I have been testing the WsFederation middleware but I cannot get it to work correctly with the "<authorization>"-element in web.config. The host is IIS and I use the Microsoft.Owin.Host.SystemWeb to hook the pipeline.
I always get a 401 Access Denied when accessing a protected path (without being logged in) instead of the redirect to the federation server. It does work if I use the "Authorize" functionality in MVC but I can't use that in this scenario.
So I started looking at the source, and the WsFederation middleware never calls UseStageMarker, which in my limited OWIN knowledge would mean that it runs on the PreExecuteRequestHandler-event, which never gets called when using URL authorization.
So to get it to work I had to add the stage marker myself, like this (I removed some config code from the sample, just to show the flow of the method I am calling):
//Had to add this hack:
So I started looking at a few more middlewares, and it's only the CookieAuthentication and the OAuthBearerAuthentication that set up the stage marker correctly.
So my question: am I doing something wrong here, or is it a bug in the middleware?
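For readers following the question, this is roughly what the workaround described above looks like in an OWIN `Startup` class. It is an added illustration, not the poster's code (which did not survive on this page); the metadata URL and realm are placeholder values, and the middleware order is an assumption.

```csharp
using Microsoft.Owin.Extensions;            // UseStageMarker extension method
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // WS-Federation signs the user in through the cookie middleware.
        app.SetDefaultSignInAsAuthenticationType(
            CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // Placeholder values, not taken from the post.
            MetadataAddress = "https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml",
            Wtrealm = "urn:example:relying-party"
        });

        // With Microsoft.Owin.Host.SystemWeb, a stage marker assigns every
        // middleware registered above it (back to the previous marker) to the
        // named IIS integrated-pipeline stage. Without one, middleware runs at
        // the default stage, PipelineStage.PreHandlerExecute, which is after
        // the <authorization> element has been evaluated.
        app.UseStageMarker(PipelineStage.Authenticate);

        // Middleware registered below this line is not affected by the marker
        // above and runs at a later stage.
    }
}
```

When checking a deployment, confirm that a request to a path denied by `<authorization>` for anonymous users returns a redirect to the federation server rather than a bare 401, and that authenticated requests to the same path still pass the URL authorization rules.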