Is it possible to disable authorization on one action in an MVC controller?

Solution 1:

You can add [Authorize] To the controller class, and then add [AllowAnonymous] to the single action you don't want to be authorized. Example:

[Authorize]
public class AccountController : Controller
{
    public ActionResult Profile()
    {
        return View();
    }

    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}

Solution 2:

You can create your own version of the attribute.

There is a very similar question and there is a pretty good answer how to implement your own attribute that handles this situation.

Override Authorize Attribute in ASP.NET MVC

Btw. you could also create your controller that would have authorization by default.

Base

[Authorize]
public abstract class SecureControllerBase : Controller
{
}

Usage

public class MyController : SecureControllerBase
{
}

Solution 3:

I just did a solution using Azure ACS as the federated Identity Provider and the accepted answer didn't work for me. For those who are struggling, my solution was to bypass the security altogether for the required controller/views.

Create a new Controller/Views for those actions which you need to bypass the authorization.

And in the web.config add the following ,

 <location path="TheNameOfTheControllerYouWantToBypass">
  <system.web>
  <authorization>
    <allow users="*" />
  </authorization>
  </system.web>
 </location>