AuthenticationHandler implementation questions

Jul 24, 2013 at 5:57 PM
I am trying to implement an AuthenticationHandler for doing HMAC authentication. I am trying to use the existing infrastructure classes in Microsoft.Owin.Security, so my handler is deriving from AuthenticationHandler<T>. The implementation overrides two methods so far, AuthenticateCore and ApplyResponseChallenge.

The first draft of the implementation is located here, https://gist.github.com/pcibraro/6072778

It's not working, and I have a few questions so far,
  1. The method AuthenticateCore. What's the expected behavior for this method if something is not ok about the request, should it return null? In addition to returning null, should it be possible to write what the problem was in the Response? It looks like returning null is not working.
  2. ApplyResponseChallenge is never called in my implementation. I have a Web API controller with the AuthorizeAttribute also configured as part of the application. The client receives a 401, which is fine, but the Challenge is never sent.
Thanks
Pablo.
Jul 26, 2013 at 3:47 PM
Hi Pablo,

How do you register your AuthHandler at the AppBuilder? Do you use a custom sub-class of AuthenticationMiddleware?

Wishes,
Manfred
Jul 26, 2013 at 3:55 PM
Hi Manfred,

Yes, I used a custom AuthenticationMiddleware class. I already solved the issue, thanks. The solution was to return an AuthenticationTicket with a null identity as part of the AuthenticateCore method.

Thanks
Pablo.
Jul 26, 2013 at 4:25 PM
Hi Pablo,

I see. Have you found out what's the difference between returning null and returning an AuthenticationTicket with a null identity? The available implementations seem to do both (for instance see [1]).

Wishes,
Manfred

[1] http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationHandler.cs
Jul 26, 2013 at 5:44 PM
Returning null only seems to be working for passive implementations (Passive = OAuth/Forms), which rely on additional HTTP redirections. For active implementations such as basic or HMAC, returning null breaks everything.

Thanks
Pablo.
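
The pattern reported in this thread, as an added example that is not part of the thread or of the linked gist: an active HMAC handler that returns an AuthenticationTicket with a null identity on every failure path and adds a challenge to 401 responses. It uses the override names from the released Microsoft.Owin.Security packages (AuthenticateCoreAsync, ApplyResponseChallengeAsync) rather than the pre-release names used above. HmacOptions, HmacHandler, the "HMAC" header format and the string-to-sign are assumptions made for illustration.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical options type; a real deployment would look the secret up per client id.
public class HmacOptions : AuthenticationOptions
{
    public HmacOptions() : base("HMAC") { AuthenticationMode = AuthenticationMode.Active; }
    public byte[] Secret { get; set; }
}
public class HmacHandler : AuthenticationHandler<HmacOptions>
{
    // Failed authentication: a ticket with a null identity (the fix reported in the thread), not a null ticket.
    private static Task<AuthenticationTicket> Fail() { return Task.FromResult(new AuthenticationTicket(null, new AuthenticationProperties())); }

    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        // Assumed header format: "Authorization: HMAC <client-id>:<base64 signature>"
        string header = Request.Headers.Get("Authorization");
        if (header == null || !header.StartsWith("HMAC ", StringComparison.Ordinal)) return Fail();
        string[] parts = header.Substring(5).Split(':');
        if (parts.Length != 2) return Fail();
        byte[] sent;
        try { sent = Convert.FromBase64String(parts[1]); } catch (FormatException) { return Fail(); }
        // Assumed string-to-sign: method and absolute URI. A real scheme also signs a date or nonce against replay.
        byte[] expected;
        using (var hmac = new HMACSHA256(Options.Secret))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(Request.Method + "\n" + Request.Uri.AbsoluteUri));
        // Compare without an early exit so timing does not reveal how many bytes matched.
        int diff = sent.Length ^ expected.Length;
        for (int i = 0; i < sent.Length && i < expected.Length; i++) diff |= sent[i] ^ expected[i];
        if (diff != 0) return Fail();
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, parts[0]) }, Options.AuthenticationType);
        return Task.FromResult(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }

    protected override Task ApplyResponseChallengeAsync()
    {
        // Add the challenge only when a later component (e.g. AuthorizeAttribute) produced a 401.
        if (Response.StatusCode == 401 && Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode) != null)
            Response.Headers.AppendValues("WWW-Authenticate", "HMAC");
        return Task.FromResult<object>(null);
    }
}
```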