Requiring multiple authentication schemes with Owin and WebApi and target class access

We need to secure our WebApi services with two separate authentication schemes, and we need both of them to be required.

Here's the scenario:

We have an internal service registry where service users register for an API key and shared secret. These are then used in a standard template to create an HMAC that is sent with every call to the web service. The API keys essentially represent a software system.

However, at the application level, we also want to authenticate our users separately. We are using the OAuthAuthorizationServerProvider to connect to LDAP to authenticate the user, pull some roles from within our application, and then create / return a bearer token.

I first tried to create a custom AuthenticationHandler Owin middleware to implement the HMAC scheme, but that didn't work the way I wanted. In that case, if either HMAC or OAuth is authenticated, the user is granted access.

What I did in the interim was change the HMAC logic into a more general OwinMiddleware. Here's a general idea of what I am doing:

using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Strategy that talks to the service registry; the page does not show its body.
public interface IHMACAuthStrategy
{
    bool DoAuthentication(IHeaderDictionary requestData, out string failureReason);
}

public class HMACOptions
{
    public IHMACAuthStrategy AuthStrategy { get; set; }
}

public class HMACMiddleware : OwinMiddleware
{
    private readonly HMACOptions _HMACOptions;

    // Registered with app.Use<HMACMiddleware>(app, options); OWIN supplies 'next' first.
    public HMACMiddleware(OwinMiddleware next, IAppBuilder app, HMACOptions options) : base(next)
    {
        _HMACOptions = options;
    }

    public override Task Invoke(IOwinContext context)
    {
        // Pull the headers used for HMAC generation; the strategy processes them and reports errors
        var requestData = context.Request.Headers;

        // Authenticate with the external service registry
        string authFailureReason;
        var authenticated = _HMACOptions.AuthStrategy.DoAuthentication(requestData, out authFailureReason);

        if (authenticated)
        {
            return Next.Invoke(context);
        }
        else
        {
            // Short-circuit: nothing further in the pipeline runs for this request
            context.Response.StatusCode = 401;
            context.Response.ReasonPhrase = "An error occurred authenticating via HMAC";

            return context.Response.WriteAsync(authFailureReason);
        }
    }
}

If HMAC auth doesn't work, I short-circuit the Owin pipeline and return immediately.

There are a few things I don't like about this implementation in its current form:

  • This applies to all Owin requests. What I really want is for it to apply only to WebApi routes. That way we can provide WebApi help pages that do not need authentication.
  • Is this really the right way to handle this? It looks like it should be an AuthenticationHandler, but I couldn't figure out how to do it, even when another authentication scheme is authenticated.

Side question: We have a WebApi version of this as a DelegatingHandler. That version can access the target method (i.e. if the route is /api/users/1, we can access the GET method of UserController) using the ControllerSelector and ActionSelector from the WebApi GlobalConfiguration. We can then inspect this method for custom attributes, which might affect the call we make in the HMAC Authenticator. Is there a way to do something like this in Owin?

+3
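An added example (editor's code, not the asker's project) of the OWIN half of the design the question sketches: a middleware that verifies an HMAC-SHA256 over method, path and timestamp, rejects stale or malformed signatures, records the calling system as a ClaimsIdentity, and is mounted with app.MapWhen so that only requests under /api go through it while help pages elsewhere stay open. The header names (X-Api-Key, X-Timestamp, X-Signature), the canonical string format, the "hmac.identity" environment key, the in-memory registry and the "billing-service" entry are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public interface IHmacAuthStrategy
{
    bool DoAuthentication(IOwinRequest request, out string failureReason);
}

// Stand-in for the internal service registry: API key -> shared secret (constructed data).
public class InMemoryHmacStrategy : IHmacAuthStrategy
{
    private const int WindowSeconds = 300;
    private readonly IDictionary<string, byte[]> _secrets;

    public InMemoryHmacStrategy(IDictionary<string, byte[]> secrets) { _secrets = secrets; }

    // Headers (assumed names): X-Api-Key, X-Timestamp (unix seconds) and
    // X-Signature = base64(HMAC-SHA256(secret, "METHOD\nPATH\nTIMESTAMP")).
    public bool DoAuthentication(IOwinRequest request, out string failureReason)
    {
        var apiKey = request.Headers.Get("X-Api-Key");
        var timestamp = request.Headers.Get("X-Timestamp");
        var signature = request.Headers.Get("X-Signature");
        if (apiKey == null || timestamp == null || signature == null) { failureReason = "Missing HMAC headers"; return false; }

        byte[] secret;
        if (!_secrets.TryGetValue(apiKey, out secret)) { failureReason = "Unknown API key"; return false; }

        long unix;
        if (!long.TryParse(timestamp, out unix) || Math.Abs(DateTimeOffset.UtcNow.ToUnixTimeSeconds() - unix) > WindowSeconds)
        { failureReason = "Timestamp outside the replay window"; return false; }

        byte[] presented;
        try { presented = Convert.FromBase64String(signature); }
        catch (FormatException) { failureReason = "Malformed signature"; return false; }

        // Method, path and timestamp are bound into the MAC so a captured signature
        // cannot be replayed against another route or after the window closes.
        var canonical = string.Format("{0}\n{1}\n{2}", request.Method, request.Path.Value, timestamp);
        byte[] expected;
        using (var hmac = new HMACSHA256(secret)) expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical));

        if (!FixedTimeEquals(expected, presented)) { failureReason = "Signature mismatch"; return false; }
        failureReason = null;
        return true;
    }

    // Constant-time compare: an early-exit comparison would leak the length of the matching prefix.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class HmacMiddleware : OwinMiddleware
{
    private readonly IHmacAuthStrategy _strategy;

    public HmacMiddleware(OwinMiddleware next, IHmacAuthStrategy strategy) : base(next) { _strategy = strategy; }

    public override Task Invoke(IOwinContext context)
    {
        string reason;
        if (!_strategy.DoAuthentication(context.Request, out reason))
        {
            context.Response.StatusCode = 401;
            context.Response.ReasonPhrase = "HMAC authentication failed";
            return context.Response.WriteAsync(reason);
        }
        // Record the calling system's identity for later checks; the bearer middleware
        // establishes the user separately. The "hmac.identity" key is an assumption.
        var caller = new ClaimsIdentity("HMAC");
        caller.AddClaim(new Claim("api_key", context.Request.Headers.Get("X-Api-Key")));
        context.Set("hmac.identity", caller);
        return Next.Invoke(context);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Constructed registry entry; a real deployment would query the service registry.
        var registry = new Dictionary<string, byte[]> { { "billing-service", Encoding.UTF8.GetBytes("constructed-shared-secret") } };

        // Branch the pipeline: only requests under /api pass through the HMAC check,
        // so WebApi help pages mounted elsewhere need no authentication.
        app.MapWhen(ctx => ctx.Request.Path.StartsWithSegments(new PathString("/api")), api =>
        {
            api.Use<HmacMiddleware>(new InMemoryHmacStrategy(registry));
            // api.UseOAuthBearerAuthentication(...) and api.UseWebApi(config) would follow here.
        });
    }
}
```

Two caveats a reviewer would raise: the canonical string here does not cover the request body, so a POST body could be swapped under a valid signature unless a body hash is added to it, and the timestamp window limits but does not eliminate replay; a per-key nonce cache is the usual addition. The middleware deliberately does not touch the OWIN user principal, so the OAuth bearer middleware that follows it still decides who the user is; the HMAC result is only a second fact about the request.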


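An added example (editor's code, not the asker's project) covering the two remaining points: requiring both schemes, and inspecting the target action for custom attributes. The AND is expressed as a WebApi AuthorizeAttribute, because that is the first point where both the bearer principal and the HMAC result exist and where the selected action descriptor is already known. It assumes an OWIN middleware earlier in the pipeline stored a ClaimsIdentity under the "hmac.identity" environment key with an "api_key" claim; the AllowedApiKey attribute, the key name and the UsersController are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical per-action marker: names which registered system may call the action.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class AllowedApiKeyAttribute : Attribute
{
    public string ApiKey { get; private set; }
    public AllowedApiKeyAttribute(string apiKey) { ApiKey = apiKey; }
}

// AND of the two schemes: the bearer principal (user) must be authenticated AND the
// identity stored by the HMAC middleware (software system) must be present.
public class RequireHmacAndBearerAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // 1. User identity, set by the OAuth bearer middleware.
        if (!base.IsAuthorized(actionContext)) return false;

        // 2. Caller identity, set by the HMAC OWIN middleware ("hmac.identity" is an assumed key).
        var caller = actionContext.Request.GetOwinContext().Get<ClaimsIdentity>("hmac.identity");
        if (caller == null || !caller.IsAuthenticated) return false;

        // 3. Per-action policy. The action descriptor is available here, unlike in OWIN
        //    middleware, which runs before WebApi has selected a controller or action.
        var allowed = actionContext.ActionDescriptor.GetCustomAttributes<AllowedApiKeyAttribute>().FirstOrDefault()
            ?? actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowedApiKeyAttribute>().FirstOrDefault();
        if (allowed == null) return true;

        var presented = caller.FindFirst("api_key");
        return presented != null && presented.Value == allowed.ApiKey;
    }
}

public class UsersController : ApiController
{
    // GET /api/users/1: needs a valid bearer token AND an HMAC from "billing-service".
    [RequireHmacAndBearer]
    [AllowedApiKey("billing-service")]
    public IHttpActionResult Get(int id)
    {
        return Ok(new { id, user = User.Identity.Name });
    }
}
```

Because AuthorizeAttribute returns 401 whenever IsAuthorized is false, a request that carries a good bearer token but reached the controller without passing the HMAC middleware (for example through a route mounted outside the /api branch) is still rejected, which is the gap a middleware-only design leaves open. Attribute lookup falls back from the action to the controller so a class-level AllowedApiKey applies to every action unless one overrides it.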