Authorization broken in Razor Pages .Net Core 3.0 preview 3

[Ponant]

Asp.Net Core Identity 3.0 Preview 3 template with RP
Authorize attribute does nothing on the Privacy page
AuthorizePage nothing
AuthorizeFolder nothing

You can also navigate to /Identity/Account/Manage, which should trigger back to login whereas it shows Unable to load user with ID '' gotten from the get request.
Is this planned for preview 4?
Related to #7011 which is flagged as done and closed but does not work.

[Eilon]

@Ponant can you show exactly what modifications you made to the app after the initial project was created?

[Ponant]

@Eilon , go to the Identity/Account/Manage page of the template; there is no need to change anything to the template to get this bug.
Otherwise, you can do this

    [Authorize]
    public class PrivacyModel : PageModel

but you will be able to access the Privacy page

Also

 services.AddMvc().AddRazorPagesOptions(o=>o.Conventions.AuthorizePage("/Privacy"))
                .AddNewtonsoftJson();

does nothing.
Same for AuthorizeFolder. I did not test further as there is clearly a huge hole while the issue is absent in 2.2.

[Eilon]

@javiercn / @pranavkm - any idea?

[javiercn]

Not sure what's happening here, but I'll take a look.

[Ponant]

Just create the identity template and navigate to identity/account/manage and you should see it traversing the get request whereas it requires authorization. You can also use the AuthorizePage and the like and it should just ignore them. Let me know if you can reproduce. Cheers

[mkArtak]

Thanks for the details, @Ponant.
I could repro this using Preview3 bits.
This is where the failure is coming from: https://github.com/aspnet/AspNetCore/blob/c95ee2b051814b787b07f55ff224d03d550aafeb/src/Identity/samples/IdentitySample.DefaultUI/Areas/Identity/Pages/Account/Manage/Index.cshtml.cs#L68
Obviously, the expectation here is that the user should be known. So indeed, authorization was completely bypassed.

[Ponant]

@mkArtak , out of curiosity, do you know from where the bug comes from?

[mkArtak]

Not really, @Ponant. Let's wait for @pranavkm to handle this - he'll do a great job here.

[rynowak]

The root cause of this issue is that the methods like AuthorizePage create an AuthorizeFilter but we also need an IAuthorizeData to show up in the endpoint metadata.

Since AuthorizeFilter is an MVC feature, it won't get executed by the authorization middleware - however the authorization middleware will run and suppress the filter.

We had a test gap in this area due to some functional tests that weren't running in the correct configuration. Updating the test app setup to be more like our documentation caused these tests to fail. I plan to check in the changes to the test setup as part of some other changes and skip the tests related to this issue.

To be crystal clear on the point - this is is a bug, and it is broken in preview 3. Official releases such as 2.2 do not have this bug.

[Ponant]

@pranavkm , is it possible to know the cause of the bug? Thanks for the fix!