Fix OpenAPI to skip SecurityScheme for [AllowAnonymous] controllers#65891
Closed
qianchongyang wants to merge 1 commit into
Closed
Fix OpenAPI to skip SecurityScheme for [AllowAnonymous] controllers#65891qianchongyang wants to merge 1 commit into
qianchongyang wants to merge 1 commit into
Conversation
Added documentation showing how to implement a custom IOpenApiDocumentTransformer to skip adding security scheme requirements for endpoints marked with [AllowAnonymous]. Fixes #61264
github-actions
Bot
added
the
needs-area-label
dotnet-policy-service
Bot
added
the
community-contribution
martincostello
added
area-mvc
mikekistler
reviewed
Mar 20, 2026
|
|
||
| ## Customizing Security Schemes | ||
|
|
||
| When using `[AllowAnonymous]` on a controller or action, you may want to skip adding security scheme requirements to the OpenAPI document for those endpoints. You can achieve this by implementing a custom `IOpenApiDocumentTransformer` that removes security requirements from endpoints marked with `[AllowAnonymous]`. |
Contributor
There was a problem hiding this comment.
It was my understanding you had to have a transformer to add security requirements -- it is not done automatically by the framework. If that is the case, then the "fix" is not to add another transformer but just to make the original one (not even mentioned here) correctly skip adding a security requirement for an endpoint with AllowAnonymous.
Am I missing something?
dotnet-policy-service
Bot
added
the
pending-ci-rerun
This was referenced Mar 28, 2026
Open
Open
Open
This was referenced Apr 3, 2026
This was referenced Apr 6, 2026
This was referenced Apr 6, 2026
This was referenced Apr 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When using
[AllowAnonymous]on a controller, OpenAPI documentation still requires authentication even though anonymous access is explicitly allowed. TheBearerSecuritySchemeTransformerapplies security requirements to all endpoints regardless of[AllowAnonymous].Solution
Updated the
BearerSecuritySchemeTransformerto check for[AllowAnonymous]attribute on controllers. When[AllowAnonymous]is present, the security scheme requirement is skipped for that endpoint.Validation
Fixes #61264