
My app is a default web API in C#, which uses Microsoft.Owin.Security.OAuth for user authentication. I'm building my own OAuthAuthorizationServerProvider implementation. My GrantResourceOwnerCredentials method looks like this:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // this method searches for the user in the database
        var user = await accountService.LoginAsync(context.UserName, context.Password);

        if (user != null)
        {
            if (user.Password == "-1")
            {
                // here I want to set a different HttpStatusCode for a user that is not registered or has a wrong password

                //context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                //context.Response.Context.Response.StatusCode = 403;
                //context.SetError("403", "password not valid");
                //context.Rejected();
                return;
            }
        }
        else if (user == null)
        {
            //context.Response.Headers.Add(CoreConfiguration.OwinChallengeFlag, new[] { ((int)HttpStatusCode.NotFound).ToString() });
            //context.Rejected();
            return;
        }

        //*here goes ClaimsIdentity and AuthenticationTicket creation*
    }

So my question is: how can I customise the HttpStatusCode of the response in different situations? I know that I can write my own middleware for this, but I don't believe that it is the only way.

The problem is that OAuthGrantResourceOwnerCredentialsContext has no influence on the actual HttpResponse, because, as I understand it, this context can only be valid or not. Depending on this, OAuthAuthorizationServerProvider creates an HttpResponse with a 200 or 400 status code.

Also, I know that for user validation there is the ValidateClientAuthentication method, but I did not find any way to customise the StatusCode from its OAuthValidateClientAuthenticationContext either.

Please explain to me where I am wrong and whether it is possible to achieve my goal.

  • If you change the status code, it's not a valid OAuth2 server anymore, as the OAuth2 specification requires error code 400. The details of what went wrong are already included in the response body. – ckuri Feb 20 '20 at 13:52
  • @ckuri Yes, but is it OK that the client app must parse the response body to understand whether the user does not exist or just entered the wrong credentials? – Vladimir Evdokimov Feb 20 '20 at 14:03
  • Yes, I don't see the issue with it, as it's just simple JSON in the format `{"error":"invalid_grant", "error_description": "..."}` (see https://tools.ietf.org/html/rfc6749#section-5.2). – ckuri Feb 20 '20 at 14:21
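As an added example (not the asker's code), one way to follow ckuri's advice: leave the status code at 400 and signal the failure through the RFC 6749 §5.2 error body with `context.SetError`, which the client reads from the `error` field. It assumes a hypothetical `IAccountService` whose `LoginAsync` returns null for both an unknown user and a wrong password; returning the same `invalid_grant` for both cases also avoids telling a caller which user names exist.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
// Added example, not the asker's code. IAccountService and AppUser are hypothetical;
// LoginAsync is assumed to return null for an unknown user or a wrong password.
public class ExampleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IAccountService accountService;
    public ExampleAuthorizationServerProvider(IAccountService accountService) => this.accountService = accountService;

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public client without a client secret: accept it so the token endpoint is reachable.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var user = await accountService.LoginAsync(context.UserName, context.Password);
        if (user == null)
        {
            // The middleware still answers HTTP 400, as RFC 6749 §5.2 requires, and
            // serialises {"error":"invalid_grant","error_description":"..."} as the body.
            // One shared message for "no such user" and "wrong password" avoids user enumeration.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()));
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}

// Hypothetical account service contract assumed by the example above.
public interface IAccountService
{
    Task<AppUser> LoginAsync(string userName, string password);
}
public class AppUser { public int Id { get; set; } public string UserName { get; set; } }
```

The client then branches on the `error` value of the JSON body rather than on the HTTP status code.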
