- Looks like you are using an MVC filter instead of a Web API filter. It can be detected in the sample because it uses
HttpContextBase
. Instead use the filter from theSystem.Web.Http.Filters
namespace. - You need to override OnAuthorization or OnAuthorizationAsync on the Web API filter.
- You don't need to register a global filter and decorate your controller with it. Registering it will make it run for all controllers.
Web API filter code: https://github.com/aspnetwebstack/aspnetwebstack/blob/master/src/System.Web.Http/Filters/AuthorizationFilterAttribute.cs