I am implementing an OData endpoint on an ASP.NET application, and am working right now on the authentication part. I looked at the example at http://odata.github.io/WebApi/05-01-basic-auth/ for implementing HTTP Basic authentication. However, the example looks very weird to me, even though it the article gives an impression that this is how you implement generic custom authentication on a RESTful API.
e.g.:
It implements authentication on the stage of a pipeline where you are supposed to implement authorization. My understanding is that when OnAuthorization is called, you are supposed to already have the principal set and the only thing left to do is checking if the principal has enough access to perform the requested action.
What is the deal with that call to IsAuthorized? Isn't that supposed to be a side-effect free method?
So I basically would like to check from somebody who is more familiar with ASP.NET Web API to confirm if this is a) the correct way to do things b) a hackish but safe way to do things or c) something dangerous that should never be present in production code.
