Owin : Unauthorised webapi call returning login page rather than 401

[Yassine-Khechane]

In my mvc application, i've configured OpenIdConnect and CookieAuthentication middlewares.

When i trigger web api call from ajax, the web api, depending on the inputs data, returns Unauthorized code, the problem is that the request is captured and transformed to 302 to display the login page !

[Tratcher]

If you have them set to Active then they will trigger logins for 401 responses. Are you getting the OIDC or Cookie login page? If it's OIDC then you either need to set that to not Active, or explicity challenge Cookies and then this logic will take over:

AspNetKatana/src/Microsoft.Owin.Security.Cookies/Provider/DefaultBehavior.cs

Line 16 in b850cd8

if (IsAjaxRequest(context.Request))

[Yassine-Khechane]

Its OIDC middleware that catch the 401 and turn it to 302, when I disable it (set the authentication mode to passive), I get 401 from my api, the problem is when I request a secure page on my application, I get also a 401 instead of redirecting the user to the login page.
If I explicitly request the login page and set the challenge type (owinContext.Authentication.Challenge(authenticationProperties, "opid");) it works fine

[Yassine-Khechane]

Thanck you for your help, it works now..., i changed my custome auth attribute

public void OnAuthorization(AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.HttpContext.GetOwinContext().Authentication.Challenge("oidc");
filterContext.Result = new System.Web.Mvc.HttpUnauthorizedResult();
}
....
}