Allow Anonymous Requirement
Add this requirement to the end point's security block to bypass the authentication requirement that all end points implicitly have. This requirement does not need any additional metadata.
{
  "endpoints": {
    "ExamplesGetSingleProduct": {
      "security": {
        "AllowAnonymous": {
          "type": "AllowAnonymous"
        }
      }
    } //remaining metadata omitted
  }
}
Why did we add this security block to the end point instead of a route segment or input entity field?
Requirements are executed in collections at 3 different levels. For a collection to pass, at least one requirement in the collection must succeed, and all collections must pass for the request to execute. The framework always adds a requirement at the end point level that requires authentication. If we add no additional security metadata, all end points will have security that looks like this:
- Endpoint - require authentication
- Route - none
- Input fields - none
With no additional security metadata, if we have an anonymous user, the require authentication rule will fail, the end point grouping will fail, and therefore the request will not be allowed to execute.
If we added the security block to the route level we would have:
- Endpoint - require authentication
- Route - allow anonymous
- Input fields - none
If we had an anonymous user, the route grouping would pass, but the end point grouping would still fail, so the request would not be allowed to execute.
When we add the security block to the end point level we have:
- Endpoint - require authentication, allow anonymous
- Route - none
- Input fields - none
If we had an anonymous user and we're evaluating the end point level security, require authentication would fail but allow anonymous would pass, and therefore the entire end point group would pass. This allows the request to proceed and we get the desired result.
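The evaluation rules described above (any requirement passes a collection, every collection must pass) can be modelled in a few lines. This is an added example, not the framework's own code; the function names, level names and the treatment of an empty level as passing are assumptions made for illustration.

```python
# Added illustration of the rules on this page; not the framework's code.
# All function and level names below are hypothetical.
LEVELS = ("endpoint", "route", "input_fields")


def require_authentication(user):
    return user["authenticated"]


def allow_anonymous(user):
    # Assumption: this requirement succeeds for every caller.
    return True


def build_collections(extra):
    """Per-level collections; the endpoint level always gets the implicit
    require-authentication requirement, as the page describes."""
    collections = {level: list(extra.get(level, [])) for level in LEVELS}
    collections["endpoint"].insert(0, require_authentication)
    return collections


def evaluate(extra, user):
    """Return (allowed, per-level results) for one request."""
    results = {}
    for level, reqs in build_collections(extra).items():
        # Assumption: a level with no requirements ("none") passes.
        # Otherwise at least one requirement in the collection must succeed.
        results[level] = not reqs or any(req(user) for req in reqs)
    # Every collection must pass for the request to execute.
    return all(results.values()), results


ANONYMOUS = {"authenticated": False}   # constructed sample callers
SIGNED_IN = {"authenticated": True}

if __name__ == "__main__":
    cases = {
        "no extra metadata": {},
        "allow anonymous on route": {"route": [allow_anonymous]},
        "allow anonymous on endpoint": {"endpoint": [allow_anonymous]},
    }
    for name, extra in cases.items():
        print(name, evaluate(extra, ANONYMOUS))
```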