This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Problem with authorization through policy's/requirements #860

Closed
mythjuha opened this issue Jun 2, 2016 · 4 comments

Comments

mythjuha commented Jun 2, 2016

Almost certainly I'm doing something wrong, but I've been searching for days with no luck.

In my project, I'm using custom implementations of userstore, passwordstore, etc., and a custom class as "User".

```csharp
services.AddScoped<IUserStore<Person>, AuthenticationService>();
services.AddScoped<IUserPasswordStore<Person>, AuthenticationService>();
services.AddScoped<IUserEmailStore<Person>, AuthenticationService>();
services.AddScoped<IUserRoleStore<Person>, AuthenticationService>();
services.AddScoped<IUserPhoneNumberStore<Person>, AuthenticationService>();
services.AddScoped<IUserLockoutStore<Person>, AuthenticationService>();
services.AddScoped<IRoleStore<LoginRole>, AuthenticationService>();

// The body of the options lambda was cut off in the original post.
services.AddIdentity<Person, LoginRole>(o => { })
    .AddDefaultTokenProviders();

services.AddAuthorization(options =>
{
    options.AddPolicy("PolicyName", policy =>
    {
        // sp: a service provider obtained elsewhere in Startup (not shown in the post).
        policy.AddRequirements(new Authorization.SomeRequirement(sp.GetService<UserManager<Person>>()));
        policy.RequireAuthenticatedUser();
    });
});
```

In an API controller that has the policy as authorization, the code is executed and succeeds. However, my logs show me the following message:

Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware: Information: HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Identity.Application.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware: Information: AuthenticationScheme: Identity.Application was successfully authenticated.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed for user: my_username.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult: Information: Executing ChallengeResult with authentication schemes (Identity.Application).
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware: Information: AuthenticationScheme: Identity.Application was forbidden.

What is the DefaultAuthorizationService and why is it being called?

Tratcher (Member) commented Jun 2, 2016

DefaultAuthorizationService is the default implementation that evaluates policies. One of your requirements is failing.

mythjuha (Author) commented Jun 3, 2016

Is there a way to know which one? Because the policy only has 1 requirement, and when placing breakpoints, it succeeds:

context.Succeed(requirement);

Some more interesting info:

  • For each request, the requirement is called twice (and succeeds twice).
  • Sometimes it does work. For now I'm unable to point out why. If I just call the API multiple times, sometimes it returns a result, sometimes it doesn't ( http://prntscr.com/bbr4y7 ). Even when it does, the requirement is still called twice. (Ignore the 404s. It's the cookie middleware that's trying to redirect to the login page. Still trying to disable this behaviour.)
  • Regular [Authorize] works perfectly

Eilon removed the discussion label Jun 9, 2016
Eilon added this to the 1.0.1 milestone Jun 9, 2016

Eilon (Member) commented Jun 9, 2016

We should add some verbose logging for when evaluations of a policy succeed.

HaoK (Member) commented Jul 20, 2016

Will use this #901 to track this general issue
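
Added example, not part of the thread or of the project's code: a pass-through handler that logs which requirements are still unsatisfied once the other handlers have run, one way to answer the "which one?" question asked above. The class name and log message are illustrative, and it assumes handlers are invoked in registration order, so it has to be registered last.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Logging;

// Hypothetical diagnostic handler. It never calls Succeed() or Fail();
// it only reports the state the other handlers left behind.
public class PendingRequirementLogger : IAuthorizationHandler
{
    private readonly ILogger<PendingRequirementLogger> _logger;

    public PendingRequirementLogger(ILogger<PendingRequirementLogger> logger)
    {
        _logger = logger;
    }

    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        // Authorization succeeds only if no handler called Fail() and every
        // requirement of the policy was marked with Succeed(). That includes
        // requirements added by builder helpers such as RequireAuthenticatedUser().
        // Anything still pending at this point causes the failure in the log.
        var pending = context.PendingRequirements
            .Select(r => r.GetType().Name)
            .ToArray();

        if (context.HasFailed || pending.Length > 0)
        {
            _logger.LogWarning(
                "Authorization not satisfied for {User}. Fail() called: {Failed}. Pending: {Pending}",
                context.User?.Identity?.Name ?? "(anonymous)",
                context.HasFailed,
                string.Join(", ", pending));
        }

        return Task.CompletedTask;
    }
}

// In Startup.ConfigureServices, after AddAuthorization(...) and after the
// application's own handlers, so that it is resolved last:
//   services.AddSingleton<IAuthorizationHandler, PendingRequirementLogger>();
```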
