c# - SuppressDefaultHostAuthentication in WebApi.Owin also suppressing authentication outside webapi

Question

I am running into a problem with a solution where I used parts from the Visual Studio SPA template for having the Account Controller in WebApi with Oauth Authentication.

  app.UseOAuthBearerTokens(OAuthOptions);

Then I in the owin webapi registration is doing

config.SuppressDefaultHostAuthentication(); 

but this also supresses the default cookie authentication outside the webapi environment. Is this the intention. If so, how can I set up WebApi to supress cookie authentication but its still active accross the environment for other requests?

Answer 1

It seems that it is a good practice, especially when you mix an OWIN-hosted app and a regular one on the same IIS dir, to setup WebApi with the app.Map.

    public void Configuration(IAppBuilder app)
    {
        var configuration = WebApiConfiguration.HttpConfiguration;
        app.Map("/api", inner =>
        {
            inner.UseWebApi(configuration);
        });
    }

I had all my controllers configured with a "api" prefix route, and I just moved that to the map function instead. Now webapi is running isolated and it works out with the rest of my application. Thanks @PinpointTownes for pointing me in this direction.