AuthenticateRequest vs PostAuthenticateRequest

I get questions every now and then why there are these two events and which one to use for what. The way I like to think about it:

  • If you change the IIdentity – use AuthenticateRequest.
  • If you change the IPrincipal – use PostAuthenticateRequest.

So – the built-in auth modules (Forms/Windows) establish a user identity, meaning they set Context.User.Identity – this is done in AuthenticateRequest. Another example would be when you implement your own auth mechanism (e.g. basic authentication against custom accounts).

Adding roles to an already established identity is done in PostAuthenticateRequest. RoleManager would be an example of a built-in functionality (and read this if you are doing stuff like that).

Following these rules, you achieve the best extensibility and pluggability.
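As an added example (not code from the original post), a hypothetical IHttpModule that follows the two rules: a constructed token lookup sets the IIdentity in AuthenticateRequest, and a constructed role lookup swaps in a new IPrincipal around that same identity in PostAuthenticateRequest. The header name, token and role data are assumptions for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical IHttpModule showing which event owns which step.
public class IdentityAndRolesModule : IHttpModule
{
    // Constructed sample data standing in for a real credential store and role store.
    private static readonly Dictionary<string, string> UsersByToken =
        new Dictionary<string, string> { { "tok-alice", "alice" } };
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]> { { "alice", new[] { "Reader", "Editor" } } };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;         // sets the IIdentity
        app.PostAuthenticateRequest += OnPostAuthenticateRequest; // replaces the IPrincipal
    }

    // AuthenticateRequest: establish who the caller is (Context.User.Identity).
    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Forms/Windows auth may already have run earlier in the pipeline;
        // never overwrite an identity another module has established.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;
        string token = ctx.Request.Headers["X-Example-Token"]; // hypothetical header
        if (token == null || !UsersByToken.TryGetValue(token, out string userName))
            return; // unknown credential: stay anonymous, authorization rejects later
        var identity = new GenericIdentity(userName, "ExampleToken");
        ctx.User = new GenericPrincipal(identity, new string[0]); // identity only, no roles yet
    }

    // PostAuthenticateRequest: enrich an identity that is already established.
    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Only decorate an authenticated identity; anonymous callers get no roles.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (!RolesByUser.TryGetValue(ctx.User.Identity.Name, out string[] roles)) roles = new string[0];
        var principal = new GenericPrincipal(ctx.User.Identity, roles); // same IIdentity, new IPrincipal
        ctx.User = principal;
        Thread.CurrentPrincipal = principal; // keep both views of the caller in sync
    }

    public void Dispose() { }
}
```

Because the role step checks IsAuthenticated rather than assuming a particular module ran first, it works unchanged whether the identity came from Forms, Windows or the custom token handler above.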

To follow Rich's great analogy – it is like the pirate guidelines in "The Pirates of the Caribbean" – you don't have to follow these guidelines, but it would be better if you do.
