Closed leastprivilege closed 11 years ago
It makes sense. I will make this change too. I am wondering also what would be the correct approach if you have multiple auth schemes for the same service. For example, you expose the same service for .NET clients and Browsers (using ajax). For the first ones, you use Hawk, but for the browsers you rely on the user being authenticated in the web app with form authentication.
Follow this pattern:
The handler searches for a credential it understands. If found, try to authenticate. If that succeeds, set a principal. If not, error out. If the handler does not find a credential, do nothing and inherit the (anonymous) principal that came from the host.
The rest is sorted by [Authorize].
When you have factored out the implementation, I can integrate your Hawk implementation with Thinktecture.IdentityModel, which is a framework for multiple authentication methods.
https://github.com/thinktecture/Thinktecture.IdentityModel.45
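The pattern above (look for a credential this handler understands; authenticate it if present; error out if it is present but invalid; pass through untouched if absent) as an ASP.NET Web API `DelegatingHandler`. This is an added illustration, not code from this issue, from the Hawk implementation or from Thinktecture.IdentityModel. The actual Hawk parsing and MAC verification is assumed to live behind the `authenticate` delegate (the `HawkValidator.Validate` name in the usage comment is hypothetical); the handler only decides what to do with its result.

```csharp
// Added example, not from the issue or either project. Implements the
// "handle your own scheme, otherwise inherit the host principal" pattern.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;

public class SchemeAuthenticationHandler : DelegatingHandler
{
    private readonly string _scheme;
    // Assumption: returns an authenticated IPrincipal, or null on failure.
    // For Hawk this would wrap the library's header parsing + MAC check.
    private readonly Func<string, IPrincipal> _authenticate;

    public SchemeAuthenticationHandler(string scheme, Func<string, IPrincipal> authenticate)
    {
        _scheme = scheme;
        _authenticate = authenticate;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue header = request.Headers.Authorization;

        // 1. No credential this handler understands: do nothing. The principal
        //    set by the host (anonymous, or the forms-auth user for the browser
        //    clients in the question) flows through unchanged, so a second
        //    handler for another scheme, or [AllowAnonymous], still works.
        if (header == null ||
            !string.Equals(header.Scheme, _scheme, StringComparison.OrdinalIgnoreCase))
        {
            return await base.SendAsync(request, cancellationToken);
        }

        // 2. Credential present: try to authenticate it. Parse or MAC
        //    failures are treated exactly like a wrong credential.
        IPrincipal principal = null;
        try
        {
            principal = _authenticate(header.Parameter);
        }
        catch (Exception)
        {
            principal = null;
        }

        // 3. Present but invalid: error out here. A forged or malformed Hawk
        //    header must never fall through to the anonymous principal.
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            var response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(_scheme));
            return response;
        }

        // 4. Valid: set the principal so [Authorize] downstream sees it.
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = principal;
        }

        return await base.SendAsync(request, cancellationToken);
    }
}

// Registration (HawkValidator.Validate is a hypothetical name for the
// library's validation routine):
//
//   config.MessageHandlers.Add(
//       new SchemeAuthenticationHandler("Hawk", HawkValidator.Validate));
```

With this shape the handler never rejects a request merely because the Hawk header is missing, which is what lets a `[AllowAnonymous]` action, or a request already authenticated by forms authentication in the host, reach the controller; `[Authorize]` alone decides whether an unauthenticated principal is acceptable for a given action.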
Done
You enforce an authorization header with credentials for every request.
The controller could have [AllowAnonymous] though.