aspnet
diff --git a/‎src/Microsoft.AspNetCore.Mvc.Core/Authorization/AuthorizeFilter.cs
Lines changed: 10 additions & 24 deletions b/‎src/Microsoft.AspNetCore.Mvc.Core/Authorization/AuthorizeFilter.cs
Lines changed: 10 additions & 24 deletions
diff --git a/‎src/Microsoft.AspNetCore.Mvc.Core/DependencyInjection/MvcCoreMvcCoreBuilderExtensions.cs
Lines changed: 1 addition & 0 deletions b/‎src/Microsoft.AspNetCore.Mvc.Core/DependencyInjection/MvcCoreMvcCoreBuilderExtensions.cs
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Microsoft.AspNetCore.Mvc.Core/Microsoft.AspNetCore.Mvc.Core.csproj
Lines changed: 1 addition & 1 deletion b/‎src/Microsoft.AspNetCore.Mvc.Core/Microsoft.AspNetCore.Mvc.Core.csproj
Lines changed: 1 addition & 1 deletion
@@ -9,6 +9,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Policy;
 using Microsoft.AspNetCore.Mvc.Core;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.AspNetCore.Mvc.Internal;
@@ -125,41 +126,26 @@ public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext contex
                 return;
             }
 
-            // Build a ClaimsPrincipal with the Policy's required authentication types
-            if (effectivePolicy.AuthenticationSchemes != null && effectivePolicy.AuthenticationSchemes.Count > 0)
-            {
-                ClaimsPrincipal newPrincipal = null;
-                for (var i = 0; i < effectivePolicy.AuthenticationSchemes.Count; i++)
-                {
-                    var scheme = effectivePolicy.AuthenticationSchemes[i];
-                    var result = await context.HttpContext.AuthenticateAsync(scheme);
-                    if (result.Succeeded)
-                    {
-                        newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result.Principal);
-                    }
-                }
-                // If all schemes failed authentication, provide a default identity anyways
-                if (newPrincipal == null)
-                {
-                    newPrincipal = new ClaimsPrincipal(new ClaimsIdentity());
-                }
-                context.HttpContext.User = newPrincipal;
-            }
+            var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();
+
+            var authenticateResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);
 
             // Allow Anonymous skips all authorization
             if (context.Filters.Any(item => item is IAllowAnonymousFilter))
             {
                 return;
             }
 
-            var httpContext = context.HttpContext;
-            var authService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
+            var authorizeResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticateResult, context.HttpContext);
 
-            // Note: Default Anonymous User is new ClaimsPrincipal(new ClaimsIdentity())
-            if (!await authService.AuthorizeAsync(httpContext.User, context, effectivePolicy))
+            if (authorizeResult.Challenged)
             {
                 context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray());
             }
+            else if (authorizeResult.Forbidden)
+            {
+                context.Result = new ForbidResult(effectivePolicy.AuthenticationSchemes.ToArray());
+            }
         }
 
         IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider)
 
@@ -92,6 +92,7 @@ internal static void AddAuthorizationServices(IServiceCollection services)
         {
             services.AddAuthenticationCore();
             services.AddAuthorization();
+            services.AddAuthorizationPolicyEvaluator();
 
             services.TryAddEnumerable(
                 ServiceDescriptor.Transient<IApplicationModelProvider, AuthorizationApplicationModelProvider>());
 
@@ -22,7 +22,7 @@ Microsoft.AspNetCore.Mvc.RouteAttribute</Description>
     <ProjectReference Include="..\Microsoft.AspNetCore.Mvc.Abstractions\Microsoft.AspNetCore.Mvc.Abstractions.csproj" />
 
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Core" Version="$(AspNetCoreVersion)" />
-    <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="$(AspNetCoreVersion)" />
+    <PackageReference Include="Microsoft.AspNetCore.Authorization.Policy" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Hosting.Abstractions" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Http" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Http.Extensions" Version="$(AspNetCoreVersion)" />
Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ internal static void AddAuthorizationServices(IServiceCollection services)`
`92`	`92`	`{`
`93`	`93`	`services.AddAuthenticationCore();`
`94`	`94`	`services.AddAuthorization();`
	`95`	`+ services.AddAuthorizationPolicyEvaluator();`
`95`	`96`
`96`	`97`	`services.TryAddEnumerable(`
`97`	`98`	`ServiceDescriptor.Transient<IApplicationModelProvider, AuthorizationApplicationModelProvider>());`