ASP.NET Core 1.0.1 Hosting: Basic Authentication Using Message Handlers In Web API

In order to authenticate callers of a Web API, we can use basic authentication. This authentication can be performed either with HTTP handlers or with message handlers. The two handler types differ, and message handlers are the ones specific to Web API. In this article, we will see how to use a message handler to perform basic authentication of the user.

To start with, we will create a blank solution and add a new project of type Web API. Next, we add a Web API type Controller with a simple method GetData that takes an integer value as input and returns a string. So, the Web API will look like the following.

Next, we will create a new message handler. We add a new class named MessageHandlerAuthentication and derive it from the DelegatingHandler class. This class contains a virtual method of the following type.

In Web API, before a request reaches the Controller, it has to pass through a series of message handlers. The custom handler we added above is of the same type and will be added to the request pipeline. So, before the request reaches the Controller, this handler will be executed, and the SendAsync method above will contain the logic to validate the request. If validation succeeds, the request is allowed to pass further to the next handler in the pipeline through the "base.SendAsync" call in the above method; if it fails, the handler returns a response itself and the Controller is never reached.

When the request is validated successfully, we need to attach an IPrincipal type object to the current Thread and the current HttpContext. So we add a new class named CustomPrincipal that implements IPrincipal. We also add a new property named UserRole to hold the current user's role. Now, the code will look like the following,

Next, we will add the custom validation logic. Since we are using basic authentication, we will add a method that reads the Authorization header and validates the credentials provided. If the credentials are valid, it sets the IPrincipal object on the current thread and the current HttpContext. So, the code will look like the following.

Now, we will add the message handler to the Web API pipeline, using the following code in the Register method of the WebApiConfig.cs file.

The authentication mechanism is in place, but we also need to make sure that the controller method is not executed when the credentials are invalid. To do this, we add the Authorize attribute on the controller method. If the credentials are not valid, the request will not reach the method.

Run the application and make a request using the Postman app. The request will first hit the message handler and, if validated, will go on to call the method; otherwise, it will return HTTP status code 401 Unauthorized.

Further, in order to authorize based on roles, we just need to add the role names to the Authorize attribute. While generating the IPrincipal object, we already provided the role name. So, when the Controller method is about to be called, the role specified in the Authorize attribute is verified against the role we provided in the IPrincipal object.
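The handler and principal described in the steps above, written out as an added example (not the article's own listings, which are not reproduced here). The credential check against "admin" / "P@ss" and the "Admin" role are constructed for the example; a real application looks the user up in a store of salted password hashes.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
public class CustomPrincipal : IPrincipal
{
    public IIdentity Identity { get; private set; }
    public string UserRole { get; private set; }
    public CustomPrincipal(string name, string role) { Identity = new GenericIdentity(name, "Basic"); UserRole = role; }
    // [Authorize(Roles = "...")] ends up calling IsInRole, so it must compare against UserRole.
    public bool IsInRole(string role) => string.Equals(UserRole, role, StringComparison.OrdinalIgnoreCase);
}
public class MessageHandlerAuthentication : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        CustomPrincipal principal;
        if (auth != null && auth.Scheme == "Basic" && TryValidate(auth.Parameter, out principal))
        {
            // Attach the principal to the thread and the HttpContext, then let the request continue down the pipeline.
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null) HttpContext.Current.User = principal;
            return await base.SendAsync(request, cancellationToken);
        }
        // Stop here, before any controller runs; the challenge header tells the client which scheme to use.
        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }
    // The Basic parameter is base64("user:password"): encoding only, not encryption, so the API must be served over TLS.
    private static bool TryValidate(string parameter, out CustomPrincipal principal)
    {
        principal = null; string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); }
        catch (FormatException) { return false; } // malformed base64 is a failed login, not a server error
        int sep = decoded.IndexOf(':');
        if (sep < 1) return false;
        string user = decoded.Substring(0, sep), password = decoded.Substring(sep + 1);
        if (user != "admin" || password != "P@ss") return false; // constructed check; real code verifies a salted hash
        principal = new CustomPrincipal(user, "Admin"); return true;
    }
}
```

Register it in WebApiConfig.Register with config.MessageHandlers.Add(new MessageHandlerAuthentication()); a controller method marked [Authorize(Roles = "Admin")] is then reached only when the principal's UserRole matches.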