Update Authorization Section (#14024)

dotnet · Aug 26, 2019 · 443289f · 443289f
1 parent 89babd8
commit 443289f
Showing 1 changed file with 82 additions and 5 deletions.
diff --git a/aspnetcore/migration/22-to-30.md b/aspnetcore/migration/22-to-30.md
@@ -4,7 +4,7 @@ author: rick-anderson
 description: Learn how to migrate an ASP.NET Core 2.2 project to ASP.NET Core 3.0.
 ms.author: riande
 ms.custom: mvc
-ms.date: 08/17/2019
+ms.date: 08/26/2019
 uid: migration/22-to-30
 ---
 # Migrate from ASP.NET Core 2.2 to 3.0
@@ -281,9 +281,9 @@ public class HomeController : ControllerBase
 }
 ```
 
-If the app uses an `AuthorizeFilter` as a global filter in MVC, we recommend refactoring the code to provide a policy to the `UseAuthorization` middleware.
+If the app uses an `AuthorizeFilter` as a global filter in MVC, we recommend refactoring the code to provide a policy in the call to `AddAuthorization`.
 
-In the following example, a custom policy to be applied to all requests when `UseAuthorization` is called, and the `HomeController` allows access without the user signing into the app:
+The `DefaultPolicy` is initially configured to require authentication, so no additional configuration is required. In the following example, MVC endpoints are marked as `RequireAuthorization` so that all requests must be authorized based on the `DefaultPolicy`. However, the `HomeController` allows access without the user signing into the app due to `[AllowAnonymous]`:
 
 ```csharp
 public void Configure(IApplicationBuilder app)
@@ -293,7 +293,84 @@ public void Configure(IApplicationBuilder app)
     app.UseRouting();
 
     app.UseAuthentication();
-    app.UseAuthorization(new AuthorizationPolicyBuilder().Build()));
+    app.UseAuthorization();
+
+    app.UseEndpoints(endpoints =>
+    {
+        endpoints.MapDefaultControllerRoute().RequireAuthorization();
+    });
+}
+
+[AllowAnonymous]
+public class HomeController : ControllerBase
+{
+    ...
+}
+```
+
+Policies can also be customized. Building upon the previous example, the `DefaultPolicy` is configured to require authentication and a specific scope:
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+    ...
+
+    services.AddAuthorization(options =>
+    {
+        options.DefaultPolicy = new AuthorizationPolicyBuilder()
+          .RequireAuthenticatedUser()
+          .RequireScope("MyScope")
+          .Build();
+    });
+}
+
+public void Configure(IApplicationBuilder app)
+{
+    ...
+
+    app.UseRouting();
+
+    app.UseAuthentication();
+    app.UseAuthorization();
+
+    app.UseEndpoints(endpoints =>
+    {
+        endpoints.MapDefaultControllerRoute().RequireAuthorization();
+    });
+}
+
+[AllowAnonymous]
+public class HomeController : ControllerBase
+{
+    ...
+}
+```
+
+Alternatively, all endpoints can be configured to require authorization without `[Authorize]` or `RequireAuthorization` by configuring a `FallbackPolicy`. The `FallbackPolicy` is different from the `DefaultPolicy`. The `DefaultPolicy` is triggered by `[Authorize]` or `RequireAuthorization`, while the `FallbackPolicy` is triggered when no other policy is set. `FallbackPolicy` is initially configured to allow requests without authorization.
+
+The following example is the same as the preceding `DefaultPolicy` example but uses the `FallbackPolicy` to always require authentication on all endpoints except when `[AllowAnonymous]` is specified:
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+    ...
+    services.AddAuthorization(options =>
+    {
+        options.FallbackPolicy = new AuthorizationPolicyBuilder()
+          .RequireAuthenticatedUser()
+          .RequireScope("MyScope")
+          .Build();
+    });
+}
+
+public void Configure(IApplicationBuilder app)
+{
+    ...
+
+    app.UseRouting();
+
+    app.UseAuthentication();
+    app.UseAuthorization();
 
     app.UseEndpoints(endpoints =>
     {
@@ -310,7 +387,7 @@ public class HomeController : ControllerBase
 
 Authorization by middleware works without the framework having any specific knowledge of authorization. For instance, [health checks](xref:host-and-deploy/health-checks) has no specific knowledge of authorization, but health checks can have a configurable authorization policy applied by the middleware.
 
-In the following example, `UseAuthorization` processes authorization without a default policy, but the `/healthz` health check endpoint requires the user to be in the `admin` role: 
+Additionally, each endpoint can customize its authorization requirements. In the following example, `UseAuthorization` processes authorization with the `DefaultPolicy`, but the `/healthz` health check endpoint requires an `admin` user:
 
 ```csharp
 public void Configure(IApplicationBuilder app)