DiPix

Reputation: 6083

Authorization in ASP.NET Core. Always 401 Unauthorized for [Authorize] attribute

I'm creating authorization in ASP.NET Core for the first time. I used the tutorial from here: TUTORIAL

The problem is when I send a request from Postman:

Authorization:Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6I...

to my method in controller decorated with [Authorize] attribute.

I always receive 401 Unauthorized... I saw comments below that tutorial and it seems that some people have a similar issue too. I've no idea how I can solve this problem.

Upvotes: 42

Views: 77043

Answers (10)

Rohil Patel

Reputation: 478

Along with the order of middlewares, the parameters of the token must match the authentication parameters (specifically, the secret key).

I made the mistake of using different secret keys in the two places, which was returning status code 401.

Sharing screenshots of code (.NET Core 3.1) that may assist anyone.

Startup.cs > ConfigureServices() (screenshot: startup.cs file)

Login Controller logic (screenshot: token generation logic)

Upvotes: 1
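The key mismatch described in the answer above, reproduced outside the web pipeline (an added example, not the code from the answer's screenshots). It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the issuer, audience, claim and secrets are constructed sample values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtKeyCheck
{
    // Constructed sample values; a real app reads these from configuration.
    const string Issuer = "https://example.test";
    const string Audience = "example-api";

    static SymmetricSecurityKey KeyFrom(string secret) =>
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));

    // What the login controller does: sign a token with the secret.
    public static string Issue(string secret)
    {
        var creds = new SigningCredentials(KeyFrom(secret), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(Issuer, Audience,
            new[] { new Claim(ClaimTypes.Name, "alice") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // What AddJwtBearer does per request: validate against its own parameters.
    public static bool Validates(string jwt, string secret)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = KeyFrom(secret),
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenException)
        {
            return false; // signature, issuer, audience or lifetime did not match
        }
    }

    public static void Main()
    {
        var jwt = Issue("constructed-sample-secret-32-bytes!!");
        Console.WriteLine(Validates(jwt, "constructed-sample-secret-32-bytes!!")); // same key
        Console.WriteLine(Validates(jwt, "a-different-sample-secret-32-bytes!"));  // mismatched key
    }
}
```

In the API itself the same failure surfaces as a 401 whose WWW-Authenticate header carries error="invalid_token", so reading that header in Postman separates a rejected token from a pipeline problem.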

Chana_Lucky

Reputation: 51

I fixed mine by changing the UseAuthentication() and order of UseAuthentication() and UseRouting() in the Configure method of the Startup class.

Before

app.UseRouting();
app.UseAuthorization();
app.UseAuthentication();

After

app.UseAuthentication();
app.UseRouting();
app.UseAuthorization();

Upvotes: 2

So_oP

Reputation: 1293

In my case I was also using app.MapWhen(code), and app.UseAuthentication(); should be before MapWhen, like this:

app.UseAuthentication();
app.MapWhen();
app.UseMvc();

Hope this will help.

Upvotes: 0

Alejandro Garcia

Reputation: 195

For .NET Core 3.0 or higher, use this order in "Configure", located in Startup.cs:

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

Upvotes: 4

Nicolas Bodin

Reputation: 1591

My ConfigureServices and Configure methods (Asp.Net Core 3.1.0) in the Startup class:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("AllowsAll", builder =>
        {
            builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
        });
    });

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        ...
    });

    services.AddControllers();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseAuthentication();
    app.UseRouting();
    app.UseAuthorization();

    app.UseCors(options => options.AllowAnyOrigin());

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

My controller:

[Authorize]
[EnableCors("AllowsAll")]
[Route("[controller]")]
public class MyController : ControllerBase // a class cannot derive from itself
{
    ...
}

Upvotes: 3

eugenecp

Reputation: 766

In ASP.NET Core 3.0, I had the same problem; what worked for me was:

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

in the Startup.Configure method.

This doc shows typical ordering of middleware components: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-3.0

Upvotes: 28

Chetha

Reputation: 109

If you are using ASP.NET Core 3.0

Check this order

app.UseAuthentication();

app.UseRouting(); //must be below app.UseAuthentication();

If you are using ASP.NET Core < 3.0

Just replace app.UseRouting(); with app.UseMvc();

i.e:

app.UseAuthentication();

app.UseMvc(); //must be below app.UseAuthentication();

Upvotes: 7

TAHA SULTAN TEMURI

Reputation: 5281

In my case I was following a coreApi, angularClient tutorial, but was getting an unauthorized error every time. Also, in my case the Angular application is running under the Core API project.

So then I changed the order like this and it works now:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseSpaStaticFiles();


        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller}/{action=Index}/{id?}");
        });


        app.UseSpa(spa =>
        {
            // To learn more about options for serving an Angular SPA from ASP.NET Core,
            // see https://go.microsoft.com/fwlink/?linkid=864501

            spa.Options.SourcePath = "ClientApp";

            if (env.IsDevelopment())
            {
                spa.UseAngularCliServer(npmScript: "start");
            }
        });


        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        // global cors policy
        app.UseCors(x => x
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader()
            .AllowCredentials());

    }

Upvotes: 3

Christian Arce

Reputation: 13

The solution for me was to check the correct order of middlewares and other stuff in the Configure method of Startup. Generally app.UseMvc();

Upvotes: -4

DiPix

Reputation: 6083

At the request of others, here is the answer:

The problem was with the middleware order in Startup.cs:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ConfigureAuth(app); // your authorisation configuration

    app.UseMvc();
}

Why is middleware order important? If we put app.UseMvc() first, then the MVC actions would get in the routing, and if they see the Authorize attribute they will take control of its handling, and that's why we receive a 401 Unauthorized error.

I hope it helps someone ;)

Upvotes: 37
