
[gRPC] AllowAnonymous on a service method is ignored #840

Open
jirikanda opened this issue Jun 25, 2024 · 2 comments
Labels
breaking-change TBD to be discussed, to be decided, to be defined :-)

Comments

@jirikanda
Contributor

AllowAnonymousAttribute on a single method is ignored:

```csharp
[Authorize(Policy = PolicyNames.EShopCustomerPolicy)]
public class OfferFacade
{
    ...
    [AllowAnonymous]
    public async Task<OfferHeaderDto> GetOfferHeaderAsync(Dto<string> offerRefer, CancellationToken cancellationToken = default)
    {
        ...
    }
}
```
@jirikanda changed the title from "[gGRPC] AllowAnonymous on a service method is ignored" to "[gRPC] AllowAnonymous on a service method is ignored" on Jun 25, 2024
@hakenr
Member

hakenr commented Jun 25, 2024

Probably due to the [ApiContract] attribute on IOfferFacade, where the RequireAuthorization property defaults to true.

Currently, with the way we register the gRPC services in startup code, we do not expect to have both authorized and anonymous methods on a single facade. You can still remove the RequireAuthorization() call from the gRPC registration in MapGrpcServicesByApiContractAttributes() (configureEndpointWithAuthorization action), which will remove the default "fallback authorization = require the user to be at least authenticated" and rely solely on the [Authorize] attributes on the facade itself.

https://github.com/havit/NewProjectTemplate-Blazor/blob/808f7a31bf1c7676c4802fc661f45358210b3a38/Web.Server/Startup.cs#L145-L148

The original purpose of the RequireAuthorization property on [ApiContract] attribute was to allow a simple decision on client-side whether to require a JWT token to be added to the server calls:
https://github.com/havit/NewProjectTemplate-Blazor/blob/58e7c29c827f079975629af75a8529db6cd8d7ea/Web.Client/Program.cs#L100-L104

...with the new BWA and cookie-based auth, we can drop the JWT token support (can we?) and remove the [ApiContract(RequireAuthorization = ...)] property. Breaking change.

@hakenr added the labels "TBD to be discussed, to be decided, to be defined :-)" and "breaking-change" on Jun 25, 2024
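The comment above turns on what authorization metadata actually ends up on each gRPC endpoint: an endpoint-level RequireAuthorization() added at registration versus the [Authorize]/[AllowAnonymous] attributes on the facade. The helper below is an added example, not code from the issue or from the NewProjectTemplate-Blazor repository; it uses only public ASP.NET Core and Grpc.AspNetCore types to list the effective authorization mode per mapped gRPC method, so a method that is supposed to be anonymous can be verified at startup. OfferFacade and GetOfferHeaderAsync are the names from the issue; the Program.cs wiring in the trailing comment and the assumption that the facade is mapped with the standard MapGrpcService<T>() are mine.

```csharp
using System.Collections.Generic;
using System.Linq;
using Grpc.AspNetCore.Server;                 // GrpcMethodMetadata (Grpc.AspNetCore package)
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class GrpcAuthorizationAudit
{
    // Effective authorization metadata per mapped gRPC method, keyed by "/Service/Method".
    // "anonymous"  = IAllowAnonymous present: the authorization middleware skips the policy check.
    // "(fallback)" = no IAuthorizeData at all: only AuthorizationOptions.FallbackPolicy (if set) applies.
    // otherwise    = the policy names carried by the [Authorize]/RequireAuthorization metadata.
    public static IReadOnlyDictionary<string, string> Collect(EndpointDataSource endpoints)
    {
        var result = new Dictionary<string, string>();
        foreach (var ep in endpoints.Endpoints)
        {
            var grpc = ep.Metadata.GetMetadata<GrpcMethodMetadata>();
            if (grpc is null) continue;                       // not a gRPC endpoint
            if (ep.Metadata.GetMetadata<IAllowAnonymous>() is not null)
            {
                result[grpc.Method.FullName] = "anonymous";
                continue;
            }
            var policies = ep.Metadata.GetOrderedMetadata<IAuthorizeData>()
                             .Select(a => a.Policy ?? "(default)")
                             .ToArray();
            result[grpc.Method.FullName] = policies.Length == 0 ? "(fallback)" : string.Join(",", policies);
        }
        return result;
    }
}

// Assumed Program.cs wiring (OfferFacade is the facade from the issue):
//   var app = builder.Build();
//   app.UseAuthentication(); app.UseAuthorization();
//   // Fallback style described in the comment: every method also gets an endpoint-level requirement.
//   app.MapGrpcService<OfferFacade>().RequireAuthorization();
//   // Attribute-only style the comment suggests instead: the facade's attributes alone decide.
//   // app.MapGrpcService<OfferFacade>();
//   foreach (var (method, mode) in GrpcAuthorizationAudit.Collect(
//                app.Services.GetRequiredService<EndpointDataSource>()))
//       app.Logger.LogInformation("{Method} -> {Mode}", method, mode);
//   // GetOfferHeaderAsync is expected to report "anonymous"; a policy name there means the
//   // method-level [AllowAnonymous] never reached the endpoint metadata.
```

Run the audit once at startup (or from an integration test against the test host) and fail fast when a method expected to be anonymous reports a policy, or when a method expected to be protected reports "(fallback)" with no FallbackPolicy configured.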
@jirikanda
Contributor Author

jirikanda commented Jun 25, 2024

we do not expect to have both authorized and anonymous methods on single facade

OK, so the only possible way is to make IOfferFacade and IOfferFacadeWithAnonymousAccess?
(I am not sure now if it can be implemented with just one class.)

...with the new BWA and cookie-based auth, we can drop the JWT token support (can we?) and remove the

We can. For the BWA (we have removed the NuGet package with this support from the application).
