Developing Custom Authentication
CheckAuthentication – phase for checking if a user is already authenticated before all authentication mechanisms kick in.
- Auth provider interceptor tries to find a principal in the context of the current call.
- If the principal is found, it is returned, and the pipeline is finished.
- If the principal is not found, the provider will add a challenge to AuthenticationContext.
- At the end of the pipeline, if there is no principal, we start calling challenges in order.
- Basic auth examines the Authorization header.
- If it's missing or invalid, or the user is not recognized, a 401 Unauthorized is sent back to the client, and the current call ends.
- The browser displays a login dialog, and after credentials are provided, it makes a new HTTP request with a proper Authorization header.
- Basic auth provider examines the new header, extracts credentials, and verifies them.
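
The flow above, modelled as an added example in plain Python; it is not the framework's own code or API. The names `parse_basic`, `basic_provider`, `authenticate`, the dict-based call and context, and the `USERS` store are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example; real code stores password hashes.
USERS = {"alice": "s3cret"}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if missing/invalid."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def basic_provider(call, context):
    """Provider step: keep an existing principal, else verify or register a challenge."""
    if context["principal"] is not None:
        return
    creds = parse_basic(call["headers"].get("Authorization"))
    if creds:
        expected = USERS.get(creds[0])
        # Constant-time comparison; unknown users are compared against a dummy value.
        ok = hmac.compare_digest((expected or "\0").encode(), creds[1].encode())
        if expected is not None and ok:
            context["principal"] = creds[0]
            return
    context["challenges"].append(
        lambda: (401, {"WWW-Authenticate": 'Basic realm="example", charset="UTF-8"'}))

def authenticate(call, providers):
    """Run providers; with no principal at the end, answer with the first challenge."""
    context = {"principal": call.get("principal"), "challenges": []}
    for provider in providers:
        provider(call, context)
        if context["principal"] is not None:
            break  # principal found: the pipeline is finished
    if context["principal"] is not None:
        return 200, {}, context["principal"]
    if context["challenges"]:
        status, headers = context["challenges"][0]()
        return status, headers, None  # 401 goes to the client and the call ends
    return 401, {}, None
```

Missing, malformed and wrong credentials all take the same challenge path, so the 401 response does not tell the client which of the three occurred.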