c# – 我是否必须在ApplyResponseChallengeAsync中检查响应状态

我曾经假设(是的,我知道,不好主意)只有在我真正需要应用我的挑战时才会调用ApplyResponseChallengeAsync – 例如它被描述为：

Override this method to dela(sic) with 401 challenge concerns,if an authentication scheme in question deals an authentication interaction as part of it’s request flow. (like adding a response header,or changing the 401 result to 302 of a login page or external sign-in location.)

这听起来只有在发出401时才会被调用.但是,在一些有限的测试中,我们看到一些例外如下：

System.Web.HttpException (0x80004005): Server cannot append header after HTTP headers have been sent.
at System.Web.HttpHeaderCollection.SetHeader(String name,String value,Boolean replace)
at Microsoft.Owin.Host.SystemWeb.CallHeaders.AspNetResponseHeaders.Set(String key,String[] values)
at Microsoft.Owin.Infrastructure.OwinHelpers.AppendHeader(IDictionary`2 headers,String key,String values)
at OurAuthHandler.ApplyResponseChallengeAsync()
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<ApplyResponseCoreAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<TeardownAsync>d__5.MoveNext()
--- And so on

因此,想要对此进行调查,我稍微更改了方法中的代码,以便我可以使用调试器来检查发生此异常的情况：

protected override Task ApplyResponseChallengeAsync()
{
    try
    {
        foreach (var uri in Options.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris)
        {
            Response.Headers.Append("WWW-Authenticate","Bearer realm="" + uri + """);
        }
        return base.ApplyResponseChallengeAsync();
    }
    catch
    {
        throw; //Set a breakpoint here
    }
}

而且,瞧,当我的断点被击中时,我看到响应状态代码是200 / OK.

问题

所以,问题是,我本来是要自己检查状态代码,是否有一些标志我必须通过/设置某处,以便这个方法只调用401s,或者我错过了其他的东西？