CSR uses WebAPI controller. If your OWIN setup supress the host authentication cookie (i.e. remove it), then your users will be unauthenticated when trying to access those controllers.
Sorry for the late feedback and thanks for your answer Quan!
It led me in the right direction.
To resolve my issue I had to add an additional HostAuthenticationFilter to handle cookies and bearer tokens using the following line:
I'm trying out the new beta of "Customer Service Representatives UI" but when fetching data from "https://..../EPiServer.Commerce.UI.CustomerService//countries" I get a 401 unauthorized response.
The user is a member of the CustomerServiceRepresentatives group and EPiBetaUsers and the feature-switch-config is set to "Enabled".
Is OWIN not supported for the CSR UI or have I simply done something wrong during the setup?
Have anybody else got this to work?