Aspnetcore: Authorization broken in Razor Pages .Net Core 3.0 preview 3

Created on 10 Mar 2019 · 10 Comments · Source: dotnet/aspnetcore

ASP.NET Core Identity 3.0 Preview 3 template with Razor Pages:
The Authorize attribute does nothing on the Privacy page.
AuthorizePage does nothing.
AuthorizeFolder does nothing.

You can also navigate to /Identity/Account/Manage, which should redirect back to login, whereas it shows "Unable to load user with ID ''" from the GET request.
Is this planned for preview 4?
Related to https://github.com/aspnet/AspNetCore/issues/7011 which is flagged as done and closed but does not work.

Labels: Done, area-mvc, blocked, bug

All 10 comments

@Ponant can you show exactly what modifications you made to the app after the initial project was created?

@Eilon, go to the Identity/Account/Manage page of the template; there is no need to change anything in the template to get this bug.
Otherwise, you can do this

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc.RazorPages;

    // Page model for /Privacy; [Authorize] should challenge anonymous requests
    [Authorize]
    public class PrivacyModel : PageModel
    {
    }

but you will be able to access the Privacy page

Also

    services.AddMvc()
        .AddRazorPagesOptions(o => o.Conventions.AuthorizePage("/Privacy"))
        .AddNewtonsoftJson();

does nothing.
Same for AuthorizeFolder. I did not test further as there is clearly a huge hole while the issue is absent in 2.2.

@javiercn / @pranavkm - any idea?

Not sure what's happening here, but I'll take a look.

Just create the Identity template and navigate to identity/account/manage and you should see the GET request go through, whereas it requires authorization. You can also use AuthorizePage and the like and it should just ignore them. Let me know if you can reproduce. Cheers

Thanks for the details, @Ponant.
I could repro this using Preview 3 bits.
This is where the failure is coming from: https://github.com/aspnet/AspNetCore/blob/c95ee2b051814b787b07f55ff224d03d550aafeb/src/Identity/samples/IdentitySample.DefaultUI/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs#L68
Obviously, the expectation here is that the user should be known. So indeed, authorization was completely bypassed.

@mkArtak, out of curiosity, do you know where the bug comes from?

Not really, @Ponant. Let's wait for @pranavkm to handle this - he'll do a great job here.

The root cause of this issue is that the methods like AuthorizePage create an AuthorizeFilter but we also need an IAuthorizeData to show up in the endpoint metadata.

Since AuthorizeFilter is an MVC feature, it won't get executed by the authorization middleware - however the authorization middleware will run and suppress the filter.

We had a test gap in this area due to some functional tests that weren't running in the correct configuration. Updating the test app setup to be more like our documentation caused these tests to fail. I plan to check in the changes to the test setup as part of some other changes and skip the tests related to this issue.

To be crystal clear on the point - this is a bug, and it is broken in preview 3. Official releases such as 2.2 do not have this bug.
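The distinction in the comment above (an MVC AuthorizeFilter versus IAuthorizeData in endpoint metadata, which is what the authorization middleware consults) is easiest to see in code. The following is an added example, not code from this issue or from the ASP.NET Core repository: a page convention that registers the requirement in both places, and a regression test of the kind the "test gap" mentioned above would have caught, asserting that an anonymous GET to /Privacy is challenged rather than served. It assumes a Razor Pages app with the Identity UI (a Startup class and a /Privacy page), the Microsoft.AspNetCore.Mvc.Testing and xunit packages, and that PageApplicationModel exposes an EndpointMetadata list in the 3.0 build; the names AuthorizePageWithMetadata, ProtectedPagesTests and PrivacyPageRequiresSignedInUser are hypothetical.

```csharp
// Added example; not part of the issue or the aspnetcore repository.
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public static class AuthorizeMetadataConventions
{
    // Hypothetical convention: attach the authorization requirement both as an
    // MVC filter (what AuthorizePage did in preview 3) and as IAuthorizeData in
    // the page's endpoint metadata, which is what the authorization middleware
    // actually looks at under endpoint routing. EndpointMetadata on
    // PageApplicationModel is assumed to exist in the 3.0 build.
    public static PageConventionCollection AuthorizePageWithMetadata(
        this PageConventionCollection conventions, string pageName, string policy = null)
    {
        conventions.AddPageApplicationModelConvention(pageName, model =>
        {
            var authorizeData = new AuthorizeAttribute { Policy = policy };
            model.Filters.Add(new AuthorizeFilter(new[] { authorizeData }));
            model.EndpointMetadata.Add(authorizeData);
        });
        return conventions;
    }
}

// Usage in Startup.ConfigureServices (assumed app code):
//   services.AddMvc()
//       .AddRazorPagesOptions(o => o.Conventions.AuthorizePageWithMetadata("/Privacy"));

// Regression test: the bug in this issue is that an anonymous request to a
// protected page returns 200 instead of being challenged.
public class ProtectedPagesTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly WebApplicationFactory<Startup> _factory;

    public ProtectedPagesTests(WebApplicationFactory<Startup> factory)
    {
        _factory = factory;
    }

    [Fact]
    public async Task PrivacyPageRequiresSignedInUser()
    {
        // Do not follow redirects: the assertion is about the challenge itself,
        // not about the login page it would land on.
        var client = _factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            AllowAutoRedirect = false
        });

        var response = await client.GetAsync("/Privacy");

        // Cookie authentication answers an anonymous request to a protected
        // page with a 302 to the Identity login page. A 200 here means the page
        // was served with no authorization check at all.
        Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
        Assert.Contains("/Identity/Account/Login", response.Headers.Location.ToString());
    }
}
```

Running the test against preview 3 bits with the stock AuthorizePage convention reproduces the report (200 instead of 302); it is the check to keep in place for any build that changes how authorization data reaches the endpoint.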

@pranavkm , is it possible to know the cause of the bug? Thanks for the fix!
