- IgnoreAuthenticationIfAllowAnonymous option added

- Samples updated
- Readme updated

Author: mihirdilip

README.md

@@ -54,11 +54,11 @@ public class Startup
 		services.AddControllers();
 
 		//// By default, authentication is not challenged for every request which is ASP.NET Core's default intended behaviour.
-		//// So to challenge authentication for every requests please use below option instead of above services.AddControllers().
-		//services.AddControllers(options => 
-		//{
-		//	options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
-		//});
+		//// So to challenge authentication for every requests please use below FallbackPolicy option.
+        //services.AddAuthorization(options =>
+        //{
+        //    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
+        //});
 	}
 
 	public void Configure(IApplicationBuilder app, IHostingEnvironment env)
@@ -178,16 +178,20 @@ Required to be set. It is the name of the header if it is setup as in-header or
 #### Realm
 Required to be set if SuppressWWWAuthenticateHeader is not set to true. It is used with WWW-Authenticate response header when challenging un-authenticated requests.  
 
-#### ForLegacyIgnoreExtraValidatedApiKeyCheck
-Default value is false. 
-If set to true, IApiKey.Key property returned from IApiKeyProvider.ProvideAsync(string) method is not compared with the key parsed from the request.
-This extra check did not existed in the previous version. So you if want to revert back to old version validation, please set this to true.
-   
 #### SuppressWWWAuthenticateHeader
 Default value is false.  
 When set to true, it will NOT return WWW-Authenticate response header when challenging un-authenticated requests.  
 When set to false, it will return WWW-Authenticate response header when challenging un-authenticated requests.
 
+#### IgnoreAuthenticationIfAllowAnonymous
+Default value is false.  
+If set to true, it checks if AllowAnonymous filter on controller action or metadata on the endpoint which, if found, it does not try to authenticate the request.
+
+#### ForLegacyIgnoreExtraValidatedApiKeyCheck
+Default value is false. 
+If set to true, IApiKey.Key property returned from IApiKeyProvider.ProvideAsync(string) method is not compared with the key parsed from the request.
+This extra check did not existed in the previous version. So you if want to revert back to old version validation, please set this to true.
+
 #### Events
 The object provided by the application to process events raised by the api key authentication middleware.  
 The application may implement the interface fully, or it may create an instance of ApiKeyEvents and assign delegates only to the events it wants to process.
@@ -222,9 +226,9 @@ Please note that, by default, with ASP.NET Core, all the requests are not challe
 However, if you want all the requests to challenge authentication by default, depending on what you are using, you can add the below options line to *ConfigureServices* method on *Startup* class.
 
 ```C#
-services.AddControllers(options => 
-{ 
-    options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
+services.AddAuthorization(options =>
+{
+    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
 });
 
 // OR

samples/SampleWebApi_2_0/SampleWebApi_2_0.csproj

@@ -12,7 +12,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="3.1.1" />
+    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="5.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.9" />
   </ItemGroup>
 

samples/SampleWebApi_2_2/SampleWebApi_2_2.csproj

@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="3.1.1" />
+    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="5.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.AspNetCore.Razor.Design" Version="2.2.0" PrivateAssets="All" />
   </ItemGroup>

samples/SampleWebApi_3_1/SampleWebApi_3_1.csproj

@@ -7,7 +7,7 @@
   <Import Project="..\SampleWebApi.Shared\SampleWebApi.Shared.projitems" Label="Shared" />
 
   <ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="3.1.1" />
+    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="5.0.0" />
   </ItemGroup>
 
   <!--<ItemGroup>

samples/SampleWebApi_3_1/Startup.cs

@@ -50,6 +50,12 @@ public void ConfigureServices(IServiceCollection services)
                     //// Optional option to suppress the browser login dialog for ajax calls.
                     //options.SuppressWWWAuthenticateHeader = true;
 
+                    //// Optional option to ignore extra check of ApiKey string after it is validated.
+                    //options.ForLegacyIgnoreExtraValidatedApiKeyCheck = true;
+
+                    //// Optional option to ignore authentication if AllowAnonumous metadata/filter attribute is added to an endpoint.
+                    //options.IgnoreAuthenticationIfAllowAnonymous = true;
+
                     //// Optional events to override the ApiKey original logic with custom logic.
                     //// Only use this if you know what you are doing at your own risk. Any of the events can be assigned. 
                     options.Events = new ApiKeyEvents
@@ -154,10 +160,16 @@ public void ConfigureServices(IServiceCollection services)
                 // ALWAYS USE HTTPS (SSL) protocol in production when using ApiKey authentication.
                 //options.Filters.Add<RequireHttpsAttribute>();
 
-                // All the requests will need to be authorized. 
-                // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
-                options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
             }); //.AddXmlSerializerFormatters()   // To enable XML along with JSON;
+
+            // All the requests will need to be authorized. 
+            // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
+            services.AddAuthorization(options =>
+            {
+                options.FallbackPolicy = new AuthorizationPolicyBuilder()
+                    .RequireAuthenticatedUser()
+                    .Build();
+            });
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

samples/SampleWebApi_5_0/SampleWebApi_5_0.csproj

@@ -6,12 +6,12 @@
 
   <Import Project="..\SampleWebApi.Shared\SampleWebApi.Shared.projitems" Label="Shared" />
 
-  <!--<ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="3.1.1" />
-  </ItemGroup>-->
-
   <ItemGroup>
-    <ProjectReference Include="..\..\src\AspNetCore.Authentication.ApiKey\AspNetCore.Authentication.ApiKey.csproj" />
+    <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="5.0.0" />
   </ItemGroup>
 
+  <!--<ItemGroup>
+    <ProjectReference Include="..\..\src\AspNetCore.Authentication.ApiKey\AspNetCore.Authentication.ApiKey.csproj" />
+  </ItemGroup>-->
+
 </Project>

samples/SampleWebApi_5_0/Startup.cs

@@ -1,3 +1,4 @@
+
 using AspNetCore.Authentication.ApiKey;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
@@ -50,6 +51,12 @@ public void ConfigureServices(IServiceCollection services)
                     //// Optional option to suppress the browser login dialog for ajax calls.
                     //options.SuppressWWWAuthenticateHeader = true;
 
+                    //// Optional option to ignore extra check of ApiKey string after it is validated.
+                    //options.ForLegacyIgnoreExtraValidatedApiKeyCheck = true;
+
+                    //// Optional option to ignore authentication if AllowAnonumous metadata/filter attribute is added to an endpoint.
+                    //options.IgnoreAuthenticationIfAllowAnonymous = true;
+
                     //// Optional events to override the ApiKey original logic with custom logic.
                     //// Only use this if you know what you are doing at your own risk. Any of the events can be assigned. 
                     options.Events = new ApiKeyEvents
@@ -154,10 +161,16 @@ public void ConfigureServices(IServiceCollection services)
                 // ALWAYS USE HTTPS (SSL) protocol in production when using ApiKey authentication.
                 //options.Filters.Add<RequireHttpsAttribute>();
 
-                // All the requests will need to be authorized. 
-                // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
-                options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
             }); //.AddXmlSerializerFormatters()   // To enable XML along with JSON;
+
+            // All the requests will need to be authorized. 
+            // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
+            services.AddAuthorization(options =>
+            {
+                options.FallbackPolicy = new AuthorizationPolicyBuilder()
+                    .RequireAuthenticatedUser()
+                    .Build();
+            });
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

src/AspNetCore.Authentication.ApiKey/ApiKeyHandlerBase.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License. See LICENSE file in the project root for license information.
 
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -39,6 +40,12 @@ protected ApiKeyHandlerBase(IOptionsMonitor<ApiKeyOptions> options, ILoggerFacto
 
 		protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 		{
+			if (IgnoreAuthenticationIfAllowAnonymous())
+            {
+				Logger.LogInformation("AllowAnonymous found on the endpoint so request was not authenticated.");
+				return AuthenticateResult.NoResult();
+			}
+
 			var apiKey = string.Empty;
 			try
 			{
@@ -201,5 +208,15 @@ private async Task<IApiKey> ValidateUsingApiKeyProviderAsync(string apiKey)
                 }
             }
 		}
+
+		private bool IgnoreAuthenticationIfAllowAnonymous()
+		{
+#if (NET461 || NETSTANDARD2_0)
+			return false;
+#else
+			return Options.IgnoreAuthenticationIfAllowAnonymous
+				&& Context.GetEndpoint()?.Metadata?.GetMetadata<Microsoft.AspNetCore.Authorization.IAllowAnonymous>() != null;
+#endif
+		}
 	}
 }

src/AspNetCore.Authentication.ApiKey/ApiKeyOptions.cs

@@ -50,6 +50,14 @@ public class ApiKeyOptions : AuthenticationSchemeOptions
         /// </summary>
         public bool ForLegacyIgnoreExtraValidatedApiKeyCheck { get; set; }
 
+#if !(NET461 || NETSTANDARD2_0)
+        /// <summary>
+        /// Default value is false.
+        /// If set to true, it checks if AllowAnonymous filter on controller action or metadata on the endpoint which, if found, it does not try to authenticate the request.
+        /// </summary>
+        public bool IgnoreAuthenticationIfAllowAnonymous { get; set; }
+#endif
+
         internal Type ApiKeyProviderType { get; set; } = null;
     }
 }

src/AspNetCore.Authentication.ApiKey/AspNetCore.Authentication.ApiKey.csproj

@@ -5,12 +5,11 @@
     <Version>5.0.0</Version>
     <RepositoryUrl>https://github.com/mihirdilip/aspnetcore-authentication-apiKey/tree/$(Version)</RepositoryUrl>
     <PackageProjectUrl>https://github.com/mihirdilip/aspnetcore-authentication-apiKey/tree/$(Version)</PackageProjectUrl>
-    <PackageTags>aspnetcore, security, authentication, microsoft, microsoft.aspnetcore.authentication, microsoft-aspnetcore-authentication, microsoft.aspnetcore.authentication.apikey, microsoft-aspnetcore-authentication-apikey, asp-net-core, netstandard, netstandard20, apikey-authentication, api-key-authentication, apikeyauthentication, dotnetcore, dotnetcore3.1, asp-net-core-apikey-authentication, aspnetcore-apikey-authentication, asp-net-core-authentication, aspnetcore-authentication, asp, aspnet, apikey, api-key, authentication-scheme</PackageTags>
-    <PackageReleaseNotes>- Ability to have ApiKey in Authorization header added
-- Fixed extensions methods to use correct handler
-- Fixed issue with resolving of IApiKeyProvider implementation when using multiple schemes
+    <PackageTags>aspnetcore, security, authentication, microsoft, microsoft.aspnetcore.authentication, microsoft-aspnetcore-authentication, microsoft.aspnetcore.authentication.apikey, microsoft-aspnetcore-authentication-apikey, asp-net-core, netstandard, netstandard20, apikey-authentication, api-key-authentication, apikeyauthentication, dotnetcore, dotnetcore3.1, net5, asp-net-core-apikey-authentication, aspnetcore-apikey-authentication, net5-apikey-authentication, asp-net-core-authentication, aspnetcore-authentication, net5-authentication, asp, aspnet, apikey, api-key, authentication-scheme</PackageTags>
+    <PackageReleaseNotes>- Net 5.0 target framework added
+- IgnoreAuthenticationIfAllowAnonymous added to the ApiKeyOptions from netcoreapp3.0 onwards
     </PackageReleaseNotes>
-    <Description>Easy to use and very light weight Microsoft style API Key Authentication Implementation for ASP.NET Core. It can be setup so that it can accept API Key either in Header, QueryParams or HeaderOrQueryParams.</Description>
+    <Description>Easy to use and very light weight Microsoft style API Key Authentication Implementation for ASP.NET Core. It can be setup so that it can accept API Key either in Header, Authorization Header, QueryParams or HeaderOrQueryParams.</Description>
     <Authors>Mihir Dilip</Authors>
     <Company>Mihir Dilip</Company>
     <Copyright>Copyright (c) 2020 Mihir Dilip</Copyright>