Using PolicyServer.Local: Gotcha upgrading from ASP.NET Core 2.0 to 2.1

Gotcha I experienced upgrading from ASP.NET Core 2.0 to 2.1

PolicyServer.Local + ASP.NET Core 2.1? Disable AllowCombiningAuthorizeFilters

This post is more like an update from my previous post:
Dual/Multiple Authorizations Using Virtual Authentication Schemes in ASP.NET Core 2

Note that the VirtualScheme is now PolicyScheme, as you can see from here:

I am also using the free OSS version of PolicyServer, PolicyServer.Local, which is the main reason of this blog post 😉.

Why? What’s this? I’m glad you asked.

Claims are supposed to model the identity of a user, not permissions
Permissions of a user are often different depending which client or API it is using — putting them all into a single identity or access token is confusing and leads to problems. The same permission might even have a different meaning depending on who is consuming it
Permissions can change over the life time of a session, but the only way to get a new token is to make a roundtrip to the token service. This often requires some UI interaction which is not preferable
Permissions and business logic often overlap — where do you want to draw the line?

Nah, I’m sold. 😍

For more details, make sure you read the author’s awesome post:

Now ASP.NET Core 2.1 RC is out. It is supported by Microsoft and can be used in production. It is scheduled to be released around May 30th. So, what are you waiting for?

I performed the upgrade. And here is the gotcha that I think worth to share. I got an ArgumentNullException …

ArgumentNullException: Value cannot be null. 
Parameter name: policy

The problem was reported on GitHub:

As suggested there, the workaround is:

mvcOptions.AllowCombiningAuthorizeFilters = false;

Like so:

services.AddMvc(options =>
options.AllowCombiningAuthorizeFilters = false;

Problem solved.

Finally, personally, the most exciting part is, to use the new HttpClient :


If you are upgrading from ASP.NET Core 2.0 to 2.1 and you are using PolicyServer.Local, high chance that you will encounter ArgumentNullException. In that case, you should set mvcOptions.AllowCombiningAuthorizeFilters = false.

If you like what you just read, clap 👏 heartily and share it with your friends. You could possibly save their valuable time trying to solve this problem.