Scenario: I have an ASP.NET Core Project that uses Yarp as an ingress for several backends and a JavaScript/SPA Frontend.
Authentication is handled via an on-premise ADFS instance/OIDC. As the ADFS services a few different applications and not all authenticated users will get access to my app, I want the default Authorization Policy to include a RoleRequirement:
Users without this role get automatically redirected to /Account/AccessDenied handled by this Controller located in the same API that contains the reverse proxy:
When a user without the required Role is successfully authenticated, authorization fails as expected and the user is redirected to the /Account/AccessDenied route. The problem is that the role policy is evaluated again, even though the AccountController is annotated with the [AllowAnonymous] attribute. As the policy evaluation fails again, an infinite loop is triggered.
This is the relevant section from the logs:
```
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:7018/ - - -
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (MyRole)
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:7018/ - 302 0 - 13.8438ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:7018/Account/AccessDenied?ReturnUrl=%2F - - -
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (MyRole)
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:7018/Account/AccessDenied?ReturnUrl=%2F - 302 0 - 12.4166ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:7018/Account/AccessDenied?ReturnUrl=%2FAccount%2FAccessDenied%3FReturnUrl%3D%252F - - -
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed. These requirements were not met:
      RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (MyRole)
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 GET https://localhost:7018/Account/AccessDenied?ReturnUrl=%2FAccount%2FAccessDenied%3FReturnUrl%3D%252F - 302 0 - 7.1027ms
```
... Repeat until the browser calls it quits with ERR_TOO_MANY_REDIRECTS
When I remove the reverse proxy from the middleware pipeline, everything works as expected.
It seems that if a request was first handled by Yarp, the default authorization policy handling is somehow circumvented.
Does anyone have an idea how I can tackle this problem? I'm open to alternative approaches.
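The setup described in the post, reconstructed as an added example (this is not the poster's code and not YARP's own sample). It wires a default and fallback role policy, a cookie/OIDC login with `/Account/AccessDenied` as the access-denied path, an `[AllowAnonymous]` `AccountController`, and `MapReverseProxy()`; on top of that it adds a small diagnostic middleware after `UseRouting()` that logs which endpoint matched a request and whether that endpoint carries `IAllowAnonymous` metadata. The role name `MyRole`, the `Oidc:*` configuration keys, the `ReverseProxy` config section and the 403 body returned by the action are placeholders; the project needs the `Yarp.ReverseProxy` and `Microsoft.AspNetCore.Authentication.OpenIdConnect` packages.

```csharp
// Added example, not code from the original discussion. Placeholder values:
// "MyRole", the Oidc:* keys and the ReverseProxy configuration section.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // Authenticated users who fail authorization are redirected here (the route from the post).
    options.AccessDeniedPath = "/Account/AccessDenied";
})
.AddOpenIdConnect(options =>
{
    // ADFS settings are placeholders read from configuration.
    options.Authority = builder.Configuration["Oidc:Authority"];
    options.ClientId = builder.Configuration["Oidc:ClientId"];
    options.ResponseType = "code";
});

builder.Services.AddAuthorization(options =>
{
    // Default-deny: every endpoint without its own authorization metadata
    // requires an authenticated user who is in the application role.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole("MyRole")            // placeholder role name
        .Build();
    options.DefaultPolicy = policy;
    options.FallbackPolicy = policy;
});

builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

var app = builder.Build();

app.UseRouting();

// Diagnostic: after routing has chosen an endpoint, record which one it was and
// whether it is marked [AllowAnonymous]. If /Account/AccessDenied shows up here as
// a proxy route instead of the MVC action, the controller attribute never applies
// to that request, which is consistent with the redirect loop in the logs above.
app.Use(async (context, next) =>
{
    var endpoint = context.GetEndpoint();
    var allowsAnonymous = endpoint?.Metadata.GetMetadata<IAllowAnonymous>() is not null;
    app.Logger.LogInformation(
        "Matched {Path} -> {Endpoint} (AllowAnonymous={AllowAnonymous})",
        context.Request.Path,
        endpoint?.DisplayName ?? "(no endpoint)",
        allowsAnonymous);
    await next();
});

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.MapReverseProxy();

app.Run();

[Route("[controller]/[action]")]
public class AccountController : Controller
{
    // Must be reachable without the role, otherwise the access-denied redirect loops.
    [AllowAnonymous]
    public IActionResult AccessDenied(string? returnUrl)
        => StatusCode(StatusCodes.Status403Forbidden); // placeholder body
}
```

Run the app, sign in as a user who lacks the role, and read the `Matched ...` lines next to the `Authorization failed` lines: the pair tells you which endpoint the authorization middleware is enforcing the policy for on the `/Account/AccessDenied` request. Because `FallbackPolicy` applies to any endpoint that has no authorization metadata of its own, proxy routes are covered by it as well unless their YARP route configuration sets `AuthorizationPolicy` (for example to `anonymous`), so the diagnostic is the quickest way to confirm whether the MVC action or a proxy route is answering that path.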