AuthorizationEvaluator should check authentication state #56
Comments
Also seems odd that AuthorizeWith() and RequireAuthorization() extension methods don't do any authorization checks by calling the internal Authorization evaluator and only check for claim matches.
The “next” branch adds an Authorization requirement that you can use to check for an authenticated user. You can add that requirement today in your own codebase if you wish.
Ahhhh... .RequireAuthorization() is not to mark a type as requiring authorization. It is a convenience method for checking if any policies have been defined against the type using the .AuthorizeWith() method. As such there is no method currently for flagging that a type needs to be authorized but not against specific policies, correct? I guess the requirement you suggest would still need to be registered against a policy and that policy used e.g. .AuthorizeWith("authenticated");
Yes. A policy could be anything, not only related to the authenticated user. Such as, maybe your policy checks a configuration value or something like that.
See #49 (comment). Once you get used to the setup, it's actually pretty straightforward.
@Vouzamo Is this issue still actual?
Closed due to inactivity.
The first thing in the default AuthorizationEvaluator .Evaluate method should be a check of principal.Identity.IsAuthenticated to conditionally return an AuthenticationResult.Fail() if false since claims are only valid for an authenticated user.
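The approach suggested in the thread (a custom requirement registered under a policy, then applied with .AuthorizeWith("authenticated")), as an added example that is not part of the original issue or the project's own code. It assumes the library's IAuthorizationRequirement.Authorize(AuthorizationContext), AuthorizationContext.ReportError, AuthorizationSettings.AddPolicy and AuthorizationPolicyBuilder.AddRequirement members; the class names IsAuthenticatedRequirement, AuthorizationSetup and AccountType are hypothetical.

```csharp
using System.Threading.Tasks;
using GraphQL.Authorization;
using GraphQL.Types;

// Hypothetical requirement: fails the policy when the caller is not authenticated,
// so claim checks in other policies are never the only gate on a type.
public class IsAuthenticatedRequirement : IAuthorizationRequirement
{
    public Task Authorize(AuthorizationContext context)
    {
        // User or Identity may be null for an anonymous request; treat that as unauthenticated.
        if (context.User?.Identity?.IsAuthenticated != true)
        {
            context.ReportError("An authenticated user is required.");
        }
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Policy name taken from the thread's .AuthorizeWith("authenticated") example.
    public const string AuthenticatedPolicy = "authenticated";

    public static AuthorizationSettings Build()
    {
        var settings = new AuthorizationSettings();
        settings.AddPolicy(AuthenticatedPolicy,
            policy => policy.AddRequirement(new IsAuthenticatedRequirement()));
        return settings;
    }
}

// Hypothetical graph type that requires an authenticated caller but no specific claim.
public class AccountType : ObjectGraphType
{
    public AccountType()
    {
        Name = "Account";
        this.AuthorizeWith(AuthorizationSetup.AuthenticatedPolicy);
        Field<StringGraphType>("email");
    }
}
```

Register the AuthorizationSettings instance returned by Build() wherever the application already wires up the library's evaluator and validation rule.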