Simple Injector Registration ASP.NET identity & Web API

Question

There is some amount of confusion regarding usage of Asp .net and Identity when put together with Simple Injector. There are some articles about how OWIN is anti-pattern and how bad the asp .net basic template is!!

Regardless, the final issue as I understand is to make sure we inject the right dependencies while adhering to the OWIN request pipeline when a user identity token is being generated.

I am possibly not yet well versed with Simple Injector or OWIN, but I tried manually registering AccountController by overriding the simple injector registration.

Can some one confirm if the following code is correct? I can see that it works in Visual studio with Register and Login. I can get tokens and authenticate myself for different logins with the same process. But want to be sure if this is correct before using in a project.

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var container = new Container();
        container.Options.DefaultScopedLifestyle = new WebApiRequestLifestyle();
        container.RegisterWebApiControllers(GlobalConfiguration.Configuration);
        container.Options.AllowOverridingRegistrations = true;
        ApplicationUserManager um = new ApplicationUserManager(
            new UserStore<ApplicationUser>(new ApplicationDbContext()));
        SecureDataFormat<AuthenticationTicket> sdt = 
            new SecureDataFormat<AuthenticationTicket>(
                new TicketSerializer(), 
                new DpapiDataProtectionProvider().Create("ASP.NET Identity"), 
                TextEncodings.Base64);
        container.Register<AccountController>(
            () => new AccountController(um, sdt), Lifestyle.Singleton);
        container.Options.AllowOverridingRegistrations = false;

        container.Verify();
        app.Use(async (context, next) =>
        {
            using (container.BeginExecutionContextScope())
            {
                await next();
            }
        });
        GlobalConfiguration.Configuration.DependencyResolver =
            new SimpleInjectorWebApiDependencyResolver(container);
        ConfigureAuth(app);
    }

Answer 1

I see one error and that is that both your ApplicationDbContext and AccountController are becoming singletons. This might be something you wont notice during development, but this will cause problems in production. MVC will throw an exception when you reuse the same controller instance on a new request and the data in DbContext will become stale very quickly and a DbContext is not thread-safe. Instead, you can do the following:

var sdt = new SecureDataFormat<AuthenticationTicket>(
    new TicketSerializer(), 
    new DpapiDataProtectionProvider().Create("ASP.NET Identity"), 
    TextEncodings.Base64);

container.Options.AllowOverridingRegistrations = true;

container.Register<AccountController>(() => 
    new AccountController(
        new ApplicationUserManager(
            new UserStore<ApplicationUser>(new ApplicationDbContext())), 
        sdt),
    Lifestyle.Scoped);

container.Options.AllowOverridingRegistrations = false;