I need to support mixed (Cookie+Basic or Cookie+Digest) authentication in ASP.NET MVC5 OWIN project(s).
The goal is to make it easy to add Basic or Digest authentication to any Visual Studio project that uses Cookie or other custom authentication (by using our custom wizard).
Mixed authentication (i.e. Cookie+Basic) should work as follows:
- Try cookie authentication;
- If the above fails with error 403 (in our case, if a resource is accessed from an MS Office app), instead of the "403 unauthorized" response, issue Basic authentication.
The above is also called Mixed Authentication Disposition, and we have been using a custom HTTP module to achieve this in previous versions of Visual Studio, before MVC5 / OWIN.
The easiest solution that I'm going to implement now is:
- Create a copy of the Microsoft.Owin.Security.Cookies middleware from the Katana project sources;
- Implement fallback to Basic (or Digest) authentication in the AuthenticationHandler implementation. For Basic authentication I'm going to use the implementation from the Thinktecture.IdentityModel library.
- Make the project use the new middleware instead of the cookies middleware.
Unfortunately, a lot of classes in the Microsoft implementation have the "internal" access modifier, thus I find myself having to copy a lot of code from the Microsoft implementation.
Any better suggestions on how to implement fallback from Cookie to Basic or Digest authentication (I need both implementations) when error 403 is received?
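
The disposition described in the question (cookie first, Basic when the result is a 403), sketched as a separate OWIN middleware; this is an added example, not part of the original post and not Katana or Thinktecture code. The class name, the `validate` delegate and the realm are hypothetical, and it assumes the cookie middleware does not turn these 401 responses into a login-page redirect.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;

// Added example. Register ahead of the cookie middleware: app.Use<CookieToBasicFallback>(validate);
public class CookieToBasicFallback : OwinMiddleware
{
    private const string Realm = "example-realm"; // constructed placeholder
    private readonly Func<string, string, Task<ClaimsIdentity>> _validate; // hypothetical; null = rejected

    public CookieToBasicFallback(OwinMiddleware next,
        Func<string, string, Task<ClaimsIdentity>> validate) : base(next) { _validate = validate; }

    public override async Task Invoke(IOwinContext context)
    {
        string user, password;
        // Basic exposes the password to anyone on the path, so accept it over TLS only.
        if (context.Request.IsSecure &&
            TryReadBasic(context.Request.Headers.Get("Authorization"), out user, out password))
        {
            ClaimsIdentity identity = await _validate(user, password);
            if (identity != null) context.Request.User = new ClaimsPrincipal(identity);
        }
        context.Response.OnSendingHeaders(_ =>
        {
            var principal = context.Request.User; // includes a cookie identity if one was added
            bool signedIn = principal != null && principal.Identity != null && principal.Identity.IsAuthenticated;
            // A 403 for a signed-in user is a real authorization failure and stays a 403.
            if (context.Response.StatusCode == 403 && !signedIn && context.Request.IsSecure)
            {
                context.Response.StatusCode = 401;
                context.Response.Headers.Set("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
            }
        }, null);
        await Next.Invoke(context);
    }

    private static bool TryReadBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':'); // the password may itself contain ':'
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}
```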