- Home>
- authentication middleware
Sometimes ago, I was confused about the role of the Authentication middleware in an ASP.NET core web API that does not authenticate an user. It makes sense to me that you need to use the Authentication middleware if your web application handles the authentication. Specifically, I did not understand why you need to use Authentication middleware if your app is a web API that does not handle authentication. For instance, my web API performs token validation but it does not authenticate a user. Authentication handling is part of the client application which implements OpenID implicit flow to authenticate the user and obtains authorization to access the web API. I believed I only needed the Authorization middleware so that I can annotate the endpoints I want to protect with the [Authorized]
attribute. The document states
The
Authentication Middleware and servicesUseAuthentication
method adds a single authentication middleware component, which is responsible for automatic authentication and the handling of remote authentication requests.
So if my web API does not handle authentication, why do I still need to call UseAuthentication to add the middleware?