I have a .Net Core 3.0 Web API that is configured with as such:
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
...
});
services.AddAuthorizationCore(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
});
And I enable it in the controller like:
[Authorize(Roles = "Admin,Technician")]
public IActionResult CreateFoo([FromBody] Foo foo)
Some api endpoints are also disabled using the [AllowAnonymous]
.
This product is supporting multiple environments, and one endpoint needs to be either anonymous or authorized dependent on the runtime variable; currently using custom "ASPNETCORE_ENVIRONMENT" options.
I have seen this comment from .net security person, but if I implement a custom policy, it disallows anonymous access.
What is the easiest way to allow anonymous access if the application is running in a certain environment?