
There is no description of how schemes in Authorize.AuthenticationSchemes and schemes defined in policies interact with each other. #35027

@voroninp

Description


It's not obvious which final set of authentication schemes is used when schemes are specified both in Authorize.AuthenticationSchemes and in the policy definition.

One can expect that the schemes in Authorize.AuthenticationSchemes override the ones defined in the policy, but in fact the set of schemes used is built by combining the two lists 1 and 2.

The docs are missing this important clarification. A wrong mental model of the framework's behavior can lead to security breaches. If I specify authentication scheme B, but the default policy specifies scheme A, I am giving access to both schemes, which may not be my intent.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authorization/limitingidentitybyscheme.md

Document ID

0096c365-2f4e-5d21-89a0-c4f10fcb0ed9

Platform Id

099e63e1-c27f-9f00-8885-c551419ae35a

Article author

@Rick-Anderson

Metadata

  • ID: ee71441f-471a-89cd-0ef4-9b32b5dd85cf
  • PlatformId: 099e63e1-c27f-9f00-8885-c551419ae35a
  • Service: aspnet-core
  • Sub-service: security
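The following is an added example, not code from the issue or from the ASP.NET Core docs. It reproduces the behaviour the issue describes by calling `AuthorizationPolicy.CombineAsync`, the same helper the authorization middleware uses to build the effective policy for an endpoint, and prints the resulting scheme list for two configurations: an attribute that names scheme `B` with the default policy naming scheme `A` (both schemes end up accepted), and a named policy that carries scheme `B` alone (the default policy is not merged in when a policy name is given). The scheme names `A` and `B` and the policy name `BOnly` are constructed for the example; it assumes a console project that references the `Microsoft.AspNetCore.App` framework.

```csharp
// Added example (not part of the issue or the docs): build the effective policy
// with AuthorizationPolicy.CombineAsync, as the authorization middleware does,
// and show which authentication schemes the combined policy contains.
// Assumes a console project referencing the Microsoft.AspNetCore.App framework.
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

var options = new AuthorizationOptions();

// Default policy: authenticated user via scheme "A" (constructed scheme name).
options.DefaultPolicy = new AuthorizationPolicyBuilder("A")
    .RequireAuthenticatedUser()
    .Build();

// Named policy that carries its own scheme list. Because a policy name is
// specified on the attribute, the default policy (and its scheme "A") is not
// merged into the effective policy, so only "B" is accepted.
options.AddPolicy("BOnly", p => p
    .AddAuthenticationSchemes("B")
    .RequireAuthenticatedUser());

var provider = new DefaultAuthorizationPolicyProvider(Options.Create(options));

// Case 1: [Authorize(AuthenticationSchemes = "B")] with no policy name.
// The attribute's scheme is added first, then the default policy is combined,
// so the effective policy lists both "B" and "A".
var combined1 = await AuthorizationPolicy.CombineAsync(provider,
    new[] { new AuthorizeAttribute { AuthenticationSchemes = "B" } });
Console.WriteLine("AuthenticationSchemes=\"B\" + default policy -> " +
    string.Join(",", combined1!.AuthenticationSchemes));

// Case 2: [Authorize(Policy = "BOnly")].
// The named policy replaces the default policy, so only "B" is listed.
var combined2 = await AuthorizationPolicy.CombineAsync(provider,
    new[] { new AuthorizeAttribute { Policy = "BOnly" } });
Console.WriteLine("Policy=\"BOnly\" -> " +
    string.Join(",", combined2!.AuthenticationSchemes));
```

When the combined policy lists more than one scheme, the policy evaluator authenticates the request against each listed scheme and merges the resulting identities, so a request that succeeds under any one of them satisfies the authentication requirement. Running the first case prints `B,A`, which is the combined set the issue warns about; the second case prints `B`. For endpoints that must accept exactly one scheme, a named policy that lists that scheme (as in `BOnly`) is the configuration that keeps the default policy's schemes out of the effective set.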
