Authorization broken in Razor Pages .Net Core 3.0 preview 3

[Ponant]

Asp.Net Core Identity 3.0 Preview 3 template with RP
Authorize attribute does nothing on the Privacy page
AuthorizePage nothing
AuthorizeFolder nothing

You can also navigate to /Identity/Account/Manage, which should trigger back to login whereas it shows Unable to load user with ID '' gotten from the get request.
Is this planned for preview 4?
Related to #7011 which is flagged as done and closed but does not work.

[Eilon]

@Ponant can you show exactly what modifications you made to the app after the initial project was created?

[Ponant]

@Eilon , go to the Identity/Account/Manage page of the template; there is no need to change anything to the template to get this bug.
Otherwise, you can do this

    [Authorize]
    public class PrivacyModel : PageModel

but you will be able to access the Privacy page

Also

 services.AddMvc().AddRazorPagesOptions(o=>o.Conventions.AuthorizePage("/Privacy"))
                .AddNewtonsoftJson();

does nothing.
Same for AuthorizeFolder. I did not test further as there is clearly a huge hole while the issue is absent in 2.2.

[Eilon]

@javiercn / @pranavkm - any idea?

[javiercn]

Not sure what's happening here, but I'll take a look.

[Ponant]

Just create the identity template and navigate to identity/account/manage and you should see it traversing the get request whereas it requires authorization. You can also use the AuthorizePage and the like and it should just ignore them. Let me know if you can reproduce. Cheers

[mkArtak]

Thanks for the details, @Ponant.
I could repro this using Preview3 bits.
This is where the failure is coming from: https://github.com/aspnet/AspNetCore/blob/c95ee2b051814b787b07f55ff224d03d550aafeb/src/Identity/samples/IdentitySample.DefaultUI/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs#L68
Obviously, the expectation here is that the user should be known. So indeed, authorization was completely bypassed.

[Ponant]

@mkArtak , out of curiosity, do you know from where the bug comes from?

[mkArtak]

Not really, @Ponant. Let's wait for @pranavkm to handle this - he'll do a great job here.