Developing Custom Authentication

    • CheckAuthentication – phase for checking if a user is already authenticated before all authentication mechanisms kick in.
    • Auth provider interceptor tries to find a principal in the context of the current call.
    • If the principal is found, it is returned, and the pipeline is finished.
    • If the principal is not found, the provider will add a challenge to AuthenticationContext.
    • At the end of the pipeline, if there is no principal, we start calling challenges in order.
    • Basic auth examines the Authorization header.
    • If it’s missing or invalid, or the user is not recognized, a 401 Unauthorized is sent back to the client, and the current call ends.
    • The browser displays a login dialog, and after credentials are provided, it makes a new HTTP request with a proper Authorization header.
    • Basic auth provider examines the new header, extracts credentials, and verifies them.
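
The flow above, as a framework-independent Python model (an added example, not code from the original page or from any framework). `AuthContext`, `parse_basic`, `basic_provider`, `authenticate`, the `example` realm and the `USERS` store are assumed names with constructed values.

```python
import base64
import hmac

USERS = {"alice": "s3cret-constructed"}  # constructed sample credential store

class AuthContext:
    """Per-call state: the principal (if any) and the queued challenges."""
    def __init__(self, headers):
        self.headers = headers
        self.principal = None
        self.challenges = []

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if missing/invalid."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def basic_provider(ctx, realm="example"):
    """CheckAuthentication step: set the principal, or queue a challenge."""
    creds = parse_basic(ctx.headers.get("Authorization"))
    if creds:
        expected = USERS.get(creds[0])
        # Constant-time comparison; unknown users are compared against an empty value.
        ok = hmac.compare_digest((expected or "").encode(), creds[1].encode())
        if expected is not None and ok:
            ctx.principal = creds[0]
            return
    header = {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}
    ctx.challenges.append(lambda: (401, header))

def authenticate(headers, providers=(basic_provider,)):
    """Run providers in order; finish on the first principal, else call challenges in order."""
    ctx = AuthContext(headers)
    for provider in providers:
        provider(ctx)
        if ctx.principal is not None:
            return 200, {}, ctx.principal
    for challenge in ctx.challenges:
        response = challenge()
        if response:
            return (*response, None)
    return 401, {}, None
```

Missing, malformed and wrong credentials all produce the same 401 and challenge header, so the response does not reveal which check failed.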