diff --git a/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs b/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs
index 3d15fad9a8..8211a6ad0e 100644
--- a/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs
+++ b/src/Microsoft.AspNet.Mvc.Core/Filters/AuthorizeAttribute.cs
@@ -50,7 +50,7 @@ namespace Microsoft.AspNet.Mvc
                 user.Identity == null ||
                 !user.Identity.IsAuthenticated;
 
-            if(userIsAnonymous)
+            if(userIsAnonymous && !HasAllowAnonymous(context))
             {
                 base.Fail(context);
             }
diff --git a/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs b/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs
index e73f89a117..ded64b399b 100644
--- a/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs
+++ b/test/Microsoft.AspNet.Mvc.Core.Test/Filters/AuthorizeAttributeTests.cs
@@ -45,6 +45,26 @@ namespace Microsoft.AspNet.Mvc.Core.Test
             Assert.NotNull(authorizationContext.Result);
         }
 
+        [Fact]
+        public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser()
+        {
+            // Arrange
+            var authorizationService = new DefaultAuthorizationService(Enumerable.Empty());
+            var authorizeAttribute = new AuthorizeAttribute();
+            var authorizationContext = GetAuthorizationContext(services =>
+                services.AddInstance(authorizationService),
+                anonymous: true
+            );
+
+            authorizationContext.Filters.Add(new AllowAnonymousAttribute());
+
+            // Act
+            await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
+
+            // Assert
+            Assert.Null(authorizationContext.Result);
+        }
+
+        [Fact]
+        public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
         {
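Review bot: The AllowAnonymous bypass on the changed `if` line is applied only to the anonymous branch, so an authenticated user who fails whatever checks follow in OnAuthorizationAsync (the method continues past this hunk) would presumably still be rejected on an action marked [AllowAnonymous], which differs from the attribute's conventional meaning of skipping authorization entirely. If bypassing everything is the intent, an early `if (HasAllowAnonymous(context)) { return; }` at the top of the method, before `userIsAnonymous` is computed, states that directly and keeps the two checks independent; if the narrower semantics are deliberate, a comment on the changed line such as `// [AllowAnonymous] only lifts the authenticated-user requirement; policy checks below still apply` would stop a later "fix" from silently widening the bypass. HasAllowAnonymous is not visible in this hunk; it presumably scans `context.Filters` for AllowAnonymousAttribute, and it is worth confirming that it also matches derived attribute types and that it reads the same filter collection the accompanying test populates.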
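Review bot: `Enumerable.Empty()` in the Arrange section of the new test has no type argument and would not compile as written; the generic parameter has most likely been lost in rendering and should read `Enumerable.Empty<T>()` with whatever handler type DefaultAuthorizationService accepts — worth confirming against the committed file. The new test pins only the positive path (anonymous user plus AllowAnonymous leaves Result null); a companion case showing that AllowAnonymous does not mask a failing authorization for an authenticated user, or that a subclass of AllowAnonymousAttribute is honoured, would fix the intended semantics of the production change rather than leaving them implied. Adding AllowAnonymousAttribute straight to `authorizationContext.Filters` is fine provided that is the collection HasAllowAnonymous inspects, which this hunk does not show.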