is a thick client which targets the same service as the browser, with a custom authorization middleware, even in case of authorization failure, the client receives a 200.(instead of a 401 or 403).

The reason is that there is no way of specifying the authentication type within the authz service. Since to enable browser based authz, cookie middleware has to be added, even if a custom middleware is added, the response gets redirected to a login page in case of a 401, which results in a 200 response getting sent back to an api based client (windows phone app).

The workaround today is either :

1. Have apis and browser based app as separate end points.
2. Call the cookie middleware within your custom middleware.

cc: @Tratcher , @HaoK /

[lodejard]

When authorization fails, are you calling Challenge(authtypes) with the bearer authentication type? If you do so then only the named types will participate in the response, and the cookie middleware will not redirect.

Having the authtypes on the policy connected to an authorize attribute will have the same effect.

[harshgMSFT]

I tried adding the auth type to the policy and that did not work.

  services.Configure<BasicAuthOptions>(options =>
            {
                options.AuthenticationMode = AuthenticationMode.Passive;
                options.AuthenticationType = "BasicAuth";
            });

options.AddPolicy("Api", policyBuilder => policyBuilder.AddAuthenticationTypes("BasicAuth")
                                                                            .RequireAuthenticatedUser());

I think the issue is that AuthorizeAttribute does not call challenge today.

[HaoK]

This should be working now