How to Setup & Use Authentication Filters in ASP.Net

By QArea Expert, October 14, 2014


Authentication filters are a standard part of ASP.NET programming. A filter authenticates the credentials carried by an incoming HTTP request before the request reaches your action code, and the mechanism is supported by both ASP.NET Web API 2 and MVC 5. You can apply a filter to a single action, to a whole controller, or globally to every controller in the application, and you can register several filters so that one application accepts several authentication schemes (for example Basic and Bearer) side by side. An authentication filter only establishes who the caller is; whether an anonymous or authenticated caller is allowed through is still decided by authorization, typically the [Authorize] attribute.

How to Setup Authentication Filters

You can apply an authentication filter to a single action, to a whole controller, or to the whole Web API. To apply Basic authentication to one controller, put the [IdentityBasicAuthentication] filter on the controller class together with [Authorize], so that requests without valid credentials are rejected. (IdentityBasicAuthenticationAttribute is not part of the framework; it is the filter class you implement yourself, as described later in this article.)

[IdentityBasicAuthentication] // Enable Basic authentication for this controller.
[Authorize] // Require authenticated requests.
public class HomeController : ApiController
{
    public IHttpActionResult Get() { ... }
    public IHttpActionResult Post() { ... }
}

To apply the authentication filter to a single action instead, put the attribute on the action method. Here only Post runs the Basic authentication filter; Get is still covered by the controller-level [Authorize], so it needs some other filter to supply a principal.

[Authorize] // Require authenticated requests.
public class HomeController : ApiController
{
    public IHttpActionResult Get() { ... }

    [IdentityBasicAuthentication] // Enable Basic authentication for this action.
    public IHttpActionResult Post() { ... }
}

To apply the filter to every Web API controller, add it to the global filter collection (GlobalConfiguration.Configuration.Filters) in WebApiConfig.Register:

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new IdentityBasicAuthenticationAttribute());
        // Other configuration code not shown.
    }
}

How to Implement a Web API Authentication Filter

The attribute used above does not come with the framework; you write it. To implement an authentication filter, create a class that implements the System.Web.Http.Filters.IAuthenticationFilter interface. If you want to apply the filter as an attribute, as in the examples above, the class must also derive from System.Attribute.

IAuthenticationFilter defines two methods:

  • AuthenticateAsync: validates the credentials in the request, if there are any, before the action runs
  • ChallengeAsync: adds an authentication challenge to the HTTP response when one is needed

The two methods follow the standard HTTP authentication flow. A client may send an Authorization header with its very first request; it does not have to wait for a 401 Unauthorized response before sending credentials. Typically, though, a client first sends an anonymous request, receives a 401, and then repeats the request with an Authorization header.

If a request carries no credentials, or the server rejects the credentials it carries, the server returns a 401 response. The WWW-Authenticate header of that response contains one or more challenges, each naming an authentication scheme the server accepts (for example Basic or Bearer), so the client knows what kind of credentials to send.

The server does not necessarily return 401 for an anonymous request. If the resource allows anonymous access, the request is simply served; the challenge only comes back when a request reaches a resource that requires authentication.

In short: the client sends an anonymous request; the server answers 401 with a challenge; the client resends the request with credentials; the server validates them and serves the response. It is a two-way exchange.

Let’s understand how the two methods defined earlier in this section are implemented.

AuthenticateAsync Method

This method authenticates the request the client sent.

Task AuthenticateAsync(
    HttpAuthenticationContext context,
    CancellationToken cancellationToken);

The method can do one of three things:

  1. Nothing (no-op)
  2. Create an IPrincipal and set it on the request
  3. Set an error result

The approach is: first look for credentials in the request. If there are no credentials, do nothing. If there are credentials but the filter does not recognize the authentication scheme, also do nothing (no-op), because another filter may understand that scheme. If the filter recognizes the scheme but the credentials are bad, set context.ErrorResult to a result that produces a 401 response. Finally, if the credentials are valid, the filter creates an IPrincipal and assigns it to context.Principal.

ChallengeAsync Method

Here authentication challenges are added to the response that the server sends to the client.

Task ChallengeAsync(
    HttpAuthenticationChallengeContext context,
    CancellationToken cancellationToken);

When ChallengeAsync is called, context.Result holds the IHttpActionResult that will become the HTTP response.

The method works like this: replace context.Result with a new result that wraps the original one. When the wrapper is executed, it runs the inner result, examines the response it produced, and, if the status code is 401, adds a challenge (a WWW-Authenticate header) to the response before returning it.
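The complete filter, as an added example that is not part of the original article or of Microsoft's sample code: an HTTP Basic filter implementing both IAuthenticationFilter methods according to the flow above. The user "alice", her password, the realm name "example" and the IsValidUser check are constructed for the example only.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Added example, not the article's code. IsValidUser is a constructed stand-in
// for a real credential store, which would compare against password hashes.
public class IdentityBasicAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    private const string Realm = "example"; // constructed realm name

    // Required by IFilter, the base interface of IAuthenticationFilter.
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        HttpRequestMessage request = context.Request;
        AuthenticationHeaderValue auth = request.Headers.Authorization;

        // 1. No credentials: no-op. [Authorize] decides later whether anonymous access is allowed.
        if (auth == null) return Task.FromResult(0);

        // 2. Credentials for a scheme this filter does not handle (e.g. Bearer): no-op,
        //    so another filter on the same action can process them.
        if (!string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);

        // 3. Basic credentials that are malformed or wrong: set an error result (a 401).
        //    ChallengeAsync adds the WWW-Authenticate header to it afterwards.
        string userName, password;
        if (!TryParseBasicParameter(auth.Parameter, out userName, out password)
            || !IsValidUser(userName, password))
        {
            context.ErrorResult = new ResponseMessageResult(new HttpResponseMessage(HttpStatusCode.Unauthorized)
                { RequestMessage = request, ReasonPhrase = "Invalid username or password" });
            return Task.FromResult(0);
        }

        // 4. Valid credentials: create the IPrincipal for the rest of the pipeline.
        context.Principal = new GenericPrincipal(new GenericIdentity(userName, "Basic"), new string[0]);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // Wrap whatever result the pipeline produced; the wrapper adds the challenge
        // only if the final response turns out to be a 401.
        var challenge = new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\"");
        context.Result = new AddChallengeOnUnauthorizedResult(challenge, context.Result);
        return Task.FromResult(0);
    }

    // Decodes base64("user:password"); rejects bad Base64, an empty user name and a missing ':'.
    private static bool TryParseBasicParameter(string parameter, out string userName, out string password)
    {
        userName = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon < 1) return false;
        userName = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1); // the password itself may contain ':'
        return true;
    }

    // Constructed check for this example only; production code compares password hashes.
    private static bool IsValidUser(string userName, string password)
    {
        return userName == "alice" && password == "correct horse battery staple";
    }
}

// Wrapper set by ChallengeAsync: runs the inner result, then appends the challenge on 401.
public class AddChallengeOnUnauthorizedResult : IHttpActionResult
{
    private readonly AuthenticationHeaderValue challenge;
    private readonly IHttpActionResult inner;

    public AddChallengeOnUnauthorizedResult(AuthenticationHeaderValue challenge, IHttpActionResult inner)
    { this.challenge = challenge; this.inner = inner; }

    public async Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await inner.ExecuteAsync(cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(challenge);
        return response;
    }
}
```

Apply it as [IdentityBasicAuthentication] on a controller or action together with [Authorize], or register it globally with config.Filters.Add, as shown earlier. Two things to keep in mind: Basic sends the user name and password as plain Base64 text, so expose it only over HTTPS; and a real IsValidUser should compare a salted password hash rather than a plaintext value.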