How to skip Basic Authentication on certain conditions in self-hosted server?


  • I have an ASP.NET web application, let's call it Web App A, that is self-hosted using OWIN and NancyFX.
  • Web App A uses Basic Authentication, which is set up in CustomBootstrapper.cs like this:
      pipelines.EnableBasicAuthentication(new BasicAuthenticationConfiguration(
          container.Resolve<IUserValidator>(),
          "MySpecificRealm"));
  • After querying the user for the username and password, Web App A calls an authentication REST API to validate the credentials and return a security token if they are valid.
  • I am being asked to make a subset of that app, let's call this subset Web App B, when a valid security token is specified in the URL instead of prompting for the credentials.
  • The following picture might help explain this: [image not included]
  • Per the usual, there are various modules in Web App A that call:
      this.RequiresAuthentication();

How can I bypass the authentication when a valid security token is passed as a parameter in the URL?


Solution

    1. You need to either add a parameter to a config file or use a conditional compilation symbol. Either of these will set a flag that you can then check to bypass the wiring up of the Basic Authentication in the pipelines and possibly the this.RequiresAuthentication().
    2. For those Nancy Modules that require authentication, add a required URL parameter to the incoming request for the caller to supply the security token.
    3. You are going to need the REST API to have a call that validates the security token, and you will need to call it and receive back the userName so you can create your IUserIdentity.
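
One way to wire steps 2 and 3 into the bootstrapper, as an added example that is not code from the original answer. It assumes Nancy 1.x (where `NancyContext.CurrentUser` is an `IUserIdentity`); `ITokenValidator`, `TokenIdentity` and the `token` parameter name are hypothetical. Basic Authentication stays enabled as the fallback, so a missing or rejected token still produces the normal credential prompt.

```csharp
using System.Collections.Generic;
using Nancy;
using Nancy.Authentication.Basic;
using Nancy.Bootstrapper;
using Nancy.Security;
using Nancy.TinyIoc;

// Hypothetical wrapper around the REST call from step 3:
// returns the user name for a valid token, or null if it is rejected.
public interface ITokenValidator
{
    string GetUserName(string token);
}

// Hypothetical identity type for token-authenticated callers.
public class TokenIdentity : IUserIdentity
{
    public string UserName { get; set; }
    public IEnumerable<string> Claims { get; set; }
}

public class CustomBootstrapper : DefaultNancyBootstrapper
{
    protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines)
    {
        base.ApplicationStartup(container, pipelines);

        // Existing Basic Authentication wiring, unchanged.
        pipelines.EnableBasicAuthentication(new BasicAuthenticationConfiguration(
            container.Resolve<IUserValidator>(), "MySpecificRealm"));

        var tokens = container.Resolve<ITokenValidator>();
        pipelines.BeforeRequest.AddItemToEndOfPipeline(ctx =>
        {
            // Basic credentials already accepted, or no token supplied: nothing to do.
            if (ctx.CurrentUser != null || !ctx.Request.Query.token.HasValue) return null;

            // Validate server-side on every request; never trust the token's mere presence.
            string userName = tokens.GetUserName((string)ctx.Request.Query.token);
            if (!string.IsNullOrEmpty(userName))
            {
                // RequiresAuthentication() passes once CurrentUser has a user name.
                ctx.CurrentUser = new TokenIdentity { UserName = userName, Claims = new string[0] };
            }
            return null; // continue the pipeline; an invalid token falls through to the 401 challenge
        });
    }
}
```

Because the token travels in the URL, it will appear in server access logs, browser history and Referer headers, so it should be short-lived and served only over HTTPS.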