×
Masaaki Komori

Defaulting ASP.NET Core 3.1 To Require Authentication For A Safer Developer Experience

Written by Ken Dale
3
This post is days old.

Typically with ASP.NET Core 3.1 when no specific authorization requirements are set all endpoints are publicly accessible. When you’re working with an authenticated required system the burden is on the developer to remember to use [Authorize] attributes everywhere appropriate. This can lead to bugs by omission – and, could result in a serious data breach.

Solution

For a safe-by-default experience, we can require authentication when no specific instructions are set.

namespace MyWebApplication
{
    public class Startup
    {
        private static readonly string PublicAuthorizationPolicy = "PublicPolicy";

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddRouting();
            services.AddAuthentication();
            services.AddAuthorization(options =>
            {
                options.AddPolicy(
                    PublicAuthorizationPolicy,
                    new AuthorizationPolicyBuilder()
                        .RequireAssertion(_ => true)
                        .Build());

                options.FallbackPolicy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
            });
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                // Allow public access for a health check
                endpoints.MapHealthChecks("/_health")
                    .RequireAuthorization(PublicAuthorizationPolicy);

                // Everything that doesn't explicitly allow
                // anonymous users requires authentication.
                endpoints.MapControllers();
            });
        }
    }
}

At least one assertion is required when configuring an auth policy. We can satisfy this requirement while enabling public access via RequireAssertion(_ => true) – always allow everyone.

Summary

Safe-by-default authentication and authorization is a good strategy, especially when the consequences for making a mistake are severe. We can make ASP.NET Core 3.1 safe-by-default by authenticating all requests by default, while still maintaining a way to create public endpoints as needed. With public endpoints explicitly defined mistakes can’t be made by forgetting to do something.

Ken Dale
Ken Dale
Senior Application Developer (Former)
asp.net core
Suggested reading

Swagger Grouping With Controller Name Fallback Using Swashbuckle.AspNetCore

asp.net core
We’ve been using Swagger via Swashbuckle for some time with our ASP.NET Full ...
Read now

ASP.NET Core 3.1: Newtonsoft.Json Issues With Enumerable.Empty Assignment

asp.net core
We’ve spotted some strange behavior before with ASP.NET Core and JSON seriali...
Read now

ASP.NET Core 3.1: Default System.Text.Json Settings Don't Roundtrip (Serialize/Deserialize) Through Test Server

asp.net core
We’ve spotted some strange behavior before with ASP.NET Core and JSON seriali...
Read now

Fixing ASP.NET Core's UseStatusCodePages Middleware

asp.net core
Here at RIMdev, we are unapologetic about our love for static websites. Folks...
Read now

Strongly Typed Feature Flags With ASP.NET Core 2.2

asp.net core
Feature flags can be useful for changing the runtime behavior of an applicati...
Read now

Multi Instance ASP.NET Core 2.2 Data Protection Using Redis and an Azure Key Vault Certificate

asp.net core
We’re in the process of upgrading our infrastructure to run our Azure Web App...
Read now

Comments

Stay fresh! The brighter green, the fresher the article!