Allow all api controlleraction requests when in demo mode

Question

I have a webapi where I controll access using attributes [AllowAnonymous] and [AuthorizeAttribute]. I have also created a custom attribute to add some logic to the authorization. The web api is using bearer token for authentication. I have a setting (a bool named InDemo) in my project with the purpose of making all my actions to allow anonymous requests, in other words behave like all actions had the [AllowAnonymous] attribute.

OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider("self"),
                AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(30000),
                AllowInsecureHttp = true
             };

            app.UseOAuthBearerTokens(OAuthOptions);


public class CustomApiAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        if (Settings.Default.InDemo)
           return true;

        // ... more custom validations
    }
}

This works fine as long as my request contains a valid bearer token, then IsAuthorized is called and I can bypass the custom validations. But if the token is invalid IsAuthorized is never called and "Authorization has been denied for this request" response is sent. Now I would like to ignore the token when the InDemo is set to true i.e. the behavior as having [AllowAnonymous].

Answer 1

Ok, here is how I solved it. I had my CustomApiAuthorizeAttribute implement IAuthenticationFilter and set the context principle to one that is always authenticated.

    public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        if (Settings.Default.AllowAnonymous)
                  context.Principal = new AuthenticatedPrincipal(Thread.CurrentPrincipal);
    }

    public class AuthenticatedPrincipal : IPrincipal
    {
        private readonly IPrincipal principalToWrap;

        public AuthenticatedPrincipal(IPrincipal principalToWrap)
        {
            this.principalToWrap = principalToWrap;
            Identity = new AuthenticatedIdentity(principalToWrap.Identity);
        }

        public bool IsInRole(string role)
        { return principalToWrap.IsInRole(role); }

        public IIdentity Identity { get; }
    }

    public class AuthenticatedIdentity : IIdentity
    {
        public AuthenticatedIdentity(IIdentity identityToWrap)
        {
            Name = identityToWrap.Name;
            AuthenticationType = identityToWrap.AuthenticationType;
        }

        public string Name { get; }
        public string AuthenticationType { get; }

        public bool IsAuthenticated => true;
    }