Removing AuthorizationFilterAttribute as we do not want users to easily create their own authorization implementation. They should instead

use authorization policies and requirements(IAuthorizationRequirement) to enforce authorization.
[Fixes #4233] AuthorizationFilterAttribute returns UnauthorizedResult rather than ChallengeResult

src/Microsoft.AspNetCore.Mvc.Core/Filters/AuthorizationFilterAttribute.cs

@@ -1,53 +0,0 @@
-// Copyright (c) .NET Foundation. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-using System.Linq;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Mvc.Authorization;
-using Microsoft.AspNetCore.Mvc.Internal;
-
-namespace Microsoft.AspNetCore.Mvc.Filters
-{
-    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
-    public abstract class AuthorizationFilterAttribute :
-        Attribute, IAsyncAuthorizationFilter, IAuthorizationFilter, IOrderedFilter
-    {
-        public int Order { get; set; }
-
-        public virtual Task OnAuthorizationAsync(AuthorizationFilterContext context)
-        {
-            if (context == null)
-            {
-                throw new ArgumentNullException(nameof(context));
-            }
-
-            OnAuthorization(context);
-            return TaskCache.CompletedTask;
-        }
-
-        public virtual void OnAuthorization(AuthorizationFilterContext context)
-        {
-        }
-
-        protected virtual bool HasAllowAnonymous(AuthorizationFilterContext context)
-        {
-            if (context == null)
-            {
-                throw new ArgumentNullException(nameof(context));
-            }
-
-            return context.Filters.Any(item => item is IAllowAnonymousFilter);
-        }
-
-        protected virtual void Fail(AuthorizationFilterContext context)
-        {
-            if (context == null)
-            {
-                throw new ArgumentNullException(nameof(context));
-            }
-
-            context.Result = new UnauthorizedResult();
-        }
-    }
-}

test/WebSites/FiltersWebSite/Filters/AuthorizeUserAttribute.cs

@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Reflection;
 using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
@@ -9,9 +10,9 @@ using Microsoft.AspNetCore.Mvc.Filters;
 
 namespace FiltersWebSite
 {
-    public class AuthorizeUserAttribute : AuthorizationFilterAttribute
+    public class AuthorizeUserAttribute : Attribute, IAuthorizationFilter
     {
-        public override void OnAuthorization(AuthorizationFilterContext context)
+        public virtual void OnAuthorization(AuthorizationFilterContext context)
         {
             var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor;
             if (controllerActionDescriptor.MethodInfo ==

test/WebSites/FiltersWebSite/Filters/BlockAnonymous.cs

@@ -1,13 +1,17 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
+using System.Linq;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Authorization;
 using Microsoft.AspNetCore.Mvc.Filters;
 
 namespace FiltersWebSite
 {
-    public class BlockAnonymous : AuthorizationFilterAttribute
+    public class BlockAnonymous : Attribute, IAuthorizationFilter
     {
-        public override void OnAuthorization(AuthorizationFilterContext context)
+        public void OnAuthorization(AuthorizationFilterContext context)
         {
             if (!HasAllowAnonymous(context))
             {
@@ -19,9 +23,20 @@ namespace FiltersWebSite
 
                 if (userIsAnonymous)
                 {
-                    base.Fail(context);
+                    context.Result = new UnauthorizedResult();
                 }
             }
         }
+
+        private bool HasAllowAnonymous(AuthorizationFilterContext context)
+        {
+            if (context == null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            return context.Filters.Any(item => item is IAllowAnonymousFilter);
+        }
+
     }
 }

test/WebSites/FiltersWebSite/Filters/GlobalAuthorizationFilter.cs

@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Reflection;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Controllers;
@@ -8,9 +9,9 @@ using Microsoft.AspNetCore.Mvc.Filters;
 
 namespace FiltersWebSite
 {
-    public class GlobalAuthorizationFilter : AuthorizationFilterAttribute
+    public class GlobalAuthorizationFilter : Attribute, IAuthorizationFilter
     {
-        public override void OnAuthorization(AuthorizationFilterContext context)
+        public void OnAuthorization(AuthorizationFilterContext context)
         {
             var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor;
             if (controllerActionDescriptor.MethodInfo ==

test/WebSites/FiltersWebSite/Filters/ThrowingAuthorizationFilter.cs

@@ -6,9 +6,9 @@ using Microsoft.AspNetCore.Mvc.Filters;
 
 namespace FiltersWebSite
 {
-    public class ThrowingAuthorizationFilter : AuthorizationFilterAttribute
+    public class ThrowingAuthorizationFilter : Attribute, IAuthorizationFilter
     {
-        public override void OnAuthorization(AuthorizationFilterContext context)
+        public void OnAuthorization(AuthorizationFilterContext context)
         {
             throw new InvalidProgramException("Authorization Filter Threw");
         }