Alternative to use HttpContext in System.Web for Owin

ASP.NET authentication is now based on OWIN middleware that can be used on any OWIN-based host. ASP.NET Identity does not have any dependency on System.Web.

I have an AuthorizeAttribute filter where I need to get the current user and add some properties to be retrieved later by action controllers.

The problem is that I have to use the HttpContext which belongs to System.Web. Is there any alternative of HttpContext for Owin?

public class WebApiAuthorizeAttribute : AuthorizeAttribute 
    public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)

        Guid userId = new Guid(HttpContext.Current.User.Identity.GetUserId());

        ApplicationUserManager manager = new ApplicationUserManager(new ApplicationUserStore(new ApplicationDbContext())) { PasswordHasher = new CustomPasswordHasher() };
        ApplicationUser user = await manager.FindByIdAsync(userId);

        actionContext.Request.Properties.Add("userId", user.LegacyUserId);

Note: I found this question, which seems a duplicate, but asks for a solution working for NancyFx project, which is not valid for me.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

You can use OwinRequestScopeContext. Which is doing exactly what you are looking for.

Method 2

This article gives me the solution:

Web API 2 introduced a new
RequestContext class that contains a Principal property. This is now
the proper location to look for the identity of the caller. This
replaces the prior mechanisms of Thread.CurrentPrincipal and/or
HttpContext.User. This is also what you would assign to if you are
writing code to authenticate the caller in Web API.

So just modifying the line:

Guid userId = new Guid(HttpContext.Current.User.Identity.GetUserId());

Guid userId = new Guid(actionContext.RequestContext.Principal.Identity.GetUserId());

now, the reference to System.Web is not needed anymore.

Method 3

After reading this. It seems to me that extending AuthorizeAttribute is still the way to go.
However, since HttpContext is IIS based, we want to avoid using it from now on.

There is a HttpActionContext got passed in. Then we could use




to get to the identity. All three will get you the same identity object.

and yes, OwinContext is available this way too.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x