Returning 401 with Authenticate attribute when session.IsAuthenticated=true

I have a service which is called after a new user is registered (using a Custom CredentialsAuthProvider).

The first issue is that the user is not automatically set as authenticated once they are registered as a new user, and so I am having to set the session fields myself. Is there a better way to do this?

So then they are logged in. But then calls to subsequent REST service method are failing with 401. The method request DTO has the [Authenticate] attribute. However, if I remove the attribute and inspect the session once if gets to my code, I can see that IsAuthenticated = true.

I looked at the ServiceStack code for AuthenticateAttribute and it only seems to check that flag.

So my question. Is there anything else that I’ve missed that might cause the AuthenticateAttribute to think a session isn’t authenticated, even if that flag is set to true?


Not to answer your question but to say what I’m doing with similar concept:

Instead of having 2 authenticate mechanisms, I adopted only one and use the default authentication, so, soon the user logs in through /auth?Username=xxx&Password=yyy I fill up my CustomAuthSession with the user details as well permissions… so in the service I could simply do

public object Get(GetRequest request)
    var session = this.SessionAs<CustomAuthSession>;

I will have in session every details, including complex objects (as long as they can be serialized) that facilitates the use of the entire service…

It might not answer your question, but was just to let you know what I decided when I was in your current cross-road.

I’m doing something similar, taken from a StackOverflow question on how to manually authenticate a user.


		session.IsAuthenticated = true;
		session.UserAuthId = user.Id.ToString(CultureInfo.InvariantCulture);
		session.ProviderOAuthAccess = authrepo.GetUserAuthDetails(session.UserAuthId).ConvertAll(x => (IAuthTokens)x);

It just seems messy and a kludge.

On my original issue and after further investigation, it looks like there is another method IsAuthorized that fails if session.IsAuthenticated is false OR session.UserAuthName is blank.

Our CustomCredentialsProvider doesn’t use UserName, rather login is done with the Email field. It looks like this is what is causing the problem, so I’m also having to set session.UserAuthName to Email to make it work.

I’d appreciate any comment if anyone can think of a problem with the approach, or a better way.

I’m also not using UserName but only Email and Password… later on in the application, the user can change the DisplayName.

I use the a custom UserAuthRepository so I could, in the CreateUserAuth call do

newUser.PrimaryEmail = newUser.Email = newUser.UserName;

and remove the validation of the UserName in ValidateNewUser

if (!ValidUserNameRegEx.IsMatch(newUser.UserName))
    throw new ArgumentException("UserName contains invalid characters", "UserName");

So I could easily user UserName with an email address…

My CustomAuthUSerRepository has this base as I’m using Fluent NHibernate in the project…