Enable default policy for MVC authorize attribute

[blowdart]

This would make the multiple identities scenarios easier, as a dev could set the default behaviour to use Cookie auth, which in turn would mean you wouldn't have to set cookie auth to be automatic, and filtering would work as expected when you limit to bearer.

[HaoK]

Looks like this behavior actually comes from Policy.Combine, where we add RequireAuthenticatedUser by default.

How about we just add a default policy to the options which we use for this instead? The default behavior would be the same, just requiring any authenticated user.

You could replace it via

services.ConfigureAuthorization(options => options.DefaultPolicy = new PolicyBuilder().AddWhatever().Build())

[blowdart]

Might work - can you give it a shot?

[HaoK]

3294de1