I understand what OWIN is, and it is good, and generally that Katana is a Microsoft implementation of the standard in terms of the ASP.NET ecosystem.
I've also read that Katana has only so far been designed to work with WebApi and SignalR, since these take no dependency on System.Web. Cool.
However, a new ASP.NET MVC 5 project template does include some Katana stuff and references Microsoft.Owin.Host.SystemWeb and that's where I get confused.
"[SystemWeb] provides an OWIN server that runs in the ASP.NET request pipeline"
http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana
So, on IIS, does a request off the wire flow through the Owin pipeline before being routed to a WebApi action? And MVC actions, too? At what point in the pipeline does Owin sit?
Look at the following code from ChallengeResult.cs in the template:

    public Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        Request.GetOwinContext().Authentication.Challenge(LoginProvider);
        HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        response.RequestMessage = Request;
        return Task.FromResult(response);
    }

This appears to be talking to two pipelines; it tells the authentication middleware on the Owin pipeline to send a 401 challenge and then also returns a 401 via the normal response messaging system.
I'm sure it's simple, but I'm confused.
When you use Owin.Host.SystemWeb, you are injecting into the usual HttpModules pipeline an HttpModule meant to host the OWIN pipeline.
From the IIS/ASP.NET perspective, the OWIN pipeline will be executed in that context.
If you want to exercise finer control on what runs when, you can add specific stage markers that map to the traditional event sequence.
I recommend Prabu's article at:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-middleware-in-the-iis-integrated-pipeline
It gives a very nice overview of the process.
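
The stage markers mentioned in the answer, as an added example that is not part of the original answer or the project template: a Startup class that traces which IIS integrated-pipeline event each OWIN middleware runs in when hosted by Microsoft.Owin.Host.SystemWeb. The `StageDemo` namespace, the `TraceStage` helper and the middleware labels are hypothetical names chosen for illustration.

```csharp
using System.Diagnostics;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Owin;

[assembly: OwinStartup(typeof(StageDemo.Startup))]

namespace StageDemo   // hypothetical namespace for this example
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Middleware registered before a stage marker runs at the marked
            // IIS event; here, AuthenticateRequest.
            app.Use((context, next) =>
            {
                TraceStage("identity middleware");
                return next.Invoke();
            });
            app.UseStageMarker(PipelineStage.Authenticate);

            // No marker follows this one, so it runs at the default stage,
            // PreHandlerExecute, just before the MVC or Web API handler.
            app.Use((context, next) =>
            {
                TraceStage("late middleware");
                return next.Invoke();
            });
        }

        private static void TraceStage(string name)
        {
            // CurrentNotification is the IIS integrated-pipeline event that is
            // executing while this OWIN middleware runs.
            Trace.WriteLine(name + " ran at IIS event: "
                + HttpContext.Current.CurrentNotification);
        }
    }
}
```

The trace output shows the first middleware at AuthenticateRequest and the second at PreRequestHandlerExecute, which is why identity-setting middleware needs an early stage marker if ASP.NET authorization is to see the identity it establishes.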