How to protect all controllers by default with bearer token in ASP.NET Core?
Solution 1
Starting with .Net 6
we can do this (if using minimal hosting model recommended by Microsoft):
app.MapControllers().RequireAuthorization();
Starting with .Net Core 3
we can do this:
app.UseEndpoints(endpoints =>
{
endpoints
.MapControllers()
.RequireAuthorization(); // This will set a default policy that says a user has to be authenticated
});
It is possible to change default policy or add a new policy and use it as well.
P.S. Please note that even though the method name says "Authorization", by default it will only require that the user is Authenticated. It is possible to add more policies to extend the validation though.
Solution 2
You can still use filters as in this example:
services.AddMvc(config =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
config.Filters.Add(new AuthorizeFilter(policy));
});
The policy in this example is very simple but there a lots of ways to configure a policy for various requirements, roles etc.
Related videos on Youtube
Ilya Chernomordik
You know, everyone wants a badge, so I have to write something in here :)
Updated on June 07, 2022Comments
-
Ilya Chernomordik almost 2 years
I have added a JWT middleware to my application:
app.UseJwtBearerAuthentication(options => { options.AutomaticAuthenticate = true;} )
No the funny thing is that it throws 500 exception (should be changed to 401 in later releases) for ALL actions, even those that are not protected at all (don't have authorize attribute). It seems to me that this is wrong but maybe I am doing something wrong myself.
Ideally what I want to achieve is that all actions are protected by default (there were filters for that in previous ASP.NET), and I will put Anonymous on those that I want public or perhaps Authorize("SomePolicy") if I want additional policies, but I want that without a token the API cannot be accessed at all. How do I do this in the new ASP.NET (I know I can inherit from some controller with this attribute, but I hope there is a better way of doing it)?
-
Joe Audette over 8 yearsyou can find additional authorization examples here: github.com/blowdart/AspNetAuthorizationWorkshop
-
Ilya Chernomordik over 8 yearsThanks, I will try, but do you know what to do with the problem of jwt middleware throwing exceptions for public API?
-
Ilya Chernomordik over 8 yearsI have made a separate question for that: stackoverflow.com/questions/34995518/…. You answer fixed the original problem though, thanks :)
-
bvj over 3 yearsI guess RequireAuthorization implies Authentication.
-
Ilya Chernomordik over 3 yearsYou can check the comment in the code that explains exactly this: it adds the default policy for all controllers where authorization means authentication only (default policy). This can be further configured or changed by using policies. But the naming is not perfect and quite confusing, I agree
-
Bernoulli IT over 2 yearsSame as the always confusing 401
Unauthorized
which should have been namedUnauthenticated
. MDN: "Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response." -
Juan Stoppa over 2 yearsthis doesn't seem to work for .NET 5, you need to add a policy in AuthorizationPolicyBuilder (e.g. AuthorizationPolicyBuilder(new string [] { "defaultPolicy" })