How To Set Up and Use Authentication Filters in ASP.Net Web API 2

Over the years, ASP.Net has been recognized as one of the most trusted frameworks for building high-performing web applications. Plus, there is the ASP.NET Web API which serves as yet another impressive framework for building web APIs on top of the already popular .NET framework. With HTTP serving as a powerful platform for building APIs which expose data and services, it is essential for you to authenticate every HTTP request at the earliest. Fortunately, we have the authentication filters which make this possible. Today, through this tutorial, I intend to deliver some useful details about setting up and using Authentication filters in ASP.NET.

Authentication Filters in ASP.Net Web API 2

What exactly is an Authentication Filter?

Authentication filter is basically a component which authenticates an HTTP request. Supported by both, MVC5 and Web API 2, it differs slightly in terms of naming conventions applicable to the filter interface. With an authentication filter, you can easily set up an authentication scheme for individual actions or controllers. This would means that your web application would be able to support multiple authentication mechanisms available for different HTTP resources.
Authentication Filters in ASP.Net Web API 2

Setting up an Authentication Filter

An authentication filter can be easily applied on a per-action, per-controller or on a global basis, to all the available Web API controllers.
Now, in order to apply an authentication filter to a web controller, just add the filter attribute to the controller class. Below is the code snippet which sets [IdentityBasicAuthentication] filter on a controller class, which further enables Basic Authentication for all Web API controller actions:

Next, in order to apply the [IdentityBasicAuthentication] filter to controller’s Post method, use the below code snippet:

Additionally, for applying the filter to all Web API controllers, just add it to the GlobalConfiguration.Filters as shown in below code snippet:

A closer look at implementing Web API Authentication Filters

You must be aware of the fact that in Web API, authentication filters implement the interface named as: System.Web.Http.Filters.IAuthenticationFilter. These filters are also inherited from the System.Attribute, so as to be applied in the form of attributes.
The two methods included within the iAuthenticationFilter interface are:

    • AuthenticateAsync– this method authenticates the HTTP request by validating the available credentials
    • ChallengeAsync– this method adds an authentication challenge to HTTP response, if required

Both the above method correspond to authentication flow which is being defined in RFC 2612 and RFC 2617 as explained within the below two pointers:

  • The client will send all the credentials within the Authentication header after receiving a 401 response(i.e. An unauthorized response) from the web server.
  • If client doesn’t send any credentials to the server, the latter would return a 401(unauthorized) response which includes a Www-Authenticate header containing one or more challenges wherein each challenge will specify the authentication scheme that’s been recognized by the server.

Now, here’s a look at the steps which mark the handling of authentication using Authentication filters in Web API:

  • Step 1– Web API will create a list of all available authentication filters for the action that needs to be invoked. The list of authentication filters include controller scope, action scope and global scope.
  • Step 2– As per the second step, Web API will call AuthenticateAsync for every filter available within the list of authentication filters populated above. Here, each authentication filter will be able to validate the credentials in the respective HTTP request, following by creating IPrincipal and attaching the same to the request. Here, if a filter tends to trigger an error, the proceeding steps wouldn’t be applicable.
  • Step 3– Assuming that there’s no error in validating the credentials, Web API will call the ChallengeAsync method of every authentication filter. Now, every authentication filter will use this method for adding a challenge to the response.

Setting an Error Result

If the HTTP request credentials are found to be invalid, the authentication filter will set context.ErrorResult to the IHttpActionResult which will be creating an error response. Typically, a basic authentication sample already includes an AuthenticationFailureResult class which is used for handling error results during HTTP validation. The code snippet associated with the same is shown below:

That’s it!


With authentication being considered as a cornerstone of web application security, it is essential to use authentication filters that can establish a user’s identity by validating the entered credentials. I’m sure the details covered in this post would motivate you to pay special heed to the significance of having a secured Web API which authenticates HTTP requests on the basis of identity that’s been established.

Amanda Cline

Amanda Cline has been working as a professional ASP.NET developer with Xicom Technologies Ltd- a leading .Net Development Outsourcing Company offering a range of software solutions like IT Outsourcing Services, Custom Software Development and Web Application Development Services . She has been an avid writer and loves writing interesting and informative stuff on web and mobile applications.

Latest posts by Amanda Cline (see all)

Related Post


  1. Hi,
    Awesome! Article in this post i learn many thing Thanks For Sharing keep up it
    have a nice day


  2. Hi,

    Amazing post!
    Thanks for sharing with us, I really like your blog codingbyte.

    Thanks a lot


  3. Great post, but for me there is small confusing thing, on the third picture after Authentication filter step should be applied Authorization filter before Action method. Am I right or I didn’t understand properly.


Leave a Reply

Your email address will not be published. Required fields are marked *