英文:
Where are the authorize attributes coming from on the identity pages?
问题
A scaffolded ASP.NET Core Identity UI comes without authorization attributes. For example, LogOut.cshtml and LogOut.cshtml.cs have no authorization attribute. Yet, an unauthenticated user is redirected to the login page if visiting it, and indeed investigating the endpoint data for Identity/Account/LogOut indicates the presence of an AuthorizeAttribute (I used this neat way of displaying the endpoint data).
This is weird for a number of reasons. First, the LogOut.chtml contains logic for the unauthenticated case. On the sources, the original model in LogOut.chtml.cs even has an AllowAnonymous attribute.
Besides this particular weirdness with LogOut, I'm more generally trying to understand what determines those attributes/configurations here if it's not the scaffolded pages I have in my code - and none of them came with any authorization attributes.
I have everything straight from the wizard, there's also nothing done to the AppBuilder except MapRazorPages that should do something identity-specific.
英文:
A scaffolded ASP.NET Core Identity UI comes without authorization attributes. For example, LogOut.cshtml and LogOut.cshtml.cs have no authorization attribute. Yet, an unauthenticated user is redirected to the login page if visiting it, and indeed investigating the endpoint data for Identity/Account/LogOut indicates the presence of an AuthorizeAttribute (I used this neat way of displaying the endpoint data).
This is weird for a number of reasons. First, the LogOut.chtml contains logic for the unauthenticated case. On the sources, the original model in LogOut.chtml.cs even has an AllowAnonymous attribute.
Besides this particular weirdness with LogOut, I'm more genreally trying to understand what determines those attributes/configurations here if it's not the scaffolded pages I have in my code - and none of them came with any authorization attributes.
I have everything straight from the wizard, there's also nothing done to the AppBuilder except MapRazorPages that should do something identity-specific.
答案1
得分: 1
Identity.UI默认为“Logout”和“Manage”配置了全局的Authorize属性,但未为其他页面进行配置。因此,您需要为直接访问注销页面而不登录的情况添加AllowAnonymous属性。
您可以在IdentityDefaultUIConfigureOptions的源代码中看到这一点。当您添加Identity时使用的AddDefaultIdentity包含DefaultUI,因此它将默认添加到特定页面的约束。
另外,如果您不想使用AllowAnonymous属性,您还可以在Program.cs中使用全局配置:
builder.Services.AddRazorPages(option =>
{
option.Conventions.AllowAnonymousToAreaPage("Identity", "/Account/Logout");
});
参考链接:ASP.NET Core中的Razor页面授权约定。
希望这可以帮助您。
英文:
Identity.UI configures the global Authorize property for Logout and Manage by default, but not configured for other pages. So you need to add the AllowAnonymous attribute to directly access the Logout Page without logging in.
You can see this in the source code of IdentityDefaultUIConfigureOptions. The AddDefaultIdentity you used when adding Identity contains DefaultUI, so it will add constraints to specific pages by default.
Also, if you don't want to use the AllowAnonymous attribute, you can also use the global configuration in Program.cs:
builder.Services.AddRazorPages(option =>
{
option.Conventions.AllowAnonymousToAreaPage("Identity", "/Account/Logout");
});
Reference link: Razor Pages authorization conventions in ASP.NET Core.
Hope this can help you.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论