mihirdilip
diff --git a/‎README.md
+10-6 b/‎README.md
+10-6
diff --git a/‎samples/SampleWebApi_2_0/SampleWebApi_2_0.csproj
+1-1 b/‎samples/SampleWebApi_2_0/SampleWebApi_2_0.csproj
+1-1
diff --git a/‎samples/SampleWebApi_2_2/SampleWebApi_2_2.csproj
+1-1 b/‎samples/SampleWebApi_2_2/SampleWebApi_2_2.csproj
+1-1
diff --git a/‎samples/SampleWebApi_3_1/SampleWebApi_3_1.csproj
+1-1 b/‎samples/SampleWebApi_3_1/SampleWebApi_3_1.csproj
+1-1
diff --git a/‎samples/SampleWebApi_3_1/Startup.cs
+14-5 b/‎samples/SampleWebApi_3_1/Startup.cs
+14-5
diff --git a/‎samples/SampleWebApi_5_0/Controllers/ValuesController.cs
+35 b/‎samples/SampleWebApi_5_0/Controllers/ValuesController.cs
+35
diff --git a/‎samples/SampleWebApi_5_0/Program.cs
+20 b/‎samples/SampleWebApi_5_0/Program.cs
+20
diff --git a/‎samples/SampleWebApi_5_0/Properties/launchSettings.json
+20 b/‎samples/SampleWebApi_5_0/Properties/launchSettings.json
+20
diff --git a/‎samples/SampleWebApi_5_0/SampleWebApi_5_0.csproj
+17 b/‎samples/SampleWebApi_5_0/SampleWebApi_5_0.csproj
+17
diff --git a/‎samples/SampleWebApi_5_0/Startup.cs
+192 b/‎samples/SampleWebApi_5_0/Startup.cs
+192
@@ -52,10 +52,10 @@ public class Startup
 		services.AddControllers();
 
 		//// By default, authentication is not challenged for every request which is ASP.NET Core's default intended behaviour.
-		//// So to challenge authentication for every requests please use below option instead of above services.AddControllers().
-		//services.AddControllers(options => 
+		//// So to challenge authentication for every requests please use below FallbackPolicy option.
+		//services.AddAuthorization(options =>
 		//{
-		//	options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
+		//	options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
 		//});
 	}
 
@@ -153,6 +153,10 @@ Default value is false.
 When set to true, it will NOT return WWW-Authenticate response header when challenging un-authenticated requests.  
 When set to false, it will return WWW-Authenticate response header when challenging un-authenticated requests.
 
+#### IgnoreAuthenticationIfAllowAnonymous
+Default value is false.  
+If set to true, it checks if AllowAnonymous filter on controller action or metadata on the endpoint which, if found, it does not try to authenticate the request.
+
 #### Events
 The object provided by the application to process events raised by the basic authentication middleware.  
 The application may implement the interface fully, or it may create an instance of BasicEvents and assign delegates only to the events it wants to process.
@@ -187,9 +191,9 @@ Please note that, by default, with ASP.NET Core, all the requests are not challe
 However, if you want all the requests to challenge authentication by default, depending on what you are using, you can add the below options line to *ConfigureServices* method on *Startup* class.
 
 ```C#
-services.AddControllers(options => 
-{ 
-    options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
+services.AddAuthorization(options =>
+{
+    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
 });
 
 // OR
 
@@ -12,7 +12,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.Basic" Version="3.1.1" />
+    <PackageReference Include="AspNetCore.Authentication.Basic" Version="5.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.9" />
   </ItemGroup>
 
 
@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.Basic" Version="3.1.1" />
+    <PackageReference Include="AspNetCore.Authentication.Basic" Version="5.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.AspNetCore.Razor.Design" Version="2.2.0" PrivateAssets="All" />
   </ItemGroup>
 
@@ -7,7 +7,7 @@
   <Import Project="..\SampleWebApi.Shared\SampleWebApi.Shared.projitems" Label="Shared" />
 
   <ItemGroup>
-    <PackageReference Include="AspNetCore.Authentication.Basic" Version="3.1.1" />
+    <PackageReference Include="AspNetCore.Authentication.Basic" Version="5.0.0" />
   </ItemGroup>
 
   <!--<ItemGroup>
 
@@ -48,6 +48,9 @@ public void ConfigureServices(IServiceCollection services)
                     //// Optional option to suppress the browser login dialog for ajax calls.
                     //options.SuppressWWWAuthenticateHeader = true;
 
+                    //// Optional option to ignore authentication if AllowAnonumous metadata/filter attribute is added to an endpoint.
+                    //options.IgnoreAuthenticationIfAllowAnonymous = true;
+
                     //// Optional events to override the basic original logic with custom logic.
                     //// Only use this if you know what you are doing at your own risk. Any of the events can be assigned. 
                     options.Events = new BasicEvents
@@ -149,13 +152,19 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddControllers(options =>
             {
-                // ALWAYS USE HTTPS (SSL) protocol in production when using Basic authentication.
+                // ALWAYS USE HTTPS (SSL) protocol in production when using ApiKey authentication.
                 //options.Filters.Add<RequireHttpsAttribute>();
 
-                // All the requests will need to be authorized. 
-                // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
-                options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
             }); //.AddXmlSerializerFormatters()   // To enable XML along with JSON;
+
+            // All the requests will need to be authorized. 
+            // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
+            services.AddAuthorization(options =>
+            {
+                options.FallbackPolicy = new AuthorizationPolicyBuilder()
+                    .RequireAuthenticatedUser()
+                    .Build();
+            });
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
@@ -170,7 +179,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
             app.UseHttpsRedirection();
             app.UseRouting();
-            
+
             app.UseAuthentication();    // NOTE: DEFAULT TEMPLATE DOES NOT HAVE THIS, THIS LINE IS REQUIRED AND HAS TO BE ADDED!!!
 
             app.UseAuthorization();
 
@@ -0,0 +1,35 @@
+using Microsoft.AspNetCore.Mvc;
+using System.Collections.Generic;
+using System.Text;
+
+namespace SampleWebApi_5_0.Controllers
+{
+    [Route("api/[controller]")]
+	[ApiController]
+	public class ValuesController : ControllerBase
+	{
+		// GET api/values
+		[HttpGet]
+		public ActionResult<IEnumerable<string>> Get()
+		{
+			return new string[] { "value1", "value2" };
+		}
+
+		[HttpGet("claims")]
+		public ActionResult<string> Claims()
+		{
+			var sb = new StringBuilder();
+			foreach (var claim in User.Claims)
+			{
+				sb.AppendLine($"{claim.Type}: {claim.Value}");
+			}
+			return sb.ToString();
+		}
+
+		[HttpGet("forbid")]
+		public new IActionResult Forbid()
+		{
+			return base.Forbid();
+		}
+	}
+}
@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
+
+namespace SampleWebApi_5_0
+{
+    public class Program
+    {
+        public static void Main(string[] args)
+        {
+            CreateHostBuilder(args).Build().Run();
+        }
+
+        public static IHostBuilder CreateHostBuilder(string[] args) =>
+            Host.CreateDefaultBuilder(args)
+                .ConfigureWebHostDefaults(webBuilder =>
+                {
+                    webBuilder.UseStartup<Startup>();
+                });
+    }
+}
@@ -0,0 +1,20 @@
+{
+  "iisSettings": {
+    "windowsAuthentication": false,
+    "anonymousAuthentication": true,
+    "iisExpress": {
+      "applicationUrl": "http://localhost:3920",
+      "sslPort": 44304
+    }
+  },
+  "profiles": {
+    "IIS Express": {
+      "commandName": "IISExpress",
+      "launchBrowser": true,
+      "launchUrl": "api/values",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}
@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+  </PropertyGroup>
+
+  <Import Project="..\SampleWebApi.Shared\SampleWebApi.Shared.projitems" Label="Shared" />
+
+  <ItemGroup>
+    <PackageReference Include="AspNetCore.Authentication.Basic" Version="5.0.0" />
+  </ItemGroup>
+
+  <!--<ItemGroup>
+    <ProjectReference Include="..\..\src\AspNetCore.Authentication.Basic\AspNetCore.Authentication.Basic.csproj" />
+  </ItemGroup>-->
+  
+</Project>
@@ -0,0 +1,192 @@
+using AspNetCore.Authentication.Basic;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Authorization;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using SampleWebApi.Repositories;
+using SampleWebApi.Services;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+namespace SampleWebApi_5_0
+{
+    public class Startup
+    {
+        public Startup(IConfiguration configuration)
+        {
+            Configuration = configuration;
+        }
+
+        public IConfiguration Configuration { get; }
+
+        // This method gets called by the runtime. Use this method to add services to the container.
+        public void ConfigureServices(IServiceCollection services)
+        {
+            // Add User repository to the dependency container.
+            services.AddTransient<IUserRepository, InMemoryUserRepository>();
+
+            // Add the Basic scheme authentication here..
+            // It requires Realm to be set in the options if SuppressWWWAuthenticateHeader is not set.
+            // If an implementation of IBasicUserValidationService interface is registered in the dependency register as well as OnValidateCredentials delegete on options.Events is also set then this delegate will be used instead of an implementation of IBasicUserValidationService.
+            services.AddAuthentication(BasicDefaults.AuthenticationScheme)
+
+                // The below AddBasic without type parameter will require OnValidateCredentials delegete on options.Events to be set unless an implementation of IBasicUserValidationService interface is registered in the dependency register.
+                // Please note if both the delgate and validation server are set then the delegate will be used instead of BasicUserValidationService.
+                //.AddBasic(options =>
+
+                // The below AddBasic with type parameter will add the BasicUserValidationService to the dependency register. 
+                // Please note if OnValidateCredentials delegete on options.Events is also set then this delegate will be used instead of BasicUserValidationService.
+                .AddBasic<BasicUserValidationService>(options =>
+                {
+                    options.Realm = "Sample Web API";
+
+                    //// Optional option to suppress the browser login dialog for ajax calls.
+                    //options.SuppressWWWAuthenticateHeader = true;
+
+                    //// Optional option to ignore authentication if AllowAnonumous metadata/filter attribute is added to an endpoint.
+                    //options.IgnoreAuthenticationIfAllowAnonymous = true;
+
+                    //// Optional events to override the basic original logic with custom logic.
+                    //// Only use this if you know what you are doing at your own risk. Any of the events can be assigned. 
+                    options.Events = new BasicEvents
+                    {
+
+                        //// A delegate assigned to this property will be invoked just before validating credentials. 
+                        //OnValidateCredentials = async (context) =>
+                        //{
+                        //    // custom code to handle credentials, create principal and call Success method on context.
+                        //    var userRepository = context.HttpContext.RequestServices.GetRequiredService<IUserRepository>();
+                        //    var user = await userRepository.GetUserByUsername(context.Username);
+                        //    var isValid = user != null && user.Password == context.Password;
+                        //    if (isValid)
+                        //    {
+                        //        context.Response.Headers.Add("ValidationCustomHeader", "From OnValidateCredentials");
+                        //        var claims = new[]
+                        //        {
+                        //            new Claim(ClaimTypes.NameIdentifier, context.Username, ClaimValueTypes.String, context.Options.ClaimsIssuer),
+                        //            new Claim(ClaimTypes.Name, context.Username, ClaimValueTypes.String, context.Options.ClaimsIssuer),
+                        //            new Claim("CustomClaimType", "Custom Claim Value - from OnValidateCredentials")
+                        //        };
+                        //        context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name));
+                        //        context.Success();
+                        //    }
+                        //    else
+                        //    {
+                        //        context.NoResult();
+                        //    }
+                        //},
+
+                        //// A delegate assigned to this property will be invoked just before validating credentials. 
+                        //// NOTE: Same as above delegate but slightly different implementation which will give same result.
+                        //OnValidateCredentials = async (context) =>
+                        //{
+                        //    // custom code to handle credentials, create principal and call Success method on context.
+                        //    var userRepository = context.HttpContext.RequestServices.GetRequiredService<IUserRepository>();
+                        //    var user = await userRepository.GetUserByUsername(context.Username);
+                        //    var isValid = user != null && user.Password == context.Password;
+                        //    if (isValid)
+                        //    {
+                        //        context.Response.Headers.Add("ValidationCustomHeader", "From OnValidateCredentials");
+                        //        var claims = new[]
+                        //        {
+                        //            new Claim("CustomClaimType", "Custom Claim Value - from OnValidateCredentials")
+                        //        };
+                        //        context.ValidationSucceeded(claims);    // claims are optional
+                        //    }
+                        //    else
+                        //    {
+                        //        context.ValidationFailed();
+                        //    }
+                        //},
+
+                        //// A delegate assigned to this property will be invoked before a challenge is sent back to the caller when handling unauthorized response.
+                        //OnHandleChallenge = async (context) =>
+                        //{
+                        //    // custom code to handle authentication challenge unauthorized response.
+                        //    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                        //    context.Response.Headers.Add("ChallengeCustomHeader", "From OnHandleChallenge");
+                        //    await context.Response.WriteAsync("{\"CustomBody\":\"From OnHandleChallenge\"}");
+                        //    context.Handled();  // important! do not forget to call this method at the end.
+                        //},
+
+                        //// A delegate assigned to this property will be invoked if Authorization fails and results in a Forbidden response.
+                        //OnHandleForbidden = async (context) =>
+                        //{
+                        //    // custom code to handle forbidden response.
+                        //    context.Response.StatusCode = StatusCodes.Status403Forbidden;
+                        //    context.Response.Headers.Add("ForbidCustomHeader", "From OnHandleForbidden");
+                        //    await context.Response.WriteAsync("{\"CustomBody\":\"From OnHandleForbidden\"}");
+                        //    context.Handled();  // important! do not forget to call this method at the end.
+                        //},
+
+                        //// A delegate assigned to this property will be invoked when the authentication succeeds. It will not be called if OnValidateCredentials delegate is assigned.
+                        //// It can be used for adding claims, headers, etc to the response.
+                        //OnAuthenticationSucceeded = (context) =>
+                        //{
+                        //    //custom code to add extra bits to the success response.
+                        //    context.Response.Headers.Add("SuccessCustomHeader", "From OnAuthenticationSucceeded");
+                        //    var customClaims = new List<Claim>
+                        //    {
+                        //        new Claim("CustomClaimType", "Custom Claim Value - from OnAuthenticationSucceeded")
+                        //    };
+                        //    context.AddClaims(customClaims);
+                        //    //or can add like this - context.Principal.AddIdentity(new ClaimsIdentity(customClaims));
+                        //    return Task.CompletedTask;
+                        //},
+
+                        //// A delegate assigned to this property will be invoked when the authentication fails.
+                        //OnAuthenticationFailed = (context) =>
+                        //{
+                        //    // custom code to handle failed authentication.
+                        //    context.Fail("Failed to authenticate");
+                        //    return Task.CompletedTask;
+                        //}
+
+                    };
+                });
+
+            services.AddControllers(options =>
+            {
+                // ALWAYS USE HTTPS (SSL) protocol in production when using ApiKey authentication.
+                //options.Filters.Add<RequireHttpsAttribute>();
+
+            }); //.AddXmlSerializerFormatters()   // To enable XML along with JSON;
+
+            // All the requests will need to be authorized. 
+            // Alternatively, add [Authorize] attribute to Controller or Action Method where necessary.
+            services.AddAuthorization(options =>
+            {
+                options.FallbackPolicy = new AuthorizationPolicyBuilder()
+                    .RequireAuthenticatedUser()
+                    .Build();
+            });
+        }
+
+        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+        {
+            if (env.IsDevelopment())
+            {
+                app.UseDeveloperExceptionPage();
+            }
+
+            // The below order of pipeline chain is important!
+
+            app.UseHttpsRedirection();
+            app.UseRouting();
+
+            app.UseAuthentication();    // NOTE: DEFAULT TEMPLATE DOES NOT HAVE THIS, THIS LINE IS REQUIRED AND HAS TO BE ADDED!!!
+
+            app.UseAuthorization();
+            app.UseEndpoints(endpoints =>
+            {
+                endpoints.MapControllers();
+            });
+        }
+    }
+}