I am developing an ASP.NET Web API and want to allow different authentication schemes; the authentication method should be decided per request and by a request header.
Example: If the request contains the header "Bearer", I want to verify the token with Azure and determine authorization via application roles; if not, I want to use Windows Authentication and determine authorization via Active Directory security groups.
Problem: I have no problem getting each scheme to work in separate projects but am not able to figure out how to combine the two and select the scheme based on the request headers.
- Is it possible to decide the authentication scheme when the request arrives? If so, how?
- Is it possible to perform Windows Authentication in the OWIN pipeline instead of enabling it in IIS? If so, how?
Any pointers appreciated!