
Controllers and API controllers security


Hi all.

I created an ASP.NET MVC5 web site that uses ASP.NET Identity for security. It allows the use of both local accounts and social accounts. It's a pretty out-of-the-box implementation of Identity.

I want to develop a companion App for the site, so I created some Web Api controllers that expose the basic services needed by the mobile App. I configured security for the Web Api with OAuth and bearer tokens, but I'm facing a small issue when using both (the site and the Web Api): If I try to call a method that requires authorization in the Web Api as an unauthenticated user, I don't get a 401 response, but instead I get a 200 response, with the login page.

Let me try to explain myself:

  • If (on the web site) I try to go to a controller that has the [Authorize] attribute, the site will redirect me to the login page, which is the expected behavior.
  • If I try to go to an ApiController (using Fiddler) that has the [Authorize] attribute, I don't get a 401 response, but instead I get redirected to the site's login page, so I get a 200 response with the login's page HTML code.

Am I missing something in the configuration on my site? This is the code for my ConfigureAuth method:

public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    #region OAuth authentication for the Web Api

    // Configure the application for OAuth based flow
    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
        //AllowInsecureHttp = true
    };
    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);

    #endregion

    #region Cookies for the Web site

    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a 
    // third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password 
            // or add an external login to your account.  
            OnValidateIdentity =
                SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    TimeSpan.FromMinutes(30),
                    (manager, user) =>
                        user.GenerateUserIdentityAsync(manager))
        }
    });

    #endregion

    app.UseTwitterAuthentication("00", "00");

    app.UseFacebookAuthentication("00", "00");

    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
    {
        ClientId = "00",
        ClientSecret = "00"
    });
}

Thanks a lot.
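The 200-with-login-page result described above comes from the cookie middleware, which turns every 401 into a 302 to LoginPath, including 401s raised by ApiControllers. The following is an added example, not code from the original post: it keeps the post's ConfigureAuth registrations (omitted here) and changes only the cookie provider so that redirects are skipped for requests under an assumed "/api" prefix, and it makes Web API authenticate with bearer tokens only instead of also trusting the site's cookie principal. Namespaces assumed: Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OAuth, System.Web.Http (Microsoft.AspNet.WebApi.Owin).

```csharp
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Assumption: all ApiControllers are routed under /api. Requests here must
    // get a 401 for the mobile client to handle, never a redirect to HTML.
    private static readonly PathString ApiPrefix = new PathString("/api");

    public void ConfigureAuth(IAppBuilder app)
    {
        // CreatePerOwinContext, external cookie, OAuthOptions / UseOAuthBearerTokens
        // and the social providers stay exactly as in the post and are omitted here.

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Default OnApplyRedirect sends every 401 to LoginPath, which is
                // what turned the API's 401 into a 200 with the login page HTML.
                // Only browser (non-API) requests are redirected; API requests
                // keep the 401 that [Authorize] produced.
                OnApplyRedirect = ctx =>
                {
                    if (!ctx.Request.Path.StartsWithSegments(ApiPrefix))
                        ctx.Response.Redirect(ctx.RedirectUri);
                }
            }
        });
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Discard the principal the host (cookie middleware) already set, so a
        // logged-in browser session cannot satisfy [Authorize] on the API, and
        // authenticate API requests with bearer tokens ("Bearer") only.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

        config.MapHttpAttributeRoutes();
    }
}
```

With this in place, an unauthenticated call to an [Authorize] ApiController from Fiddler returns 401 with a WWW-Authenticate: Bearer challenge, while MVC controllers still redirect to /Account/Login.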
