2

I'm implementing both authentication and authorization mechanisms in Asp.Net Core Web Api application.

I use JWT for users authentication configured in:

ConfigureServices(IServiceCollection services)
{
...
services.AddAuthentication(...).AddJwtBearer(...)
...
}

(similar to https://stackoverflow.com/a/45901894/1544054)

This service also populates HttpContext.User according to the JWT data.

For authorization I use a custom RBAC implementation, based on

class AccessControlFilter : IAuthorizationFilter
{
    public AccessControlFilter(string permission) {...}
    public void OnAuthorization(AuthorizationFilterContext context) {...}
}

(similar to the great answer in https://stackoverflow.com/a/41348219)

I need to know for sure that my AccessControlFilter will run AFTER the JWT Authentication Service, so that the context.HttpContext.User is already populated.

(I guess that the order is correct and filters will run after services, but I could not find the right documentation.)

Aviko
  • 949
  • 9
  • 17

1 Answer

1

From the ASP.NET Core Security Overview (emphasis mine):

Authentication vs. Authorization

Authentication is a process in which a user provides credentials that are then compared to those stored in an operating system, database, app or resource. If they match, users authenticate successfully, and can then perform actions that they're authorized for, during an authorization process. The authorization refers to the process that determines what a user is allowed to do.

Another way to think of authentication is to consider it as a way to enter a space, such as a server, database, app or resource, while authorization is which actions the user can perform to which objects inside that space (server, database, or app).

So to answer your question: authentication always occurs before the authorization pipeline. This makes sense, because you need to know who the user is before knowing what he's authorized to do.

Métoule
  • 8,373
  • 36
  • 62
  • 1
    I found a better article: Filters run After Middleware (see https://docs.microsoft.com/en-us/aspnet/core/mvc/controllers/filters). I will accept your answer since your article led me to the precise one. – Aviko Mar 05 '18 at 15:32
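The ordering discussed above, as an added example (not code from the question or the answer): in ASP.NET Core 2.x the JWT bearer middleware is registered before MVC, so by the time an IAuthorizationFilter runs, HttpContext.User has already been populated from the token. The "permission" claim type and the permission string are assumptions for this example; the filter fails closed when no authenticated principal is present rather than trusting an anonymous one.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options => { /* TokenValidationParameters go here */ });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Middleware order is what guarantees the filter sees a populated User:
        // authentication runs here, before the MVC middleware (and its filters).
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Permission name is carried in a "permission" claim (claim type is an assumption).
public class AccessControlFilter : IAuthorizationFilter
{
    private readonly string _permission;
    public AccessControlFilter(string permission) { _permission = permission; }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        // Fail closed: with no valid bearer token, User is an anonymous principal,
        // so return 401 instead of trusting it.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Result = new ChallengeResult();
            return;
        }
        // Authenticated but missing the required permission: 403.
        if (!user.Claims.Any(c => c.Type == "permission" && c.Value == _permission))
            context.Result = new ForbidResult();
    }
}
```

Apply it per action with [TypeFilter(typeof(AccessControlFilter), Arguments = new object[] { "orders:read" })], where "orders:read" is a placeholder permission name.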