Annotate Authorization.Core, Authorization.Policy with nullable (#22990)

Contributes to https://github.com/dotnet/aspnetcore/issues/5680

eng/targets/CSharp.Common.targets

@@ -35,13 +35,14 @@
         The code block that follows sets it up so projects in this repo that target ns2.0 or netfx can compile when Nullable is configured.
         Based on https://github.com/dotnet/runtime/blob/93b6c449d4f31ddd7d573d1d3769e681d5ebceb9/src/libraries/Directory.Build.targets#L215-L222
      -->
-    <When Condition="'$(Nullable)' != '' AND ('$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFrameworkIdentifier)' == '.NETFramework')">
+    <When Condition="'$(Nullable)' != '' AND ('$(TargetFrameworkIdentifier)' == '.NETStandard' OR '$(TargetFrameworkIdentifier)' == '.NETFramework')">
-        <PropertyGroup>
+      <PropertyGroup>
-          <DefineConstants>$(DefineConstants),INTERNAL_NULLABLE_ATTRIBUTES</DefineConstants>
+        <DefineConstants>$(DefineConstants),INTERNAL_NULLABLE_ATTRIBUTES</DefineConstants>
-        </PropertyGroup>
+        <NoWarn>$(NoWarn);nullable</NoWarn>
-        <ItemGroup>
+      </PropertyGroup>
-          <Compile Include="$(SharedSourceRoot)Nullable\NullableAttributes.cs" />
+      <ItemGroup>
-        </ItemGroup>
+        <Compile Include="$(SharedSourceRoot)Nullable\NullableAttributes.cs" />
+      </ItemGroup>
     </When>
   </Choose>
 

src/Security/Authorization/Core/ref/Microsoft.AspNetCore.Authorization.csproj

@@ -3,6 +3,7 @@
   <PropertyGroup>
     <TargetFrameworks>netstandard2.0;$(DefaultNetCoreTargetFramework)</TargetFrameworks>
     <TargetFrameworks Condition="'$(DotNetBuildFromSource)' == 'true'">$(DefaultNetCoreTargetFramework)</TargetFrameworks>
+    <Nullable>annotations</Nullable>
   </PropertyGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <Compile Include="Microsoft.AspNetCore.Authorization.netstandard2.0.cs" />

src/Security/Authorization/Core/ref/Microsoft.AspNetCore.Authorization.netcoreapp.cs

@@ -18,12 +18,12 @@ namespace Microsoft.AspNetCore.Authorization
     }
     public partial class AuthorizationHandlerContext
     {
-        public AuthorizationHandlerContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object resource) { }
+        public AuthorizationHandlerContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object? resource) { }
         public virtual bool HasFailed { get { throw null; } }
         public virtual bool HasSucceeded { get { throw null; } }
         public virtual System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> PendingRequirements { get { throw null; } }
         public virtual System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> Requirements { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
-        public virtual object Resource { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public virtual object? Resource { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public virtual System.Security.Claims.ClaimsPrincipal User { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public virtual void Fail() { }
         public virtual void Succeed(Microsoft.AspNetCore.Authorization.IAuthorizationRequirement requirement) { }
@@ -46,11 +46,11 @@ namespace Microsoft.AspNetCore.Authorization
     {
         public AuthorizationOptions() { }
         public Microsoft.AspNetCore.Authorization.AuthorizationPolicy DefaultPolicy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy FallbackPolicy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy? FallbackPolicy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
         public bool InvokeHandlersAfterFailure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
         public void AddPolicy(string name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { }
         public void AddPolicy(string name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder> configurePolicy) { }
-        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy GetPolicy(string name) { throw null; }
+        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy? GetPolicy(string name) { throw null; }
     }
     public partial class AuthorizationPolicy
     {
@@ -60,7 +60,7 @@ namespace Microsoft.AspNetCore.Authorization
         public static Microsoft.AspNetCore.Authorization.AuthorizationPolicy Combine(params Microsoft.AspNetCore.Authorization.AuthorizationPolicy[] policies) { throw null; }
         public static Microsoft.AspNetCore.Authorization.AuthorizationPolicy Combine(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> policies) { throw null; }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData> authorizeData) { throw null; }
+        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData> authorizeData) { throw null; }
     }
     public partial class AuthorizationPolicyBuilder
     {
@@ -85,7 +85,7 @@ namespace Microsoft.AspNetCore.Authorization
     public partial class AuthorizationResult
     {
         internal AuthorizationResult() { }
-        public Microsoft.AspNetCore.Authorization.AuthorizationFailure Failure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public Microsoft.AspNetCore.Authorization.AuthorizationFailure? Failure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public bool Succeeded { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public static Microsoft.AspNetCore.Authorization.AuthorizationResult Failed() { throw null; }
         public static Microsoft.AspNetCore.Authorization.AuthorizationResult Failed(Microsoft.AspNetCore.Authorization.AuthorizationFailure failure) { throw null; }
@@ -94,7 +94,7 @@ namespace Microsoft.AspNetCore.Authorization
     public static partial class AuthorizationServiceExtensions
     {
         public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { throw null; }
-        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, object resource, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { throw null; }
+        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, object? resource, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { throw null; }
         public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, object resource, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement requirement) { throw null; }
         public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, string policyName) { throw null; }
     }
@@ -103,9 +103,9 @@ namespace Microsoft.AspNetCore.Authorization
     {
         public AuthorizeAttribute() { }
         public AuthorizeAttribute(string policy) { }
-        public string AuthenticationSchemes { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? AuthenticationSchemes { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        public string Policy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? Policy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        public string Roles { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? Roles { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
     }
     public partial class DefaultAuthorizationEvaluator : Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator
     {
@@ -115,7 +115,7 @@ namespace Microsoft.AspNetCore.Authorization
     public partial class DefaultAuthorizationHandlerContextFactory : Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory
     {
         public DefaultAuthorizationHandlerContextFactory() { }
-        public virtual Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object resource) { throw null; }
+        public virtual Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object? resource) { throw null; }
     }
     public partial class DefaultAuthorizationHandlerProvider : Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider
     {
@@ -126,16 +126,16 @@ namespace Microsoft.AspNetCore.Authorization
     {
         public DefaultAuthorizationPolicyProvider(Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions> options) { }
         public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetDefaultPolicyAsync() { throw null; }
-        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetFallbackPolicyAsync() { throw null; }
+        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetFallbackPolicyAsync() { throw null; }
-        public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetPolicyAsync(string policyName) { throw null; }
+        public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetPolicyAsync(string policyName) { throw null; }
     }
     public partial class DefaultAuthorizationService : Microsoft.AspNetCore.Authorization.IAuthorizationService
     {
         public DefaultAuthorizationService(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider policyProvider, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider handlers, Microsoft.Extensions.Logging.ILogger<Microsoft.AspNetCore.Authorization.DefaultAuthorizationService> logger, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory contextFactory, Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator evaluator, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions> options) { }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements) { throw null; }
+        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements) { throw null; }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, string policyName) { throw null; }
+        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, string policyName) { throw null; }
     }
     public partial interface IAuthorizationEvaluator
     {
@@ -147,7 +147,7 @@ namespace Microsoft.AspNetCore.Authorization
     }
     public partial interface IAuthorizationHandlerContextFactory
     {
-        Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object resource);
+        Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object? resource);
     }
     public partial interface IAuthorizationHandlerProvider
     {
@@ -156,16 +156,16 @@ namespace Microsoft.AspNetCore.Authorization
     public partial interface IAuthorizationPolicyProvider
     {
         System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetDefaultPolicyAsync();
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetFallbackPolicyAsync();
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetFallbackPolicyAsync();
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetPolicyAsync(string policyName);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetPolicyAsync(string policyName);
     }
     public partial interface IAuthorizationRequirement
     {
     }
     public partial interface IAuthorizationService
     {
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements);
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, string policyName);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, string policyName);
     }
 }
 namespace Microsoft.AspNetCore.Authorization.Infrastructure
@@ -181,8 +181,8 @@ namespace Microsoft.AspNetCore.Authorization.Infrastructure
     }
     public partial class ClaimsAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
-        public ClaimsAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string> allowedValues) { }
+        public ClaimsAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string>? allowedValues) { }
-        public System.Collections.Generic.IEnumerable<string> AllowedValues { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public System.Collections.Generic.IEnumerable<string>? AllowedValues { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public string ClaimType { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement requirement) { throw null; }
         public override string ToString() { throw null; }

src/Security/Authorization/Core/ref/Microsoft.AspNetCore.Authorization.netstandard2.0.cs

@@ -18,12 +18,12 @@ namespace Microsoft.AspNetCore.Authorization
     }
     public partial class AuthorizationHandlerContext
     {
-        public AuthorizationHandlerContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object resource) { }
+        public AuthorizationHandlerContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object? resource) { }
         public virtual bool HasFailed { get { throw null; } }
         public virtual bool HasSucceeded { get { throw null; } }
         public virtual System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> PendingRequirements { get { throw null; } }
         public virtual System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> Requirements { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
-        public virtual object Resource { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public virtual object? Resource { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public virtual System.Security.Claims.ClaimsPrincipal User { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public virtual void Fail() { }
         public virtual void Succeed(Microsoft.AspNetCore.Authorization.IAuthorizationRequirement requirement) { }
@@ -46,11 +46,11 @@ namespace Microsoft.AspNetCore.Authorization
     {
         public AuthorizationOptions() { }
         public Microsoft.AspNetCore.Authorization.AuthorizationPolicy DefaultPolicy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy FallbackPolicy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy? FallbackPolicy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
         public bool InvokeHandlersAfterFailure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
         public void AddPolicy(string name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { }
         public void AddPolicy(string name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder> configurePolicy) { }
-        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy GetPolicy(string name) { throw null; }
+        public Microsoft.AspNetCore.Authorization.AuthorizationPolicy? GetPolicy(string name) { throw null; }
     }
     public partial class AuthorizationPolicy
     {
@@ -60,7 +60,7 @@ namespace Microsoft.AspNetCore.Authorization
         public static Microsoft.AspNetCore.Authorization.AuthorizationPolicy Combine(params Microsoft.AspNetCore.Authorization.AuthorizationPolicy[] policies) { throw null; }
         public static Microsoft.AspNetCore.Authorization.AuthorizationPolicy Combine(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> policies) { throw null; }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData> authorizeData) { throw null; }
+        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData> authorizeData) { throw null; }
     }
     public partial class AuthorizationPolicyBuilder
     {
@@ -85,7 +85,7 @@ namespace Microsoft.AspNetCore.Authorization
     public partial class AuthorizationResult
     {
         internal AuthorizationResult() { }
-        public Microsoft.AspNetCore.Authorization.AuthorizationFailure Failure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public Microsoft.AspNetCore.Authorization.AuthorizationFailure? Failure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public bool Succeeded { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public static Microsoft.AspNetCore.Authorization.AuthorizationResult Failed() { throw null; }
         public static Microsoft.AspNetCore.Authorization.AuthorizationResult Failed(Microsoft.AspNetCore.Authorization.AuthorizationFailure failure) { throw null; }
@@ -94,7 +94,7 @@ namespace Microsoft.AspNetCore.Authorization
     public static partial class AuthorizationServiceExtensions
     {
         public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { throw null; }
-        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, object resource, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { throw null; }
+        public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, object? resource, Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy) { throw null; }
         public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, object resource, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement requirement) { throw null; }
         public static System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(this Microsoft.AspNetCore.Authorization.IAuthorizationService service, System.Security.Claims.ClaimsPrincipal user, string policyName) { throw null; }
     }
@@ -103,9 +103,9 @@ namespace Microsoft.AspNetCore.Authorization
     {
         public AuthorizeAttribute() { }
         public AuthorizeAttribute(string policy) { }
-        public string AuthenticationSchemes { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? AuthenticationSchemes { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        public string Policy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? Policy { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
-        public string Roles { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? Roles { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
     }
     public partial class DefaultAuthorizationEvaluator : Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator
     {
@@ -115,7 +115,7 @@ namespace Microsoft.AspNetCore.Authorization
     public partial class DefaultAuthorizationHandlerContextFactory : Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory
     {
         public DefaultAuthorizationHandlerContextFactory() { }
-        public virtual Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object resource) { throw null; }
+        public virtual Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object? resource) { throw null; }
     }
     public partial class DefaultAuthorizationHandlerProvider : Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider
     {
@@ -126,16 +126,16 @@ namespace Microsoft.AspNetCore.Authorization
     {
         public DefaultAuthorizationPolicyProvider(Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions> options) { }
         public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetDefaultPolicyAsync() { throw null; }
-        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetFallbackPolicyAsync() { throw null; }
+        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetFallbackPolicyAsync() { throw null; }
-        public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetPolicyAsync(string policyName) { throw null; }
+        public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetPolicyAsync(string policyName) { throw null; }
     }
     public partial class DefaultAuthorizationService : Microsoft.AspNetCore.Authorization.IAuthorizationService
     {
         public DefaultAuthorizationService(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider policyProvider, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider handlers, Microsoft.Extensions.Logging.ILogger<Microsoft.AspNetCore.Authorization.DefaultAuthorizationService> logger, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory contextFactory, Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator evaluator, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions> options) { }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements) { throw null; }
+        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements) { throw null; }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, string policyName) { throw null; }
+        public System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, string policyName) { throw null; }
     }
     public partial interface IAuthorizationEvaluator
     {
@@ -147,7 +147,7 @@ namespace Microsoft.AspNetCore.Authorization
     }
     public partial interface IAuthorizationHandlerContextFactory
     {
-        Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object resource);
+        Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext CreateContext(System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements, System.Security.Claims.ClaimsPrincipal user, object? resource);
     }
     public partial interface IAuthorizationHandlerProvider
     {
@@ -156,16 +156,16 @@ namespace Microsoft.AspNetCore.Authorization
     public partial interface IAuthorizationPolicyProvider
     {
         System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetDefaultPolicyAsync();
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetFallbackPolicyAsync();
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetFallbackPolicyAsync();
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy> GetPolicyAsync(string policyName);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?> GetPolicyAsync(string policyName);
     }
     public partial interface IAuthorizationRequirement
     {
     }
     public partial interface IAuthorizationService
     {
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement> requirements);
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object resource, string policyName);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationResult> AuthorizeAsync(System.Security.Claims.ClaimsPrincipal user, object? resource, string policyName);
     }
 }
 namespace Microsoft.AspNetCore.Authorization.Infrastructure
@@ -181,8 +181,8 @@ namespace Microsoft.AspNetCore.Authorization.Infrastructure
     }
     public partial class ClaimsAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
-        public ClaimsAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string> allowedValues) { }
+        public ClaimsAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string>? allowedValues) { }
-        public System.Collections.Generic.IEnumerable<string> AllowedValues { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public System.Collections.Generic.IEnumerable<string>? AllowedValues { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public string ClaimType { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement requirement) { throw null; }
         public override string ToString() { throw null; }

src/Security/Authorization/Core/src/AuthorizationFailure.cs

@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
 using System.Security.Claims;
 
@@ -21,7 +22,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// <summary>
         /// Failure was due to these requirements not being met via <see cref="AuthorizationHandlerContext.Succeed(IAuthorizationRequirement)"/>.
         /// </summary>
-        public IEnumerable<IAuthorizationRequirement> FailedRequirements { get; private set; }
+        public IEnumerable<IAuthorizationRequirement> FailedRequirements { get; private set; } = Array.Empty<IAuthorizationRequirement>();
 
         /// <summary>
         /// Return a failure due to <see cref="AuthorizationHandlerContext.Fail"/> being called.
@@ -31,7 +32,6 @@ namespace Microsoft.AspNetCore.Authorization
             => new AuthorizationFailure
             {
                 FailCalled = true,
-                FailedRequirements = new IAuthorizationRequirement[0]
             };
 
         /// <summary>

src/Security/Authorization/Core/src/AuthorizationHandlerContext.cs

@@ -26,7 +26,7 @@ namespace Microsoft.AspNetCore.Authorization
         public AuthorizationHandlerContext(
             IEnumerable<IAuthorizationRequirement> requirements,
             ClaimsPrincipal user,
-            object resource)
+            object? resource)
         {
             if (requirements == null)
             {
@@ -52,7 +52,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// <summary>
         /// The optional resource to evaluate the <see cref="AuthorizationHandlerContext.Requirements"/> against.
         /// </summary>
-        public virtual object Resource { get; }
+        public virtual object? Resource { get; }
 
         /// <summary>
         /// Gets the requirements that have not yet been marked as succeeded.
@@ -95,4 +95,4 @@ namespace Microsoft.AspNetCore.Authorization
             _pendingRequirements.Remove(requirement);
         }
     }
-}
+}

src/Security/Authorization/Core/src/AuthorizationOptions.cs

@@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.Authorization
     /// </summary>
     public class AuthorizationOptions
     {
-        private IDictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>(StringComparer.OrdinalIgnoreCase);
+        private Dictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>(StringComparer.OrdinalIgnoreCase);
 
         /// <summary>
         /// Determines whether authentication handlers should be invoked after a failure.
@@ -35,7 +35,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// effect unless you have the AuthorizationMiddleware in your pipeline. It is not used in any way by the 
         /// default <see cref="IAuthorizationService"/>.
         /// </summary>
-        public AuthorizationPolicy FallbackPolicy { get; set; }
+        public AuthorizationPolicy? FallbackPolicy { get; set; }
 
         /// <summary>
         /// Add an authorization policy with the provided name.
@@ -84,14 +84,19 @@ namespace Microsoft.AspNetCore.Authorization
         /// </summary>
         /// <param name="name">The name of the policy to return.</param>
         /// <returns>The policy for the specified name, or null if a policy with the name does not exist.</returns>
-        public AuthorizationPolicy GetPolicy(string name)
+        public AuthorizationPolicy? GetPolicy(string name)
         {
             if (name == null)
             {
                 throw new ArgumentNullException(nameof(name));
             }
 
-            return PolicyMap.ContainsKey(name) ? PolicyMap[name] : null;
+            if (PolicyMap.TryGetValue(name, out var value))
+            {
+                return value;
+            }
+
+            return null;
         }
     }
 }

src/Security/Authorization/Core/src/AuthorizationPolicy.cs

@@ -108,7 +108,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
         /// authorization policies provided by the specified <paramref name="policyProvider"/>.
         /// </returns>
-        public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
+        public static async Task<AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
         {
             if (policyProvider == null)
             {
@@ -127,7 +127,7 @@ namespace Microsoft.AspNetCore.Authorization
                 skipEnumeratingData = dataList.Count == 0;
             }
 
-            AuthorizationPolicyBuilder policyBuilder = null;
+            AuthorizationPolicyBuilder? policyBuilder = null;
             if (!skipEnumeratingData)
             {
                 foreach (var authorizeDatum in authorizeData)

src/Security/Authorization/Core/src/AuthorizationResult.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Security.Claims;
 
 namespace Microsoft.AspNetCore.Authorization
@@ -21,7 +22,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// <summary>
         /// Contains information about why authorization failed.
         /// </summary>
-        public AuthorizationFailure Failure { get; private set; }
+        public AuthorizationFailure? Failure { get; private set; }
 
         /// <summary>
         /// Returns a successful result.

src/Security/Authorization/Core/src/AuthorizationServiceCollectionExtensions.cs

@@ -51,11 +51,7 @@ namespace Microsoft.Extensions.DependencyInjection
                 throw new ArgumentNullException(nameof(services));
             }
 
-            if (configure != null)
+            services.Configure(configure);
-            {
-                services.Configure(configure);
-            }
-
             return services.AddAuthorizationCore();
         }
     }

src/Security/Authorization/Core/src/AuthorizationServiceExtensions.cs

@@ -50,7 +50,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// A flag indicating whether policy evaluation has succeeded or failed.
         /// This value is <value>true</value> when the user fulfills the policy, otherwise <value>false</value>.
         /// </returns>
-        public static Task<AuthorizationResult> AuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, object resource, AuthorizationPolicy policy)
+        public static Task<AuthorizationResult> AuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, object? resource, AuthorizationPolicy policy)
         {
             if (service == null)
             {
@@ -115,4 +115,4 @@ namespace Microsoft.AspNetCore.Authorization
             return service.AuthorizeAsync(user, resource: null, policyName: policyName);
         }
     }
-}
+}

src/Security/Authorization/Core/src/AuthorizeAttribute.cs

@@ -28,16 +28,16 @@ namespace Microsoft.AspNetCore.Authorization
         /// <summary>
         /// Gets or sets the policy name that determines access to the resource.
         /// </summary>
-        public string Policy { get; set; }
+        public string? Policy { get; set; }
 
         /// <summary>
         /// Gets or sets a comma delimited list of roles that are allowed to access the resource.
         /// </summary>
-        public string Roles { get; set; }
+        public string? Roles { get; set; }
 
         /// <summary>
         /// Gets or sets a comma delimited list of schemes from which user information is constructed.
         /// </summary>
-        public string AuthenticationSchemes { get; set; }
+        public string? AuthenticationSchemes { get; set; }
     }
 }

src/Security/Authorization/Core/src/ClaimsAuthorizationRequirement.cs

@@ -22,7 +22,7 @@ namespace Microsoft.AspNetCore.Authorization.Infrastructure
         /// <param name="claimType">The claim type that must be present.</param>
         /// <param name="allowedValues">The optional list of claim values, which, if present, 
         /// the claim must match.</param>
-        public ClaimsAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues)
+        public ClaimsAuthorizationRequirement(string claimType, IEnumerable<string>? allowedValues)
         {
             if (claimType == null)
             {
@@ -42,7 +42,7 @@ namespace Microsoft.AspNetCore.Authorization.Infrastructure
         /// Gets the optional list of claim values, which, if present, 
         /// the claim must match.
         /// </summary>
-        public IEnumerable<string> AllowedValues { get; }
+        public IEnumerable<string>? AllowedValues { get; }
 
         /// <summary>
         /// Makes a decision if authorization is allowed based on the claims requirements specified.

src/Security/Authorization/Core/src/DefaultAuthorizationHandlerContextFactory.cs

@@ -21,7 +21,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// If a resource is not required for policy evaluation you may pass null as the value.
         /// </param>
         /// <returns>The <see cref="AuthorizationHandlerContext"/>.</returns>
-        public virtual AuthorizationHandlerContext CreateContext(IEnumerable<IAuthorizationRequirement> requirements, ClaimsPrincipal user, object resource)
+        public virtual AuthorizationHandlerContext CreateContext(IEnumerable<IAuthorizationRequirement> requirements, ClaimsPrincipal user, object? resource)
         {
             return new AuthorizationHandlerContext(requirements, user, resource);
         }

src/Security/Authorization/Core/src/DefaultAuthorizationPolicyProvider.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Diagnostics.CodeAnalysis;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Options;
 
@@ -14,8 +15,8 @@ namespace Microsoft.AspNetCore.Authorization
     public class DefaultAuthorizationPolicyProvider : IAuthorizationPolicyProvider
     {
         private readonly AuthorizationOptions _options;
-        private Task<AuthorizationPolicy> _cachedDefaultPolicy;
+        private Task<AuthorizationPolicy>? _cachedDefaultPolicy;
-        private Task<AuthorizationPolicy> _cachedFallbackPolicy;
+        private Task<AuthorizationPolicy?>? _cachedFallbackPolicy;
 
         /// <summary>
         /// Creates a new instance of <see cref="DefaultAuthorizationPolicyProvider"/>.
@@ -37,26 +38,26 @@ namespace Microsoft.AspNetCore.Authorization
         /// <returns>The default authorization policy.</returns>
         public Task<AuthorizationPolicy> GetDefaultPolicyAsync()
         {
-            return GetCachedPolicy(ref _cachedDefaultPolicy, _options.DefaultPolicy);
+            if (_cachedDefaultPolicy == null || _cachedDefaultPolicy.Result != _options.DefaultPolicy)
+            {
+                _cachedDefaultPolicy = Task.FromResult(_options.DefaultPolicy);
+            }
+
+            return _cachedDefaultPolicy;
         }
 
         /// <summary>
         /// Gets the fallback authorization policy.
         /// </summary>
         /// <returns>The fallback authorization policy.</returns>
-        public Task<AuthorizationPolicy> GetFallbackPolicyAsync()
+        public Task<AuthorizationPolicy?> GetFallbackPolicyAsync()
         {
-            return GetCachedPolicy(ref _cachedFallbackPolicy, _options.FallbackPolicy);
+            if (_cachedFallbackPolicy == null || _cachedFallbackPolicy.Result != _options.FallbackPolicy)
-        }
-
-        private Task<AuthorizationPolicy> GetCachedPolicy(ref Task<AuthorizationPolicy> cachedPolicy, AuthorizationPolicy currentPolicy)
-        {
-            var local = cachedPolicy;
-            if (local == null || local.Result != currentPolicy)
             {
-                cachedPolicy = local = Task.FromResult(currentPolicy);
+                _cachedFallbackPolicy = Task.FromResult(_options.FallbackPolicy);
             }
-            return local;
+
+            return _cachedFallbackPolicy;
         }
 
         /// <summary>
@@ -64,7 +65,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// </summary>
         /// <param name="policyName">The policy name to retrieve.</param>
         /// <returns>The named <see cref="AuthorizationPolicy"/>.</returns>
-        public virtual Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
+        public virtual Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
         {
             // MVC caches policies specifically for this class, so this method MUST return the same policy per
             // policyName for every request or it could allow undesired access. It also must return synchronously.

src/Security/Authorization/Core/src/DefaultAuthorizationService.cs

@@ -77,7 +77,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// A flag indicating whether authorization has succeeded.
         /// This value is <value>true</value> when the user fulfills the policy otherwise <value>false</value>.
         /// </returns>
-        public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)
+        public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, IEnumerable<IAuthorizationRequirement> requirements)
         {
             if (requirements == null)
             {
@@ -102,7 +102,7 @@ namespace Microsoft.AspNetCore.Authorization
             }
             else
             {
-                _logger.UserAuthorizationFailed(result.Failure);
+                _logger.UserAuthorizationFailed(result.Failure!);
             }
             return result;
         }
@@ -117,7 +117,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// A flag indicating whether authorization has succeeded.
         /// This value is <value>true</value> when the user fulfills the policy otherwise <value>false</value>.
         /// </returns>
-        public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
+        public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, string policyName)
         {
             if (policyName == null)
             {

src/Security/Authorization/Core/src/IAuthorizationHandlerContextFactory.cs

@@ -21,6 +21,6 @@ namespace Microsoft.AspNetCore.Authorization
         /// If a resource is not required for policy evaluation you may pass null as the value.
         /// </param>
         /// <returns>The <see cref="AuthorizationHandlerContext"/>.</returns>
-        AuthorizationHandlerContext CreateContext(IEnumerable<IAuthorizationRequirement> requirements, ClaimsPrincipal user, object resource);
+        AuthorizationHandlerContext CreateContext(IEnumerable<IAuthorizationRequirement> requirements, ClaimsPrincipal user, object? resource);
     }
 }

src/Security/Authorization/Core/src/IAuthorizationPolicyProvider.cs

@@ -15,7 +15,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// </summary>
         /// <param name="policyName">The policy name to retrieve.</param>
         /// <returns>The named <see cref="AuthorizationPolicy"/>.</returns>
-        Task<AuthorizationPolicy> GetPolicyAsync(string policyName);
+        Task<AuthorizationPolicy?> GetPolicyAsync(string policyName);
 
         /// <summary>
         /// Gets the default authorization policy.
@@ -27,6 +27,6 @@ namespace Microsoft.AspNetCore.Authorization
         /// Gets the fallback authorization policy.
         /// </summary>
         /// <returns>The fallback authorization policy.</returns>
-        Task<AuthorizationPolicy> GetFallbackPolicyAsync();
+        Task<AuthorizationPolicy?> GetFallbackPolicyAsync();
     }
 }

src/Security/Authorization/Core/src/IAuthorizationService.cs

@@ -29,7 +29,7 @@ namespace Microsoft.AspNetCore.Authorization
         /// Resource is an optional parameter and may be null. Please ensure that you check it is not 
         /// null before acting upon it.
         /// </remarks>
-        Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements);
+        Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, IEnumerable<IAuthorizationRequirement> requirements);
 
         /// <summary>
         /// Checks if a user meets a specific authorization policy
@@ -49,6 +49,6 @@ namespace Microsoft.AspNetCore.Authorization
         /// Resource is an optional parameter and may be null. Please ensure that you check it is not 
         /// null before acting upon it.
         /// </remarks>
-        Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName);
+        Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, string policyName);
     }
-}
+}

src/Security/Authorization/Core/src/LoggingExtensions.cs

@@ -8,8 +8,8 @@ namespace Microsoft.Extensions.Logging
 {
     internal static class LoggingExtensions
     {
-        private static Action<ILogger, string, Exception> _userAuthorizationFailed;
+        private static Action<ILogger, string, Exception?> _userAuthorizationFailed;
-        private static Action<ILogger, Exception> _userAuthorizationSucceeded;
+        private static Action<ILogger, Exception?> _userAuthorizationSucceeded;
 
         static LoggingExtensions()
         {

src/Security/Authorization/Core/src/Microsoft.AspNetCore.Authorization.csproj

@@ -11,6 +11,7 @@ Microsoft.AspNetCore.Authorization.AuthorizeAttribute</Description>
     <NoWarn>$(NoWarn);CS1591</NoWarn>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authorization</PackageTags>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>

src/Security/Authorization/Core/src/OperationAuthorizationRequirement.cs

@@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.Authorization.Infrastructure
         /// <summary>
         /// The name of this instance of <see cref="IAuthorizationRequirement"/>.
         /// </summary>
-        public string Name { get; set; }
+        public string Name { get; set; } = default!;
 
         public override string ToString()
         {

src/Security/Authorization/Policy/ref/Microsoft.AspNetCore.Authorization.Policy.csproj

@@ -2,6 +2,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>$(DefaultNetCoreTargetFramework)</TargetFrameworks>
+    <Nullable>annotations</Nullable>
   </PropertyGroup>
   <ItemGroup Condition="'$(TargetFramework)' == '$(DefaultNetCoreTargetFramework)'">
     <Compile Include="Microsoft.AspNetCore.Authorization.Policy.netcoreapp.cs" />

src/Security/Authorization/Policy/ref/Microsoft.AspNetCore.Authorization.Policy.netcoreapp.cs

@@ -25,18 +25,18 @@ namespace Microsoft.AspNetCore.Authorization.Policy
     public partial interface IPolicyEvaluator
     {
         System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.AuthenticateResult> AuthenticateAsync(Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy, Microsoft.AspNetCore.Http.HttpContext context);
-        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult> AuthorizeAsync(Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy, Microsoft.AspNetCore.Authentication.AuthenticateResult authenticationResult, Microsoft.AspNetCore.Http.HttpContext context, object resource);
+        System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult> AuthorizeAsync(Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy, Microsoft.AspNetCore.Authentication.AuthenticateResult authenticationResult, Microsoft.AspNetCore.Http.HttpContext context, object? resource);
     }
     public partial class PolicyAuthorizationResult
     {
         internal PolicyAuthorizationResult() { }
-        public Microsoft.AspNetCore.Authorization.AuthorizationFailure AuthorizationFailure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public Microsoft.AspNetCore.Authorization.AuthorizationFailure? AuthorizationFailure { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public bool Challenged { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public bool Forbidden { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public bool Succeeded { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public static Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult Challenge() { throw null; }
         public static Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult Forbid() { throw null; }
-        public static Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult Forbid(Microsoft.AspNetCore.Authorization.AuthorizationFailure authorizationFailure) { throw null; }
+        public static Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult Forbid(Microsoft.AspNetCore.Authorization.AuthorizationFailure? authorizationFailure) { throw null; }
         public static Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult Success() { throw null; }
     }
     public partial class PolicyEvaluator : Microsoft.AspNetCore.Authorization.Policy.IPolicyEvaluator
@@ -45,7 +45,7 @@ namespace Microsoft.AspNetCore.Authorization.Policy
         [System.Diagnostics.DebuggerStepThroughAttribute]
         public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.AuthenticateResult> AuthenticateAsync(Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy, Microsoft.AspNetCore.Http.HttpContext context) { throw null; }
         [System.Diagnostics.DebuggerStepThroughAttribute]
-        public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult> AuthorizeAsync(Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy, Microsoft.AspNetCore.Authentication.AuthenticateResult authenticationResult, Microsoft.AspNetCore.Http.HttpContext context, object resource) { throw null; }
+        public virtual System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.Policy.PolicyAuthorizationResult> AuthorizeAsync(Microsoft.AspNetCore.Authorization.AuthorizationPolicy policy, Microsoft.AspNetCore.Authentication.AuthenticateResult authenticationResult, Microsoft.AspNetCore.Http.HttpContext context, object? resource) { throw null; }
     }
 }
 namespace Microsoft.AspNetCore.Builder

src/Security/Authorization/Policy/src/IPolicyEvaluator.cs

@@ -35,6 +35,6 @@ namespace Microsoft.AspNetCore.Authorization.Policy
         /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
         /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid(AuthorizationFailure)"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise
         /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
-        Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource);
+        Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object? resource);
     }
 }

src/Security/Authorization/Policy/src/Microsoft.AspNetCore.Authorization.Policy.csproj

@@ -8,6 +8,7 @@
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authorization</PackageTags>
     <IsPackable>false</IsPackable>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>

src/Security/Authorization/Policy/src/PolicyAuthorizationResult.cs

@@ -25,7 +25,7 @@ namespace Microsoft.AspNetCore.Authorization.Policy
         /// <summary>
         /// Contains information about why authorization failed.
         /// </summary>
-        public AuthorizationFailure AuthorizationFailure { get; private set; }
+        public AuthorizationFailure? AuthorizationFailure { get; private set; }
 
         public static PolicyAuthorizationResult Challenge()
             => new PolicyAuthorizationResult { Challenged = true };
@@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.Authorization.Policy
         public static PolicyAuthorizationResult Forbid()
             => Forbid(null);
 
-        public static PolicyAuthorizationResult Forbid(AuthorizationFailure authorizationFailure)
+        public static PolicyAuthorizationResult Forbid(AuthorizationFailure? authorizationFailure)
             => new PolicyAuthorizationResult { Forbidden = true, AuthorizationFailure = authorizationFailure };
 
         public static PolicyAuthorizationResult Success()

src/Security/Authorization/Policy/src/PolicyEvaluator.cs

@@ -34,7 +34,7 @@ namespace Microsoft.AspNetCore.Authorization.Policy
         {
             if (policy.AuthenticationSchemes != null && policy.AuthenticationSchemes.Count > 0)
             {
-                ClaimsPrincipal newPrincipal = null;
+                ClaimsPrincipal? newPrincipal = null;
                 foreach (var scheme in policy.AuthenticationSchemes)
                 {
                     var result = await context.AuthenticateAsync(scheme);
@@ -74,7 +74,7 @@ namespace Microsoft.AspNetCore.Authorization.Policy
         /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
         /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid(AuthorizationFailure)"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise
         /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
-        public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
+        public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object? resource)
         {
             if (policy == null)
             {

src/Security/Authorization/Policy/src/PolicyServiceCollectionExtensions.cs

@@ -37,7 +37,16 @@ namespace Microsoft.Extensions.DependencyInjection
         /// <param name="services">The <see cref="IServiceCollection" /> to add services to.</param>
         /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
         public static IServiceCollection AddAuthorization(this IServiceCollection services)
-            => services.AddAuthorization(configure: null);
+        {
+            if (services == null)
+            {
+                throw new ArgumentNullException(nameof(services));
+            }
+
+            services.AddAuthorizationCore();
+            services.AddAuthorizationPolicyEvaluator();
+            return services;
+        }
 
         /// <summary>
         /// Adds authorization policy services to the specified <see cref="IServiceCollection" />. 

src/Shared/SecurityHelper/SecurityHelper.cs

@@ -1,7 +1,8 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
+#nullable enable
+
 using System.Linq;
 using System.Security.Claims;
 
@@ -19,7 +20,7 @@ namespace Microsoft.Extensions.Internal
         /// </summary>
         /// <param name="existingPrincipal">The <see cref="ClaimsPrincipal"/> containing existing <see cref="ClaimsIdentity"/>.</param>
         /// <param name="additionalPrincipal">The <see cref="ClaimsPrincipal"/> containing <see cref="ClaimsIdentity"/> to be added.</param>
-        public static ClaimsPrincipal MergeUserPrincipal(ClaimsPrincipal existingPrincipal, ClaimsPrincipal additionalPrincipal)
+        public static ClaimsPrincipal MergeUserPrincipal(ClaimsPrincipal? existingPrincipal, ClaimsPrincipal? additionalPrincipal)
         {
             var newPrincipal = new ClaimsPrincipal();