I am trying to integrate OpenIddict into a traditional ASP.NET app consisting of MVC as well as WebApi controllers.
Access to MVC is authenticated via FormsAuthentication, WebApi is authenticated via message handlers for Basic Auth and one for an API key.
For OpenIddict to work I have to get WebApi running on top of OWIN by adding the line app.UseWebApi() as this post suggests.
When I do that all MVC routes are also routed through the WebApi message handlers which causes a basic auth login dialog to come up when I try to access the frontend of the app (MVC route).
Without app.UseWebApi() MVC routes do not go through the handlers and the app works as expected.
Can someone explain why this is so? And, if there is the possibility to get back the desired behaviour but with keeping app.UseWebApi() activated?
What I tried:
- I commented out
app.UseWebApi()solely -> The app works again as expected. - I kept
app.UseWebApi()but took out the message handlers -> Access to MVC routes possible without basic auth coming up. - I cross-checked again that without
app.UseWebApi()the message handlers are not called and they arent.
All in all app.UseWebApi() seems to be causing that MVC requests are sent through WebApi. But why and how to shut that off?