Trying to upgrade a web forms project that used forms auth, Web.config location headers URL authorization module, and WIF pipeline to owin (talking to AAD, via opened connect).
In short, is it FEASBILE to hook up old URL authorization web.config location headers with the owin pipeline?
Yes, we learned to disable the wif interceptors (and their session management, and protocol handlers). Yes, we learned to disable forms auth interceptor (so owing.cookies can play the same role). And, yes, we have built lots of samples, and example code.
But, we have deployed code featuring location headers (i.e. URL authorization).
MUST they go? Since perhaps URL authorization, web.config configuration thereof, and OWIN cookies really don't get along?
Wanting intuitive response. Where to place energy.