Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IAllowAnonymous no longer appears in AuthorizationFilterContext.Filters collection #391

syndicatedshannon opened this issue Oct 17, 2019 · 0 comments


Copy link

@syndicatedshannon syndicatedshannon commented Oct 17, 2019

IAllowAnonymous no longer appears in the AuthorizationFilterContext.Filters collection

As noted in code, now

MVC does not add AllowAnonymousFilters for AllowAnonymousAttributes

While this is addressed locally for derivatives of AuthorizeAttribute, it is a breaking change for IAsyncAuthorizationFilter and IAuthorizationFilter implementations. Such implementations wrapped in a TypeFilterAttribute are a popular, and to the best of my knowledge still supported, method to achieve strongly-typed attributed-based Authorization, where both configuration and DI is required.

Version introduced


Old behavior

IAllowAnonymous appeared in AuthorizationFilterContext.Filters collection. Testing for presence was a valid approach to override/disable the filter on individual controller methods.

New behavior

IAllowAnonymous no longer appears in AuthorizationFilterContext.Filters collection. IAsyncAuthorizationFilter implementations dependent on this will typically now cause intermittent 401 Unauthorized or 403 Forbidden responses.

Reason for change

New Endpoint strategy.

Recommended action

Also search endpoint metadata for IAllowAnonymous, as demonstrated here. Example:

 null != context.HttpContext.GetEndpoint()?.Metadata?.GetMetadata<IAllowAnonymous>()



Affected APIs

Not detectable via API analysis

Issue metadata

  • Issue type: breaking-change
@aspnet aspnet locked as resolved and limited conversation to collaborators Oct 17, 2019
@mkArtakMSFT mkArtakMSFT added this to the 3.0.0 milestone Oct 17, 2019
@mkArtakMSFT mkArtakMSFT added the 3.0.0 label Oct 17, 2019
@mkArtakMSFT mkArtakMSFT added the 3.0.0 label Oct 17, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
3 participants
You can’t perform that action at this time.