Swashbuckle ignores the "AllowAnonymous" attribute of controller operations


If I have controller operations with the “AllowAnonymous” attribute (see example below):

[AllowAnonymous]
[HttpGet]
public Response ExampleFunction(string exampleInput)
{
    ...
    return retVal;
}

The operation still has the auth in the generated Swagger documentation (the lock is shown and the auth header will be sent with every request).

I expect that Swashbuckle respects this attribute and removes the auth from the endpoint / operation.

Version of Swashbuckle.AspNetCore: 5.1.0
Version of .NET Core: 3.1.102

Top GitHub Comments

tiwalter commented, Mar 25, 2020 (9 reactions)

Thanks, you’re right!

This implementation works for me:

using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

public class BasicAuthOperationsFilter : IOperationFilter
{
    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        // CustomAttributes() yields the attributes of the action and of its controller.
        var noAuthRequired = context.ApiDescription.CustomAttributes()
            .Any(attr => attr.GetType() == typeof(AllowAnonymousAttribute));

        // Anonymous operations get no requirement: no lock icon, no auth header sent.
        if (noAuthRequired) return;

        // Everything else references the "basic" scheme registered via AddSecurityDefinition.
        operation.Security = new List<OpenApiSecurityRequirement>
        {
            new OpenApiSecurityRequirement
            {
                {
                    new OpenApiSecurityScheme
                    {
                        Reference = new OpenApiReference
                        {
                            Type = ReferenceType.SecurityScheme,
                            Id = "basic"
                        }
                    },
                    new List<string>()
                }
            }
        };
    }
}

The only thing you have to do is to filter operations with the “AllowAnonymous” attribute. The operation.Security property will be adjusted for them.
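As an added example (not code from the issue thread or from Swashbuckle itself), a filter that also handles the combination of [Authorize] on the controller and [AllowAnonymous] on an action, following the same precedence rule ASP.NET Core's own authorization middleware applies; the class name and the Startup registration are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

// Assumed class name. Mirrors ASP.NET Core's rule: [AllowAnonymous] on the action
// or its controller wins over any [Authorize]; with no [Authorize] at all, nothing is required.
public class AuthorizeAwareOperationFilter : IOperationFilter
{
    // Must match the id passed to AddSecurityDefinition(...) at registration time.
    private const string SchemeId = "basic";

    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        // CustomAttributes() yields attributes of both the action and its controller.
        var attributes = context.ApiDescription.CustomAttributes().ToList();
        var allowAnonymous = attributes.OfType<IAllowAnonymous>().Any();
        var requiresAuth = attributes.OfType<IAuthorizeData>().Any();

        if (allowAnonymous || !requiresAuth)
        {
            // No lock icon and no Authorization header from Swagger UI for this operation.
            operation.Security = new List<OpenApiSecurityRequirement>();
            return;
        }

        operation.Security = new List<OpenApiSecurityRequirement>
        {
            new OpenApiSecurityRequirement
            {
                [new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = SchemeId }
                }] = new List<string>()
            }
        };
    }
}

// Registration (assumed Startup.ConfigureServices). Deliberately no AddSecurityRequirement:
// a global requirement would put the lock back on every operation, anonymous ones included.
// services.AddSwaggerGen(c =>
// {
//     c.AddSecurityDefinition("basic", new OpenApiSecurityScheme
//         { Type = SecuritySchemeType.Http, Scheme = "basic" });
//     c.OperationFilter<AuthorizeAwareOperationFilter>();
// });
```

The filter only changes the generated document; it does not enforce anything, so the runtime authorization policy still has to be correct on its own. Leaving the operation's security list empty removes the lock only because no document-level requirement is registered.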

domaindrivendev commented, Mar 25, 2020 (2 reactions)

Yes. When you use the AddSecurityRequirement method you’re adding a “global” requirement (i.e. applicable to all operations). If you want to add security requirements at the operation level, then you’ll need to create a custom Operation Filter that inspects your action metadata for the presence of authorization attributes and then sets the corresponding Operation.Security property accordingly.

The readme has an example that does this for an OAuth security scheme. If you read through that section carefully then you should be able to adjust the example for the “basic” schema in your case. If anything, it should be much simpler than the OAuth one.

