OWIN Authentication Middleware for Hawk in Thinktecture.IdentityModel.45

This is continuation of my previous post Basic Authentication with ASP.NET Web API Using OWIN Middleware, where I implemented HTTP basic authentication in a custom OWIN middleware class AuthenticationMiddleware that derives from the OwinMiddleware class. However, when it comes to implementing authentication in an OWIN middleware, the recommended approach is to use the authentication micro-framework that Katana has and derive from the out-of-box middleware class AuthenticationMiddleware<T>. Of course, this special authentication middleware also derives from OwinMiddleware, like so.
Continue reading

Basic Authentication with ASP.NET Web API Using OWIN Middleware

One of the decisions to be made while implementing authentication for ASP.NET Web API is where to implement the authentication logic – message handler, authorization filter or HTTP module. Authorization filter is a bad choice for the obvious reason that it is for authorization and not authentication. For message handler versus HTTP module, a good read is the ASP.NET site itself. A rule of thumb is to use an HTTP module if Web API is going to be exclusively web-hosted and to use a message handler otherwise. One of the greatest advantages of a message handler is that it is host-agnostic but the downside is that the principal set in the message handler reverts back to the previous principal when the response leaves the web API pipeline. If you use IIS logs, for example, it will know nothing about the principal you set in the message handler. HTTP module locks you into IIS but it has it’s own advantage. Notable one being the fact that IIS/ASP.NET does recognize the principal set from the HTTP module. For host-agnostic reasons, in the book that I have written Pro ASP.NET Web API Security, I have extensively used message handlers. Continue reading