AllowAnonymous Attribute not working MVC 5

11,934

Solution 1

I've just written about this in my book - http://aka.ms/zumobook - look in Chapter 6 for the MVC section.

The basic gist of it is that you need to do a little more to enable authentication; most specifically, you need to set up an auth pipeline (Azure Mobile Apps Server SDK will do this for you) and you need to set up a forms redirect within Web.config:

<system.web>
  <compilation debug="true" targetFramework="4.5.2"/>
  <httpRuntime targetFramework="4.5.2"/>
  <authentication mode="Forms">
    <forms loginUrl="/.auth/login/aad" timeout="2880"/>
  </authentication>
</system.web>

Since there are several details to adding the Mobile Apps SDK to your ASP.NET application, I'd refer to the referenced chapter for those details.

Solution 2

Check whether your web.config has

<authorization>
  <deny users="?" />
</authorization>

It overrides [AllowAnonymous]. Add

<location path="YourController/AnonymousMethod">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

to allow anonymous access
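
An added example (not code from either answer or from ASP.NET): a small Python audit that parses a web.config and reports which paths anonymous requests can reach under URL authorization, using the first-match rule order that makes the `<location>` override in Solution 2 work. The sample config is constructed from the two fragments above. The script models only `users` rules at site level and per exact `<location>` path, and assumes the framework default of allow when no rule matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the site-wide deny and the <location> override from Solution 2.
SAMPLE = """<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="YourController/AnonymousMethod">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(node):
    """Return [(action, users)] from node's system.web/authorization, in document order."""
    authz = node.find("system.web/authorization")
    if authz is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in authz if r.tag in ("allow", "deny")]

def _anonymous_decision(rules):
    """The first rule naming '?' (anonymous) or '*' (everyone) decides the request."""
    for action, users in rules:
        if "?" in users or "*" in users:
            return action
    return None  # no rule matched

def audit(config_xml):
    """Map each path ('' = site root) to True if anonymous requests pass URL authorization."""
    root = ET.fromstring(config_xml)
    site_rules = _rules(root)
    # Assumption: with no matching rule, the machine-level default <allow users="*"/> applies.
    result = {"": (_anonymous_decision(site_rules) or "allow") == "allow"}
    for loc in root.findall("location"):
        # Rules in a <location> are evaluated before the inherited site-wide rules.
        decision = _anonymous_decision(_rules(loc) + site_rules) or "allow"
        result[loc.get("path", "")] = decision == "allow"
    return result

if __name__ == "__main__":
    for path, is_open in audit(SAMPLE).items():
        print(f"{path or '(site root)'}: {'anonymous allowed' if is_open else 'login required'}")
```

Running it against a deployed web.config gives a quick inventory of every path that is exempt from the site-wide deny, which is worth reviewing whenever a `<location>` block is added.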

Author by

Green_qaue

Updated on June 23, 2022

Comments

  • Green_qaue
    Green_qaue almost 2 years

    Inside the Azure Portal I set App Service Authentication to "On" for my Web App, and I use AAD as the authentication provider.

    This has worked great up until now. I need an endpoint that will allow anonymous users; however, the attribute [AllowAnonymous] does not work, and I am still required to sign in.

    Code:

    [Authorize]
    [RoutePrefix("users")]
    public class UsersController : Controller
    {
        // Covered by the class-level [Authorize]: requires a signed-in user.
        [Route("register/{skypeid}")]
        public ActionResult Register(string skypeid)
        {
            try
            {
                ///stuff...
            }
            catch (Exception ex)
            {
                return Content(ex + "");
            }

            ViewBag.Name = name;
            return View();
        }

        // Intended to opt this one action out of the class-level [Authorize].
        [AllowAnonymous]
        [Route("exists/{skypeid}")]
        public ActionResult Exists(string skypeid)
        {
            return Content("Hello " + skypeid);
        }
    }

    I think the code is right, so does it have something to do with the fact that I use App Service Authentication for my Web App?

    EDIT: So, I found the source of the problem. In Azure, if you set "Action to take when not Authenticated" to "Sign in with Azure Active Directory", it never allows anonymous.

    However, if I change it to allow anonymous, then users are not prompted to sign in when trying to access a control with the [Authorize] attribute; it just tells me "You do not have permission to view this directory or page." Is this intended? It seems really weird. I want users to be redirected to login if there is an [Authorize] attribute.


  • Green_qaue
    Green_qaue about 7 years
    Thanks, I'll accept this answer. I decided to change my approach to authorization and went with OpenID Connect instead. It lets me have more control.
  • Kelly Elton
    Kelly Elton over 5 years
    Where do you add that block of xml?
  • alexey
    alexey about 5 years
    It should be in the </configuration> tag