Populate ClaimsPrincipal when no auth key provided

Author: ConnorMcMahon

sample/CSharp/HttpTrigger-Identities/function.json

@@ -4,6 +4,7 @@
             "type": "httpTrigger",
             "name": "req",
             "direction": "in",
+            "authLevel": "anonymous",
             "methods": [ "get" ]
         },
         {

src/WebJobs.Script.WebHost/Security/Authentication/Keys/AuthenticationLevelHandler.cs

@@ -44,6 +44,17 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             // Get the authorization level for the current request
             (string name, AuthorizationLevel requestAuthorizationLevel) = await GetAuthorizationKeyInfoAsync(Context.Request, _secretManagerProvider);
 
+            List<ClaimsIdentity> claimsIdentities = new List<ClaimsIdentity>();
+
+            if (_isEasyAuthEnabled)
+            {
+                ClaimsIdentity easyAuthIdentity = Context.Request.GetAppServiceIdentity();
+                if (easyAuthIdentity != null)
+                {
+                    claimsIdentities.Add(easyAuthIdentity);
+                }
+            }
+
             if (requestAuthorizationLevel != AuthorizationLevel.Anonymous)
             {
                 var claims = new List<Claim>
@@ -56,18 +67,12 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                     claims.Add(new Claim(SecurityConstants.AuthLevelKeyNameClaimType, name));
                 }
 
-                List<ClaimsIdentity> claimsIdentities = new List<ClaimsIdentity>();
                 var keyIdentity = new ClaimsIdentity(claims, AuthLevelAuthenticationDefaults.AuthenticationScheme);
-                if (_isEasyAuthEnabled)
-                {
-                    ClaimsIdentity easyAuthIdentity = Context.Request.GetAppServiceIdentity();
-                    if (easyAuthIdentity != null)
-                    {
-                        claimsIdentities.Add(easyAuthIdentity);
-                    }
-                }
                 claimsIdentities.Add(keyIdentity);
+            }
 
+            if (claimsIdentities.Count > 0)
+            {
                 return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(claimsIdentities), Scheme.Name));
             }
             else

test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/SamplesEndToEndTests_CSharp.cs

@@ -684,6 +684,29 @@ public async Task HttpTrigger_Identities_Succeeds()
             }
         }
 
+        [Fact]
+        public async Task HttpTrigger_Identities_AnonymousAccessSucceeds()
+        {
+            var vars = new Dictionary<string, string>
+            {
+                { LanguageWorkerConstants.FunctionWorkerRuntimeSettingName, LanguageWorkerConstants.DotNetLanguageWorkerName},
+                { "WEBSITE_AUTH_ENABLED", "TRUE"}
+            };
+            using (var env = new TestScopedEnvironmentVariable(vars))
+            {
+                string uri = $"api/httptrigger-identities";
+                HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, uri);
+
+                MockEasyAuth(request, "facebook", "Connor McMahon", "10241897674253170");
+
+                HttpResponseMessage response = await this._fixture.Host.HttpClient.SendAsync(request);
+                Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+                string responseContent = await response.Content.ReadAsStringAsync();
+                string[] identityStrings = StripBookendQuotations(responseContent).Split(';');
+                Assert.Equal("Identity: (facebook, Connor McMahon, 10241897674253170)", identityStrings[0]);
+            }
+        }
+
         [Fact]
         public async Task HttpTrigger_Identities_BlocksSpoofedEasyAuthIdentity()
         {