This article describes how to disable authentication for ASP.NET Core 2.0.
ASP.NET Core JWT Authentication
I have some Rest API which I want to protect via JwtBearer token in production e.g.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
public void ConfigureServices(IServiceCollection services) { ... services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }).AddJwtBearer(o => { o.Authority = authority; o.Audience = audience; o.RequireHttpsMetadata = false; }); services.AddMvc(); ... } public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { ... app.UseAuthentication(); app.UseMvc(); ... } |
However in order to test the API, for development I totally want to disable authentication without having to remove all Authorizes in the Controllers.
First Attempt
If you however try something like this:
|
1 2 3 4 5 |
if (!env.IsDevelopment()) { ... services.AddAuthentication(options => ... } |
you will run into the following error:
An unhandled exception occurred while processing the request.
InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.
Solution
It took the quite some time to figure out a valid solution. And it is very simpe as well…
What I ended up doing is this:
|
1 2 3 4 5 6 7 8 |
if (env.IsDevelopment()) { services.AddMvc(opts => { opts.Filters.Add(new AllowAnonymousFilter()); }); } else { services.AddMvc(); } |
Now everyone can access the API in development. Hope this helps someone solve this problem.
If you have any questions or further information, please leave a comment below.
Thank you very much!
excellent thanks for the tip
Excellent, works like a charm… Thank you
what will happen if you have policy in the attribute?
[Authorize(Policy = „ServiceAuthorizationPolicy“)]
I explored a lot of complicated options before finding this – thanks very much!
I cannot seem to find which package/namespace has this AllowAnonymousFilter filter?
namespace Microsoft.AspNetCore.Mvc.Authorization
Thank you man, I was looking for any solution for this, it was very simple with your explanation but another think to add is that if you are putting the code into the ConfigureServices method you have to declare an use the IHostingEnvironment variable in the Startup constructor.
This technique is indeed simple and elegant. Worked great for me! As Martin N. pointed out, you will not have access to the IHostingEnvironment object in ConfigureServices, so don’t forget to add it as a constructor param for DI.
but… where comes this ‚env‘ from?
It is IHostingEnvironment env injected into the Configure method by the dependency injection.
Doesn’t seem to work in .Net Core 3.1
Yeah, not working for me when i have a policy on the method, e.g.
[Authorize(Policy = „ManageIceCreamPolicy“)]
I get a 404
Worked great, thanks for this info!
Top level answer from link worked for me in core 3.1
https://stackoverflow.com/questions/41112564/asp-net-disable-authentication-in-development-environment