Yup, this is by design. Starting in 3.1, authorization attributes are handled by the [authorization middleware](https://github.com/BrightSoul/AuthorizationHandlerMultipleInvocations/blob/master/Startup.cs#L63) instead of being evaluated by MVC's authorization filter. However if you explicitly add an `AuthorizationFilter`, it would get separately executed.

[tnlthanzeel]

          Yup, this is by design. Starting in 3.1, authorization attributes are handled by the [authorization middleware](https://github.com/BrightSoul/AuthorizationHandlerMultipleInvocations/blob/master/Startup.cs#L63) instead of being evaluated by MVC's authorization filter. However if you explicitly add an `AuthorizationFilter`, it would get separately executed.

Instead of adding a AuthorizationFilter, consider using using RequireAuthorization on an endpoint: e.g.

endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}").
   RequireAuthorization("some_policy");

This would a substitute to adding a global auth filter.

Originally posted by @pranavkm in #32518 (comment)

How to do this to a specific controller in an ASP Core 7 application which has only API contollers?

[halter73]

[Authorize(Policy = "some_policy")] should still just work.

#32518 was about policies running twice when you add a policy both using MvcOptions.Filters and an attribute which is by design. Using RequireAuthorization is an alternative to filters for applying a policy globally without rerunning them.

[tnlthanzeel]

@halter73 , This still happens in ASP Core 7.

Hi have a controller like below

[Route("api/events")]
[Authorize(policy: ApplicationAuthPolicy.HasAccessToEvent)] // this is the custom policy which get called 3 time in the HandleRequirementAsync() method
public sealed class EventsController : AppControllerBase
{
    private readonly IEventService _eventService;

    public EventsController(IEventService eventService)
    {
        _eventService = eventService;
    }

    [HttpPost]
    [Authorize(policy: ApplicationAuthPolicy.EventPolicy.Create)]
    [ProducesResponseType(typeof(ResponseResult<EventDto>), StatusCodes.Status201Created)]
    public async Task<ActionResult> CreateEvent([FromBody] CreateEventDto model, CancellationToken cancellationToken)
    {
        var response = await _eventService.CreateEvent(model, cancellationToken);

        return response.Success ? CreatedAtRoute(nameof(GetEventById), new { id = response.Data!.Id }, response) : UnsuccessfullResponse(response);
    }
}

And my Program.cs look like below

services.AddIdentity<ApplicationUser, Role>(options =>
        {
            options.Password.RequiredLength = 14;
            options.Password.RequireLowercase = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireDigit = true;
            options.User.RequireUniqueEmail = true;
            options.SignIn.RequireConfirmedEmail = false;
        })
          .AddEntityFrameworkStores<AppDbContext>()
          .AddDefaultTokenProviders();

        services.Configure<PasswordHasherOptions>(option =>
        {
            option.IterationCount = 512_000;
        });

        JwtConfig jwtData = new();

        builder.Configuration.Bind(nameof(JwtConfig), jwtData);

        services.AddAuthentication(auth =>
        {
            auth.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            auth.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            auth.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })
          .AddJwtBearer(options =>
            {
                options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
                options.SaveToken = false;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = jwtData.Issuer,
                    ValidateAudience = true,
                    ValidAudience = jwtData.Audience,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtData.SigningKey)),
                    ClockSkew = TimeSpan.Zero,
                    ValidateLifetime = true
                };

                //This code came from https://www.blinkingcaret.com/2018/05/30/refresh-tokens-in-asp-net-core-web-api/
                //It returns a useful header if the JWT Token has expired

                options.Events = new JwtBearerEvents
                {
                    OnForbidden = async context =>
                    {
                        context.Response.ContentType = applicationJSONContentType;
                        context.Response.StatusCode = StatusCodes.Status403Forbidden;

                        await context.Response.WriteAsync(Serializer.Serialize(new ErrorResponse()
                        {
                            Errors = new List<KeyValuePair<string, IEnumerable<string>>>
                                {
                                new (nameof(HttpStatusCode.Forbidden), new[] { "Access denied" })
                                }
                        }));
                    },

                    OnChallenge = async context =>
                    {
                        context.HandleResponse();

                        context.Response.ContentType = applicationJSONContentType;
                        context.Response.StatusCode = StatusCodes.Status401Unauthorized;

                        await context.Response.WriteAsync(Serializer.Serialize(new ErrorResponse()
                        {
                            Errors = new List<KeyValuePair<string, IEnumerable<string>>>
                            {
                                new (nameof(HttpStatusCode.Unauthorized), new[] { "Your login has expired, please login again" })
                            }
                        }));
                    }
                };
            });

       // the below  line registers the custom requirement
        services.AddTransient<IAuthorizationHandler, EventAccessRequirementHandler>();


        services.AddAuthorization(options =>
        {
            options.AddPolicy(ApplicationAuthPolicy.HasAccessToEvent,
                        policy =>
                        {
                            policy.Requirements.Add(new EventAccessRequirement());
                        });
        });

var app = builder.Build();

app.UseCors();

app.UseAuthentication();

app.UseAuthorization();

app.MapControllers().RequireAuthorization();


app.Run();

And my Custom Requirement like below

public sealed class EventAccessRequirementHandler : AuthorizationHandler<EventAccessRequirement>
{
    private readonly ILoggedInUserService _loggedInUserService;
    private readonly IUserSecurityRespository _userSecurityRespository;

    public EventAccessRequirementHandler(ILoggedInUserService loggedInUserService, IUserSecurityRespository userSecurityRespository)
    {
        _loggedInUserService = loggedInUserService;
        _userSecurityRespository = userSecurityRespository;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, EventAccessRequirement requirement)
    {
        if (context.User.Identity!.IsAuthenticated is false)
        {
            context.Fail();
            return;
        }

        var userEmail = _loggedInUserService.UserEmail;

        if (userEmail is null)
        {
            context.Fail();
            return;
        }

        var user = await _userSecurityRespository.GetUser(context.User);

        if (user is null)
        {
            context.Fail();
            return;
        }


        bool isSuperAdmin = _loggedInUserService.UserId == AppConstants.SuperAdmin.SuperUserId.ToString();

        if (isSuperAdmin)
        {
            context.Succeed(requirement);
            return;
        }

        bool hasAccessToEvent = await _userSecurityRespository.HasAccessToEvent(user.Id, _loggedInUserService.FacetsEventId);

        if (hasAccessToEvent)
        {
            context.Succeed(requirement);
            return;
        }

        else
        {
            context.Fail();
        }
    }
}

[halter73]

How are the MvcOptions configured? Can you please post a complete repro app?

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

[tnlthanzeel]

@halter73 , i was out this week, i will post a repo tomoro so you go through it, thanks

[tnlthanzeel]

hi @halter73 , here is the minimal repo link to the repository

1. run the API project.
2. just go to https://localhost:<your port number>/index.html, this will open swagger.
3. go the the secusity end point and, click on try and and execute the request. values doesnt really matter.
4. get the jwt token and past it to the authenticator of swagger without 'bearer'
5. just execute the Event gen API end point. this will call the EventAccessRequirementHandler and UserClaimRequirementHandler 3 times which is the issue