Tags: asp.net-web-api2, asp.net-authorization

web api: request with two authorization headers ends up with none


So I've made a test to see what happens when I make a request from Postman to my API with two authorization headers (schemes Basic and Bearer). I've created an authorization filter attribute:

using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RestrictAccessToAssignedManagers : AuthorizationFilterAttribute
{
    // Only one instance of this filter may be applied to an action/controller
    public override bool AllowMultiple
    {
        get { return false; }
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        //Perform your logic here
        base.OnAuthorization(actionContext);
    }
}

and assigned this attribute to my controller.

The problem is that when I'm using both authorizations, the Authorization header from the request is null inside my authorization filter.

Here is the request that I'm making from Postman: [screenshot]

And here is the request from fiddler:

GET http://localhost:2328/api/values HTTP/1.1
Host: localhost:2328
Connection: keep-alive
Authorization: Basic aaa, Bearer bbb
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
Postman-Token: 0f557417-d0b7-4ca9-7df7-1df1ea0049ad
Accept: */*
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8

My question is: why does using both authorization headers end up with none reaching my authorization filter attribute?


Solution

The issue is most likely how you are retrieving the header value. Using your Fiddler raw request, I was able to see the following:

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var authHeaders = actionContext.Request.Headers.GetValues("Authorization");
        // authHeaders = ["Basic aaa, Bearer bbb"]
    
        var authHeader = actionContext.Request.Headers.Authorization;
        // authHeader = null
    
        base.OnAuthorization(actionContext);
    }
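As an added example (not code from the question or the answer), here is a hypothetical filter that reads the raw header the way the answer does, rejects a request that folds more than one credential into the Authorization header instead of guessing which one to trust, and only then parses the single remaining credential with AuthenticationHeaderValue.TryParse. The class name, the allowed scheme list and the request property keys are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter (not from the question or the answer): reads the raw
// Authorization header, refuses ambiguous requests, then parses one credential.
public class SingleCredentialAuthorizationAttribute : AuthorizationFilterAttribute
{
    // Schemes this API is prepared to validate; assumed for the example.
    private static readonly string[] AllowedSchemes = { "Basic", "Bearer" };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        // Raw accessor: returns exactly what the client sent, even when the typed
        // request.Headers.Authorization property is null because the folded value
        // "Basic aaa, Bearer bbb" is not one parseable credential.
        IEnumerable<string> rawValues;
        if (!request.Headers.TryGetValues("Authorization", out rawValues))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }
        // Split folded values on ',' (safe for Basic and Bearer, whose credentials
        // are base64/b64token and never contain a comma; Digest would need a real parser).
        var credentials = rawValues
            .SelectMany(v => v.Split(','))
            .Select(v => v.Trim())
            .Where(v => v.Length > 0)
            .ToList();
        AuthenticationHeaderValue parsed;
        if (credentials.Count != 1
            || !AuthenticationHeaderValue.TryParse(credentials[0], out parsed)
            || !AllowedSchemes.Contains(parsed.Scheme))
        {
            // Two credentials is ambiguous: do not silently pick one, reject the request.
            actionContext.Response = request.CreateResponse(
                HttpStatusCode.BadRequest, "Exactly one supported Authorization credential is required.");
            return;
        }
        // Hand the parsed scheme and parameter to the rest of the pipeline (assumed keys).
        request.Properties["auth.scheme"] = parsed.Scheme;
        request.Properties["auth.parameter"] = parsed.Parameter;
    }
}
```

With the Fiddler request from the question, credentials contains two entries and the filter answers 400 rather than letting a null typed header fall through to downstream code.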