302 Redirect on 401

We have just discovered something we were not aware of which I would like to confirm as the default behaviour for a SS service.

Our service is pretty standard and we want to serve JSON responses by default. It has the AuthFeature configured with a custom AuthProvider that does PreAuthenticate with a bearer token in the Authorization header, like this one:

Authorization: Bearer XXXXXXXXXXXXXX.....

AuthFeature Configured like this

            appHost.Plugins.Add(new AuthFeature(() => new AuthUserSession(), new BearerTokenAuthProvider())
                IncludeAssignRoleServices = false,
                IncludeRegistrationService = false,

An external partner of ours calling our API: /api/banana. They first obtain a token from another API call to another service, and then they setup the Authorization header as above like this:

Authorization: bearer XXXXXXXXXXX....

The other thing they do is set the following header:

Accept: */*

They get a:

302 http://server/api/login?redirect=http://server/api/banana

With an HTML response

Now, if they change the Accept header to:

Accept: application/json

Or they remove the Accept header, they get:

401 and JSON response

Incidentally, if they change the Authorization header to:

Authorization: Bearer XXXXXXXXXXX....

(Notice the case of the Bearer prefix)
They get the JSON response from the API and a 200.
So, we have a bug in our AuthProvider that needs to deal with “Bearer” as well as “bearer” but that is on us.

Now, I have no control over what our client sends and I dont understand why they send:

 Accept: */*

Or what they intend by that, but we sure as hell dont want to be sending back a 302 redirect to a login endpoint we dont even have. And certainly not with a HTML response. We want to assume application/json response in all cases unles they ask for HTML explicitly.

So my question is: is this default behaviour? Is it intended to work like this? Why does Accept: */* result in a HTML response? If so, how would I have to configure my service to not redirect to a HTML login page? And just do the standard 401 and application/json response?

The AuthFeature by default includes a HtmlRedirect that defaults to /login route in order for unauthorized web requests to be redirected to a useful login page instead of end users seeing a Serialized Exception they have no idea about.

The Accept: */* says I accept anything which by default assumes a HTML response which treats it as a HTML Request and why the HtmlRedirect is applied for unauthorized requests.

You can remove the pre-defined HtmlRedirect with:

appHost.Plugins.Add(new AuthFeature(..) {
    HtmlRedirect = null

And if your Service doesn’t return HTML pages, you can change the default ContentType with:

SetConfig(new HostConfig {
    DefaultContentType = MimeTypes.Json,

Great, thanks.
Makes sense.