I am applying custom authorisation on a .NET 7.0 API.
I am using policy-based authorization with a custom requirement and a custom authorisation handler.
Ref: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-7.0
Code is similar to the sample provided by Microsoft.
Everything works fine; however, while debugging, I have noticed that for each API call, HandleRequirementAsync is being called twice.
The first time, context.Resource is of the type Microsoft.AspNetCore.Http.DefaultHttpContext. Only one requirement is listed against the context, which is the custom requirement.
The second time it's of the type Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.AuthorizationFilterContextSealed. This time there are two requirements listed in the context - the custom requirement and {DenyAnonymousAuthorizationRequirement: Requires an authenticated user.}
As a result, the custom policy code is being evaluated twice.
What is AuthorizationFilterContextSealed? I haven't been able to find any information about it online. What could be the reason that the handler is being called twice? Can I prevent that from happening? Should I do an early exit for one of the resource types?
Thanks