If you are using IdentityModel and the AuthenticationHandler to secure your Web APIs – we have some good and some bad news.
The good news is, that IdentityModel continues to work in Web API v2 when using the “standard” hosting model (ASP.NET).
Unfortunately, and due to a breaking change, it won’t work anymore when you switch to OWIN/Katana hosting. The reason for that is that ApiController.User is not backed by Thread.CurrentPrincipal anymore (but the new RequestContext). All code relying on .User (or AuthorizeAttribute) will break.
Many of the things that AuthenticationHandler does for you can now be established with the new Katana authentication middleware, e.g. parsing and validation JWTs. Some other things are still missing.
Let us know if you need AuthenticationHandler in an OWIN environment, so we can find out if that is an issue for many people or not (and provide a solution for it).
Filed under: IdentityModel, Katana, WebAPI
