Custom authorizations in Web.API

Authorization is done in an authorization filter - that mean you derive from System.Web.Http.AuthorizeAttribute and implement the IsAuthorized method.

You don't implement authorization in a normal action filter because they run later in the pipeline than authorization filters.

You also don't implement authentication in a filter (like parsing a JWT) - this is done even earlier in an extensibility point called MessageHandler.


The method we use for is an custom ApiAuthorize attribute that inherits from System.Web.Http.AuthorizeAttribute. for example:

public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    readonly CreditPointModelContext _ctx = new CreditPointModelContext();

    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        if(Authorize(actionContext))
        {
            return;
        }
        HandleUnauthorizedRequest(actionContext);
    }

    protected override void HandleUnauthorizedRequest(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var challengeMessage = new System.Net.Http.HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
        challengeMessage.Headers.Add("WWW-Authenticate", "Basic");
        throw new HttpResponseException(challengeMessage);

    }

    private bool Authorize(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        try
        {
            //boolean logic to determine if you are authorized.  
            //We check for a valid token in the request header or cookie.


        }
        catch (Exception)
        {
            return false;
        }
    }
}