This article describes how to disable authentication for ASP.NET Core 2.0.
ASP.NET Core JWT Authentication
I have some Rest API which I want to protect via JwtBearer token in production e.g.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
public void ConfigureServices(IServiceCollection services) { ... services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }).AddJwtBearer(o => { o.Authority = authority; o.Audience = audience; o.RequireHttpsMetadata = false; }); services.AddMvc(); ... } public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { ... app.UseAuthentication(); app.UseMvc(); ... } |
However in order to test the API, for development I totally want to disable authentication without having to remove all Authorizes in the Controllers.
First Attempt
If you however try something like this:
1 2 3 4 5 |
if (!env.IsDevelopment()) { ... services.AddAuthentication(options => ... } |
you will run into the following error:
An unhandled exception occurred while processing the request.
InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.
Solution
It took the quite some time to figure out a valid solution. And it is very simpe as well…
What I ended up doing is this:
1 2 3 4 5 6 7 8 |
if (env.IsDevelopment()) { services.AddMvc(opts => { opts.Filters.Add(new AllowAnonymousFilter()); }); } else { services.AddMvc(); } |
Now everyone can access the API in development. Hope this helps someone solve this problem.
If you have any questions or further information, please leave a comment below.
Thank you very much!
excellent thanks for the tip
Excellent, works like a charm… Thank you
what will happen if you have policy in the attribute?
[Authorize(Policy = „ServiceAuthorizationPolicy“)]
I explored a lot of complicated options before finding this – thanks very much!
I cannot seem to find which package/namespace has this AllowAnonymousFilter filter?
namespace Microsoft.AspNetCore.Mvc.Authorization
Thank you man, I was looking for any solution for this, it was very simple with your explanation but another think to add is that if you are putting the code into the ConfigureServices method you have to declare an use the IHostingEnvironment variable in the Startup constructor.
This technique is indeed simple and elegant. Worked great for me! As Martin N. pointed out, you will not have access to the IHostingEnvironment object in ConfigureServices, so don’t forget to add it as a constructor param for DI.
but… where comes this ‚env‘ from?
It is IHostingEnvironment env injected into the Configure method by the dependency injection.
Doesn’t seem to work in .Net Core 3.1
Yeah, not working for me when i have a policy on the method, e.g.
[Authorize(Policy = „ManageIceCreamPolicy“)]
I get a 404
Worked great, thanks for this info!
Top level answer from link worked for me in core 3.1
https://stackoverflow.com/questions/41112564/asp-net-disable-authentication-in-development-environment
Hello, Absolutely great article here.
thanks for your easy-to-understand example.
I, like several others by the looks of things, was confused about where „env“ came from, given that the code snippets appeared to be from the Startup.ConfigureServices method which doesn’t have an env parameter.
Martin Navarrete put me on the right track, you need to add an IHostingEnvironment parameter to the Startup class constructor, then pass that value to a property you can access in the ConfigureServices method.
Similar to:
public class Startup
{
public IConfiguration Configuration { get; }
public IHostingEnvironment Environment { get; }
public Startup(IConfiguration configuration, IHostingEnvironment environment)
{
Configuration = configuration;
Environment = environment;
}
public IServiceProvider ConfigureServices(IServiceCollection services)
{
…
services.AddMvc(options =>
{
if (Environment.IsDevelopment())
{
options.Filters.Add(new AllowAnonymousFilter());
}
// Set other options here. For example:
options.ModelBinderProviders.Insert(0, new UTCDateTimeModelBinderProvider());
…
});
…
}
}
Whoops, tab indents were stripped, making my code sample a little hard to read. Trying again with spaces instead of tabs:
Pingback: ASP.NET Core disable authentication in development environment - Code Utility - Code Utility