Home

Awesome

WebApi-AuthenticationFilter

The missing AuthenticationFilterAttribute from ASP.NET Web API 2.

Motivation

ASP.NET Web API 2 has introduced a new filter interface, IAuthenticationFilter, which can be used to provide custom authentication to APIs powered by the framework. If you used the IAuthorizationFilter interface in the past to implement both authentication and authorization, now you can split those two concerns into separate classes.

But contrary to what you may expect, there's no AuthenticationFilterAttribute class to extend, as you would do for all other filters. According to Web API devs, that's by design since they don't expect the average user to use an authentication filter.

So that's what this simple project is all about: to fill that gap and provide an AuthenticationFilterAttribute class that you can use the same way you use all other Web API filters.

Installation

To install WebApi.AuthenticationFilter, run the following command in the Package Manager Console inside Visual Studio:

Install-Package WebApi.AuthenticationFilter

The package currently depends on Microsoft ASP.NET Web API 2.1 Core (≥ 5.0)

Basic usage

You can use the AuthenticationFilterAttribute class either synchronously or asynchronously:

Synchronously

using WebApi.AuthenticationFilter;

public class AuthenticationFilter : AuthenticationFilterAttribute
{
	public override void OnAuthentication(HttpAuthenticationContext context)
	{
        if (!Authenticate(context))
        {
            context.ErrorResult = new StatusCodeResult(HttpStatusCode.Unauthorized, 
                context.Request);
        }
	}

    private bool Authenticate(HttpAuthenticationContext context)
    {
        // Authenticates the request 
    }
}

Asynchronously

using WebApi.AuthenticationFilter;

public class AuthenticationFilter : AuthenticationFilterAttribute
{
	public async override Task OnAuthenticationAsync(HttpAuthenticationContext context, 
        CancellationToken cancellationToken)
	{            
        if (!await Authenticate(context))
        {
            context.ErrorResult = new StatusCodeResult(HttpStatusCode.Unauthorized, 
                context.Request);
        }            
	}

    private Task<bool> Authenticate(HttpAuthenticationContext context)
    {
        // Authenticates the request 
    }
}

Now all you have to do is register your filter, typically in the WebApiConfig.cs file:

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {     
        config.Filters.Add(new AuthenticationFilter());
    }
}