
Identity default FallbackPolicy interferes with StatusCodePages 404 middleware #32366

Open
lonix1 opened this issue Apr 22, 2024 · 3 comments

Comments

@lonix1

lonix1 commented Apr 22, 2024

Description

The linked page's code is incorrect, and its wording could be improved.

When one uses Identity and "secure by default" config - i.e. builder.Services.AddAuthorization(x => x.FallbackPolicy = x.DefaultPolicy); - then attempts to access a non-existent page will go to the login page instead of the error/404 page.

To force requests to go to the error/404 page instead, the linked page's code is given as a solution. But it doesn't work. Perhaps some changes were made in the last few aspnet versions?

This does work:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

public class SampleAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        if (!authorizeResult.Succeeded &&
            authorizeResult.Challenged &&
            context.GetEndpoint() == null)
        {
            // Return a 404 to make it appear as if the resource doesn't exist.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return;
        }

        await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
    }
}

Also, the "secure by default" docs linked above should be updated to mention this gotcha, else the app doesn't behave as expected. In this scenario, that page is misleading as it states:

The fallback authorization policy requires all users to be authenticated, except for Razor Pages, controllers, or action methods with an authorization attribute. For example, Razor Pages, controllers, or action methods with [AllowAnonymous] or [Authorize(PolicyName="MyPolicy")] use the applied authorization attribute rather than the fallback authorization policy.

It should state that there is one case where the [AllowAnonymous] attribute is ignored, and that should link to the doc discussed above.

Similarly, the status code pages doc should include a warning box with the same note.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/customizingauthorizationmiddlewareresponse?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authorization/customizingauthorizationmiddlewareresponse.md

Document ID

d0147dca-5a50-c83b-ae92-8a7c4ea4f69f

Article author

@Rick-Anderson
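The complete wiring the issue describes, as an added example that is not code from the issue author or from the linked docs page: a minimal Program.cs that turns on the "secure by default" fallback policy, registers a result handler equivalent to the one in the issue body, and places StatusCodePages re-execution early enough that the 404 the handler sets is rendered by the error endpoint. The cookie login path, the `/Error/{0}` route and the endpoint names are assumptions for illustration; the error endpoint is deliberately marked anonymous, since the fallback policy would otherwise challenge the re-executed request too.

```csharp
// Added example, not the issue's or the docs' own code.
// Assumed: cookie authentication, login path "/Account/Login", error route "/Error/{0}".
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

var builder = WebApplication.CreateBuilder(args);

// Cookie auth: a challenge normally redirects to LoginPath (assumed value).
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options => options.LoginPath = "/Account/Login");

// "Secure by default": the fallback policy applies to every endpoint without its own
// authorization metadata, and also to requests that match no endpoint at all.
builder.Services.AddAuthorization(options => options.FallbackPolicy = options.DefaultPolicy);

// Swap the default result handler so that unmatched routes answer 404 instead of
// redirecting an anonymous caller to the login page.
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, NotFoundForUnmatchedRoutesHandler>();

var app = builder.Build();

// Must run before routing and authorization so it can re-execute the pipeline
// with the new path once the handler has set the 404 status code.
app.UseStatusCodePagesWithReExecute("/Error/{0}");

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// The error endpoint opts out of the fallback policy; without AllowAnonymous the
// re-executed request would be challenged again and still end up at the login page.
app.MapGet("/Error/{code:int}", (int code) => Results.Text($"Error {code}"))
   .AllowAnonymous();

app.MapGet("/Account/Login", () => Results.Text("login page")).AllowAnonymous();

// No attribute: the fallback policy requires an authenticated user here.
app.MapGet("/", () => Results.Text("authenticated content"));

app.Run();

// Same behaviour as the handler shown in the issue body: when the fallback policy
// challenged a request that matched no endpoint, return 404 so the response does not
// reveal whether the path exists; every other outcome is delegated to the default handler.
sealed class NotFoundForUnmatchedRoutesHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        if (!authorizeResult.Succeeded &&
            authorizeResult.Challenged &&
            context.GetEndpoint() is null)
        {
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return Task.CompletedTask;
        }

        return _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
    }
}
```

With this wiring an anonymous GET to an unknown path such as `/does-not-exist` yields the `/Error/404` response, while an anonymous GET to `/` is still challenged and redirected to the login page, which is the split the issue asks the docs to call out. Placing `UseStatusCodePagesWithReExecute` after `UseAuthorization` would defeat the setup, because the 404 would then be written after the only middleware able to re-execute the request has already run.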

@lonix1
Author

lonix1 commented Apr 22, 2024

Background info for this issue on StackOverflow.

@Rick-Anderson
Contributor

@lonix1 I think when using template-generated Razor Pages code, unauthorized access redirects to the sign-in page.

@Tratcher please assign a reviewer.

@Tratcher
Member

@adityamandaleeka and @mkArtakMSFT should be assigning reviewers now.
