If you make a request to a REST service and are not logged in, ASP.NET 5 Identity by default returns a 302 redirect to the login page. This is great if you are visiting the URL of a controller directly. If you make an Ajax request to a specific REST API and are not logged in, however, you are also redirected to the login page, and instead of the content of the API you get the content of the login page itself, probably without even noticing it right away.
So for API calls, e.g. $http requests using AngularJS, I would prefer a 401 Unauthorized status code. With the redirect, only the Ajax call itself gets redirected, while the URL in the browser remains the same. This means you won’t see that there is an “authentication problem”, and you are not redirected to the login page.
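Until the API answers with a 401, the client can detect the silent redirect by checking where the response actually came from. This is an added example, not code from the original article; the login path `/account/login`, the `app.example` URLs and the function name are assumptions.

```javascript
// Added example (not from the original article). LOGIN_PATH is an assumption:
// the article does not name the login URL, so adjust it to your application.
const LOGIN_PATH = '/account/login';

// Classify a completed Ajax response. `res` is a plain object holding the
// fields fetch() exposes (status, url, redirected) plus the Content-Type
// header; with XMLHttpRequest the final URL is available as xhr.responseURL.
function classifyApiResponse(requestUrl, res) {
  if (res.status === 401) return 'unauthorized';

  const base = 'http://placeholder.invalid'; // only used for relative URLs
  const requested = new URL(requestUrl, base);
  const finalUrl = new URL(res.url || requestUrl, base);
  const movedAway = res.redirected === true ||
    finalUrl.pathname !== requested.pathname;

  // The browser follows the 302 itself, so the caller only sees the 200 of
  // the login page. The final URL is the reliable signal.
  if (movedAway && finalUrl.pathname.toLowerCase().startsWith(LOGIN_PATH)) {
    return 'login-redirect';
  }

  // Fallback: a JSON API that answers with HTML is not answering as the API.
  const type = (res.contentType || '').toLowerCase();
  if (res.status === 200 && !type.includes('json')) return 'not-json';

  return res.status >= 200 && res.status < 300 ? 'ok' : 'error';
}

// Constructed sample responses for GET /api/orders.
const API_URL = 'https://app.example/api/orders';
const SAMPLES = {
  loggedIn: { status: 200, redirected: false, url: API_URL,
    contentType: 'application/json; charset=utf-8' },
  loggedOut: { status: 200, redirected: true,
    url: 'https://app.example/Account/Login?ReturnUrl=%2Fapi%2Forders',
    contentType: 'text/html; charset=utf-8' },
  api401: { status: 401, redirected: false, url: API_URL, contentType: '' },
};

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, '->', classifyApiResponse(API_URL, res));
}
```

Treat `login-redirect` and `not-json` the same way as `unauthorized` in the caller, so an expired session never ends up with login-page HTML parsed as API data.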
In this article I will demonstrate how to restrict controller access to users that have already logged in. In the second part I will show how to do authentication using a REST Controller.
In order to restrict access to a controller, you only have to add the Authorize attribute to the controller, as shown below.
After adding this attribute, all consumers of this REST service that are not logged in will get a 302 redirect to the default login location. I will demonstrate how this location and behavior can be modified in a future article.