I've come across a controller method marked with System.Web.Http.OverrideAuthenticationAttribute in my current Web API project and I'm curious what this is for?
Searching Google and Stack Overflow doesn't answer the question. The MSDN documentation doesn't contain much information. It only says the following:
Represents a filter attribute that overrides authentication filters defined at a higher level.
Also, I've taken a look into the sources:
public sealed class OverrideAuthenticationAttribute : Attribute, IOverrideFilter, IFilter
{
    public bool AllowMultiple
    {
        get
        {
            return false;
        }
    }

    public Type FiltersToOverride
    {
        get
        {
            return typeof(IAuthenticationFilter);
        }
    }
}
But this doesn't shed much light.
So could anybody explain what the purpose of using the OverrideAuthenticationAttribute is? And please give some use cases of it for better understanding.
The OverrideAuthentication attribute is used to suppress global authentication filters, which means that all global Authentication filters (implementing IAuthenticationFilter) will be disabled when using this filter.
Let's say you have a global authentication filter called BasicAuth:
public class BasicAuthAttribute : ActionFilterAttribute, IAuthenticationFilter
{
    public void OnAuthentication(AuthenticationContext filterContext)
    { }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}
And the filter is configured as a Global filter for all controllers with this code:
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new BasicAuthAttribute());
    }
}
Let's say you want to use a different authentication strategy on a single controller or controller action. In that case you could disable the global auth. filters using the OverrideAuthentication attribute, and then configure a new filter you want to use for that specific action. This is helpful when you are integrating with external login providers, and you don't want any existing Global auth filters to mess up your external login authentication.
In the code below the global authentication filters are disabled, and then the HostAuthentication filter is enabled for a single action to enable external login providers (e.g. Facebook):
// GET api/Account/ExternalLogin
[OverrideAuthentication]
[HostAuthentication(Startup.ExternalCookieAuthenticationType)]
[AllowAnonymous]
[HttpGet("ExternalLogin", RouteName = "ExternalLogin")]
public async Task<IHttpActionResult> ExternalLogin(string provider)
{
    // Auth code
}
OverrideAuthentication is for overriding the authentication filters configured at higher levels. Say, you have an authentication filter applied globally like this.
// Applied globally in WebApiConfig
config.Filters.Add(new MyAuthenticationFilter());
And, you want to stop this filter from running for a specific action method or a controller. You can use OverrideAuthentication at that level, like this.
public class ValuesController : ApiController
{
    [OverrideAuthentication]
    public string Get()
    { ... }
}
Now, in the above example, you have MyAuthenticationFilter applied globally. Say, you want to override that and run another filter, say MyAnotherAuthenticationFilter only for the Post action method. You can do something like this.
public class ValuesController : ApiController
{
    // Removes all authentication filters applied globally or at the controller level
    [OverrideAuthentication]
    [MyAnotherAuthentication] // Puts back only MyAnotherAuthenticationFilter
    public string Post(...)
    { ... }
}
More info here. Check out the "Filter Overrides" section.
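Both answers show that an action carrying [OverrideAuthentication] with no replacement filter runs without any authentication filter. The following is an added example, not part of the original answers or of the framework: a reflection-based audit that lists such actions. The class name OverrideAuthenticationAudit and its output format are hypothetical, and it assumes authentication filters are declared as attributes (filters supplied by a custom filter provider, message handlers or OWIN middleware are not seen).

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Http;
using System.Web.Http.Filters;

// Hypothetical audit helper (not framework code): reports Web API actions where an
// authentication override leaves no attribute-declared authentication filter in effect.
public static class OverrideAuthenticationAudit
{
    // True if the member carries an override aimed at IAuthenticationFilter.
    static bool OverridesAuth(MemberInfo member)
    {
        return member.GetCustomAttributes(true).OfType<IOverrideFilter>()
            .Any(o => o.FiltersToOverride == typeof(IAuthenticationFilter));
    }

    // Authentication filters declared as attributes on a controller type or action.
    static IEnumerable<IAuthenticationFilter> AuthFilters(MemberInfo member)
    {
        return member.GetCustomAttributes(true).OfType<IAuthenticationFilter>();
    }

    public static IEnumerable<string> Findings(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(ApiController).IsAssignableFrom(t));
        foreach (var controller in controllers)
        {
            // Public instance methods declared below ApiController are treated as actions.
            var actions = controller.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName && m.DeclaringType != typeof(ApiController)
                    && typeof(ApiController).IsAssignableFrom(m.DeclaringType));
            foreach (var action in actions)
            {
                bool atAction = OverridesAuth(action);
                if (!atAction && !OverridesAuth(controller)) continue; // nothing overridden

                // An override keeps filters at its own scope and narrower scopes only.
                var surviving = AuthFilters(action).ToList();
                if (!atAction) surviving.AddRange(AuthFilters(controller));

                if (surviving.Count == 0)
                    yield return controller.FullName + "." + action.Name
                        + ": authentication filters overridden, none re-applied";
            }
        }
    }
}
```

Calling Findings(typeof(ValuesController).Assembly) from a unit test would flag the Get action above, but not an action that pairs the override with a replacement such as [HostAuthentication(...)]. Each finding is a prompt to confirm the action is meant to be reachable without an authentication filter.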