How do I auto-fail uncredentialed Web Request rather than prompting for username/password?

Question

I have a local api that is making a secondary request to an external api for authentication purposes. Before the local api does its work, it is forwarding the request headers (which should include XHR authentication headers) to the authentication api via WebRequest. If the request doesn't fail (401 unauthorized), then the local api carries out its work. If the secondary request does throw, then I return unauthorized. This is all working --- Except when I make an uncredentialed request via my local api, the browser prompts me with the native Windows username/password login popup. If I make the same uncredentialed request directly against the secondary api rather than going through my local api, the request simply fails and I never get prompted. I want my local api to exhibit this same behavior:

• Credentialed or uncredentialed request comes in.
• Pass request headers over to secondary api for authentication.
• Request returns 200 (credentials are good) or 401 (credentials are bad or missing).

I've tried playing with request.PreAuthenticate and request.Credentials , but no values that I've tried seem to keep the popup from showing up.

// Create the authorization request object
string authUrl = @"https://auth-service-url.com/api/";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(authUrl);

// Relay any params from this request onto the outgoing authorization request
CopyHttpParameters(request);

// Retrieve the response
try {
    WebResponse response = request.GetResponse();
    // If GetResponse doesn't throw, then the user is authorized
    return Request.CreateResponse(HttpStatusCode.OK);
}
catch(Exception)
{
    // If GetResponse throws, then the user is unauthorized
    return Request.CreateResponse(HttpStatusCode.Unauthorized);
}

The CopyHttpParameters method above (based on this answer ) is not included, but it works. An incoming request with embedded XHR credentials succeeds as expected. It's the uncredentialed requests that are the problem, so for our purposes the CopyHttpParameters function call could be removed altogether. What I want is for the following try block to simply fail, without prompting the user to login. This is how the authUrl service above behaves when I hit it directly from the browser. How can I get this behavior when I make an uncredentialed WebRequest call?

Answer 1

The problem seems to be here:

return Request.CreateResponse(HttpStatusCode.Unauthorized);

This combined with windowsAuthentication in my applicationhost.config appears to be triggering the popup.

Adding the following to my Web.config seems to suppress the popup:

<location path="api">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>

The location block may not be necessary, but I didn't want to override the site-wide defaults just in case. This ensures that Windows authentication gets turned off just for my api route.

Now when I return Unauthorized , the request simply fails as expected.