diff --git a/NuGetGallery.sln b/NuGetGallery.sln
index cbf88d09bd..d9cb388b81 100644
--- a/NuGetGallery.sln
+++ b/NuGetGallery.sln
@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 2013
-VisualStudioVersion = 12.0.20827.3
+VisualStudioVersion = 12.0.21005.1
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = ".nuget", ".nuget", "{96E4AFF8-D3A1-4102-ADCF-05F186F916A9}"
 	ProjectSection(SolutionItems) = preProject
@@ -36,10 +36,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.FunctionalTest
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.FunctionalTests.Helpers", "tests\NuGetGallery.FunctionalTests.Helpers\NuGetGallery.FunctionalTests.Helpers.csproj", "{8FB56455-C688-44AE-95F1-48FFCB199BFE}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.Monitoring", "src\NuGetGallery.Monitoring\NuGetGallery.Monitoring.csproj", "{DFF0089E-4918-4A12-992B-B9DD2C070B0F}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NuGetGallery.Monitoring.Azure", "src\NuGetGallery.Monitoring.Azure\NuGetGallery.Monitoring.Azure.csproj", "{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}"
-EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|x64 = Debug|x64
@@ -136,42 +132,6 @@ Global
 		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x64.Build.0 = Release|Any CPU
 		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x86.ActiveCfg = Release|Any CPU
 		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x86.Build.0 = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x64.Build.0 = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Debug|x86.Build.0 = Debug|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x64.ActiveCfg = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x64.Build.0 = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x86.ActiveCfg = Release|Any CPU
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F}.Release|x86.Build.0 = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x64.Build.0 = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Debug|x86.Build.0 = Debug|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x64.ActiveCfg = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x64.Build.0 = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x86.ActiveCfg = Release|Any CPU
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB}.Release|x86.Build.0 = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Any CPU.Build.0 = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|Mixed Platforms.Build.0 = Release|Any CPU
-		{0A6B1A52-4D26-4946-9DDD-416D01A1ADBF}.Release|x86.ActiveCfg = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Any CPU.Build.0 = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|Mixed Platforms.Build.0 = Release|Any CPU
-		{8FB56455-C688-44AE-95F1-48FFCB199BFE}.Release|x86.ActiveCfg = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -184,7 +144,5 @@ Global
 		{4405C24C-7F57-4826-831F-D5D7E139F02E} = {B9B19787-DCC0-489E-9173-36A32C6B6848}
 		{DBECF66B-8F2F-4B32-9143-E243BAFF12DF} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
 		{F240D1BC-BBFB-4F22-9DF8-3FDE36BFD665} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
-		{DFF0089E-4918-4A12-992B-B9DD2C070B0F} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
-		{6569F5ED-1DB6-433C-8C7F-E96C7B8E54BB} = {2ECA1159-9B9D-4D65-95AF-F14337FD3DA6}
 	EndGlobalSection
 EndGlobal
diff --git a/build/Enable-LocalTestMe.ps1 b/build/Enable-LocalTestMe.ps1
index f99598adda..92f890b37b 100644
--- a/build/Enable-LocalTestMe.ps1
+++ b/build/Enable-LocalTestMe.ps1
@@ -1,31 +1,90 @@
-param([switch]$Force, [string]$Subdomain="nuget")
+param([string]$Subdomain="nuget", [string]$SiteName = "NuGet Gallery", [string]$SitePhysicalPath, [string]$MakeCertPath, [string]$AppCmdPath)
 
 if(!(([Security.Principal.WindowsPrincipal]([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator"))) {
     throw "This script must be run as an admin."
 }
 
-$WebSite = Resolve-Path (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) "..\Website")
+if(!$SitePhysicalPath) {
+    $ScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path;
+    $SitePhysicalPath = Join-Path $ScriptRoot "..\src\NuGetGallery"
+}
+if(!(Test-Path $SitePhysicalPath)) {
+    throw "Could not find site at $SitePhysicalPath. Use -SitePhysicalPath argument to specify the path."
+}
+$SitePhysicalPath = Convert-Path $SitePhysicalPath
 
-# Enable access to the necessary URLs
-netsh http add urlacl url=http://nuget.localtest.me:80/ user=Everyone
-netsh http add urlacl url=https://nuget.localtest.me:443/ user=Everyone
+# Find Windows SDK
+if(!$MakeCertPath) {
+    $SDKVersion = dir 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows' | 
+        where { $_.PSChildName -match "v(?<ver>\d+\.\d+)" } | 
+        foreach { New-Object System.Version $($matches["ver"]) } |
+        sort -desc |
+        select -first 1
+    if(!$SDKVersion) {
+        throw "Could not find Windows SDK. Please install the Windows SDK before running this script, or use -MakeCertPath to specify the path to makecert.exe"
+    }
+    $SDKRegKey = (Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v$SDKVersion")
+    $WinSDKDir = $SDKRegKey.InstallationFolder
+    $xArch = "x86"
+    if($env:PROCESSOR_ARCHITECTURE -eq "AMD64") {
+        $xArch = "x64"
+    }
+    $MakeCertPath = Join-Path $WinSDKDir "bin\$xArch\makecert.exe"
+}
 
-$IISExpressDir = "$env:ProgramFiles\IIS Express"
-if(!(Test-Path $IISExpressDir)) {
-    throw "Can't find IIS Express in $IISExpressDir"
+if(!(Test-Path $MakeCertPath)) {
+    throw "Could not find makecert.exe in $MakeCertPath!"
 }
-$AppCmd = "$IISExpressDir\appcmd.exe"
 
-$sites = @(&$AppCmd list site "NuGet Gallery ($Subdomain.localtest.me)")
-if($sites.Length -gt 0) {
-    if($Force) {
-        &$AppCmd delete site "NuGet Gallery ($Subdomain.localtest.me)"
+# Find IIS Express
+if(!$AppCmdPath) {
+    $IISXVersion = dir 'HKLM:\Software\Microsoft\IISExpress' | 
+        foreach { New-Object System.Version ($_.PSChildName) } |
+        sort -desc |
+        select -first 1
+    if(!$IISXVersion) {
+        throw "Could not find IIS Express. Please install IIS Express before running this script, or use -AppCmdPath to specify the path to appcmd.exe for your IIS environment"
+    }
+    $IISRegKey = (Get-ItemProperty "HKLM:\Software\Microsoft\IISExpress\$IISXVersion")
+    $IISExpressDir = $IISRegKey.InstallPath
+    if(!(Test-Path $IISExpressDir)) {
+        throw "Can't find IIS Express in $IISExpressDir. Please install IIS Express"
+    }
+    $AppCmdPath = "$IISExpressDir\appcmd.exe"
+}
+
+if(!(Test-Path $AppCmdPath)) {
+    throw "Could not find appcmd.exe in $AppCmdPath!"
+}
+
+function Invoke-Netsh() {
+    $argStr = $([String]::Join(" ", $args))
+    Write-Verbose "netsh $argStr"
+    $result = netsh @args
+    $parsed = [Regex]::Match($result, ".*Error: (\d+).*")
+    if($parsed.Success) {
+        $err = $parsed.Groups[1].Value
+        if($err -ne "183") {
+            throw $result
+        }
     } else {
-       throw "You already have a site named `"NuGet Gallery ($Subdomain.localtest.me)`". Remove it manually or use -Force to have this command auto-remove it"
+        Write-Host $result
     }
 }
 
-&$AppCmd add site /name:"NuGet Gallery ($Subdomain.localtest.me)" /bindings:"http://$Subdomain.localtest.me:80,https://$Subdomain.localtest.me:443" /physicalPath:$WebSite
+# Enable access to the necessary URLs
+Invoke-Netsh http add urlacl "url=http://$Subdomain.localtest.me:80/" user=Everyone
+Invoke-Netsh http add urlacl "url=https://$Subdomain.localtest.me:443/" user=Everyone
+
+
+$SiteFullName = "$SiteName ($Subdomain.localtest.me)"
+$sites = @(&$AppCmdPath list site $SiteFullName)
+if($sites.Length -gt 0) {
+    Write-Warning "Site '$SiteFullName' already exists. Deleting and recreating."
+    &$AppCmdPath delete site "$SiteFullName"
+}
+
+&$AppCmdPath add site /name:"$SiteFullName" /bindings:"http://$Subdomain.localtest.me:80,https://$Subdomain.localtest.me:443" /physicalPath:$SitePhysicalPath
 
 # Check for a cert
 $cert = @(dir -l "Cert:\CurrentUser\Root" | where {$_.Subject -eq "CN=$Subdomain.localtest.me"})
@@ -36,7 +95,7 @@ if($cert.Length -eq 0) {
 if($cert.Length -eq 0) {
     Write-Host "Generating a Self-Signed SSL Certificate for $Subdomain.localtest.me"
     # Generate one
-    & makecert -r -pe -n "CN=$Subdomain.localtest.me" -b `"$([DateTime]::Now.ToString("MM/dd/yyy"))`" -e `"$([DateTime]::Now.AddYears(10).ToString("MM/dd/yyy"))`" -eku 1.3.6.1.5.5.7.3.1 -ss root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
+    & $MakeCertPath -r -pe -n "CN=$Subdomain.localtest.me" -b `"$([DateTime]::Now.ToString("MM/dd/yyy"))`" -e `"$([DateTime]::Now.AddYears(10).ToString("MM/dd/yyy"))`" -eku 1.3.6.1.5.5.7.3.1 -ss root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
     $cert = @(dir -l "Cert:\LocalMachine\Root" | where {$_.Subject -eq "CN=$Subdomain.localtest.me"})
 }
 
@@ -47,7 +106,6 @@ if($cert.Length -eq 0) {
 Write-Host "Using SSL Certificate: $($cert.Thumbprint)"
 
 # Set the Certificate
-netsh http add sslcert hostnameport="$Subdomain.localtest.me:443" certhash="$($cert.Thumbprint)" certstorename=Root appid="{$([Guid]::NewGuid().ToString())}"
+Invoke-Netsh http add sslcert hostnameport="$Subdomain.localtest.me:443" certhash="$($cert.Thumbprint)" certstorename=Root appid="{$([Guid]::NewGuid().ToString())}"
 
-Write-Host "Ready! All you have to do now is go to your Website project properties and set 'http://$Subdomain.localtest.me' as your Project URL"
-Write-Host "To use SSL, set the IISExpressSSLPort MSBuild property in your Website.csproj.user to 443"
\ No newline at end of file
+Write-Host "Ready! All you have to do now is go to your website project properties and set 'http://$Subdomain.localtest.me' as your Project URL!"
\ No newline at end of file
diff --git a/src/NuGetGallery.Core/Entities/EntitiesContext.cs b/src/NuGetGallery.Core/Entities/EntitiesContext.cs
index 60abfab867..1978ceebc1 100644
--- a/src/NuGetGallery.Core/Entities/EntitiesContext.cs
+++ b/src/NuGetGallery.Core/Entities/EntitiesContext.cs
@@ -30,6 +30,7 @@ public EntitiesContext()
         public IDbSet<CuratedFeed> CuratedFeeds { get; set; }
         public IDbSet<CuratedPackage> CuratedPackages { get; set; }
         public IDbSet<PackageRegistration> PackageRegistrations { get; set; }
+        public IDbSet<Credential> Credentials { get; set; }
         public IDbSet<User> Users { get; set; }
 
         IDbSet<T> IEntitiesContext.Set<T>()
diff --git a/src/NuGetGallery.Core/Entities/IEntitiesContext.cs b/src/NuGetGallery.Core/Entities/IEntitiesContext.cs
index 3a18c9b9c5..065f24b924 100644
--- a/src/NuGetGallery.Core/Entities/IEntitiesContext.cs
+++ b/src/NuGetGallery.Core/Entities/IEntitiesContext.cs
@@ -7,6 +7,7 @@ public interface IEntitiesContext
         IDbSet<CuratedFeed> CuratedFeeds { get; set; }
         IDbSet<CuratedPackage> CuratedPackages { get; set; }
         IDbSet<PackageRegistration> PackageRegistrations { get; set; }
+        IDbSet<Credential> Credentials { get; set; }
         IDbSet<User> Users { get; set; }
         int SaveChanges();
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1716:IdentifiersShouldNotMatchKeywords", MessageId = "Set", Justification="This is to match the EF terminology.")]
diff --git a/src/NuGetGallery.Core/Entities/User.cs b/src/NuGetGallery.Core/Entities/User.cs
index d57613fbb9..0dce5df133 100644
--- a/src/NuGetGallery.Core/Entities/User.cs
+++ b/src/NuGetGallery.Core/Entities/User.cs
@@ -13,6 +13,7 @@ public User() : this(null)
         public User(string username)
         {
             Credentials = new List<Credential>();
+            Roles = new List<Role>();
             Username = username;
         }
 
diff --git a/src/NuGetGallery/ApiController.generated.cs b/src/NuGetGallery/ApiController.generated.cs
index e1eff9b642..df9ced635b 100644
--- a/src/NuGetGallery/ApiController.generated.cs
+++ b/src/NuGetGallery/ApiController.generated.cs
@@ -89,25 +89,22 @@ public class ViewNames {
     public class T4MVC_ApiController: NuGetGallery.ApiController {
         public T4MVC_ApiController() : base(Dummy.Instance) { }
 
-        public override System.Web.Mvc.ActionResult VerifyPackageKey(string apiKey, string id, string version) {
+        public override System.Web.Mvc.ActionResult VerifyPackageKey(string id, string version) {
             var callInfo = new T4MVC_ActionResult(Area, Name, ActionNames.VerifyPackageKey);
-            callInfo.RouteValueDictionary.Add("apiKey", apiKey);
             callInfo.RouteValueDictionary.Add("id", id);
             callInfo.RouteValueDictionary.Add("version", version);
             return callInfo;
         }
 
-        public override System.Web.Mvc.ActionResult DeletePackage(string apiKey, string id, string version) {
+        public override System.Web.Mvc.ActionResult DeletePackage(string id, string version) {
             var callInfo = new T4MVC_ActionResult(Area, Name, ActionNames.DeletePackage);
-            callInfo.RouteValueDictionary.Add("apiKey", apiKey);
             callInfo.RouteValueDictionary.Add("id", id);
             callInfo.RouteValueDictionary.Add("version", version);
             return callInfo;
         }
 
-        public override System.Web.Mvc.ActionResult PublishPackage(string apiKey, string id, string version) {
+        public override System.Web.Mvc.ActionResult PublishPackage(string id, string version) {
             var callInfo = new T4MVC_ActionResult(Area, Name, ActionNames.PublishPackage);
-            callInfo.RouteValueDictionary.Add("apiKey", apiKey);
             callInfo.RouteValueDictionary.Add("id", id);
             callInfo.RouteValueDictionary.Add("version", version);
             return callInfo;
diff --git a/src/NuGetGallery/App_Start/AppActivator.cs b/src/NuGetGallery/App_Start/AppActivator.cs
index a51b4f83f0..21d66280c8 100644
--- a/src/NuGetGallery/App_Start/AppActivator.cs
+++ b/src/NuGetGallery/App_Start/AppActivator.cs
@@ -1,5 +1,7 @@
 using System;
 using System.Data.Entity;
+using System.Security.Claims;
+using System.Web.Helpers;
 using System.Web.Mvc;
 using System.Web.Optimization;
 using System.Web.Routing;
@@ -30,6 +32,8 @@ public static class AppActivator
 
         public static void PreStart()
         {
+            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
+
             NinjectPreStart();
             ElmahPreStart();
             GlimpsePreStart();
@@ -101,7 +105,6 @@ private static void AppPostStart()
             GlobalFilters.Filters.Add(new ElmahHandleErrorAttribute());
             GlobalFilters.Filters.Add(new ReadOnlyModeErrorFilter());
             GlobalFilters.Filters.Add(new AntiForgeryErrorFilter());
-            GlobalFilters.Filters.Add(new RequireRemoteHttpsAttribute() { OnlyWhenAuthenticated = true });
             ValueProviderFactories.Factories.Add(new HttpHeaderValueProviderFactory());
         }
 
diff --git a/src/NuGetGallery/App_Start/AuthenticationModule.cs b/src/NuGetGallery/App_Start/AuthenticationModule.cs
deleted file mode 100644
index 9def43507d..0000000000
--- a/src/NuGetGallery/App_Start/AuthenticationModule.cs
+++ /dev/null
@@ -1,46 +0,0 @@
-using System;
-using System.Security.Principal;
-using System.Threading;
-using System.Web;
-using System.Web.Security;
-using Microsoft.Web.Infrastructure.DynamicModuleHelper;
-using NuGetGallery;
-
-[assembly: WebActivator.PreApplicationStartMethod(typeof(AuthenticationModule), "Start")]
-
-namespace NuGetGallery
-{
-    public class AuthenticationModule : IHttpModule
-    {
-        public void Init(HttpApplication context)
-        {
-            context.AuthenticateRequest += OnAuthenticateRequest;
-        }
-
-        public void Dispose()
-        {
-        }
-
-        public static void Start()
-        {
-            DynamicModuleUtility.RegisterModule(typeof(AuthenticationModule));
-        }
-
-        private void OnAuthenticateRequest(object sender, EventArgs e)
-        {
-            var context = HttpContext.Current;
-            var request = HttpContext.Current.Request;
-            if (request.IsAuthenticated)
-            {
-                HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
-                if (authCookie != null)
-                {
-                    FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
-                    var roles = authTicket.UserData.Split('|');
-                    var user = new GenericPrincipal(context.User.Identity, roles);
-                    context.User = Thread.CurrentPrincipal = user;
-                }
-            }
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/NuGetGallery/App_Start/ContainerBindings.cs b/src/NuGetGallery/App_Start/ContainerBindings.cs
index 089cfd7085..1167f3f0a9 100644
--- a/src/NuGetGallery/App_Start/ContainerBindings.cs
+++ b/src/NuGetGallery/App_Start/ContainerBindings.cs
@@ -222,6 +222,12 @@ private void ConfigureForLocalFileSystem()
             Bind<IFileStorageService>()
                 .To<FileSystemFileStorageService>()
                 .InSingletonScope();
+
+            // Ninject is doing some weird things with constructor selection without these.
+            // Anyone requesting an IReportService or IStatisticsService should be prepared
+            // to receive null anyway.
+            Bind<IReportService>().ToConstant(NullReportService.Instance);
+            Bind<IStatisticsService>().ToConstant(NullStatisticsService.Instance);
         }
 
         private void ConfigureForAzureStorage(ConfigurationService configuration)
diff --git a/src/NuGetGallery/App_Start/OwinStartup.cs b/src/NuGetGallery/App_Start/OwinStartup.cs
new file mode 100644
index 0000000000..be07b9a465
--- /dev/null
+++ b/src/NuGetGallery/App_Start/OwinStartup.cs
@@ -0,0 +1,50 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using Owin;
+using Ninject;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Extensions;
+using Microsoft.Owin.Diagnostics;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Cookies;
+using NuGetGallery.Authentication;
+using NuGetGallery.Configuration;
+
+[assembly: OwinStartup(typeof(NuGetGallery.OwinStartup))]
+
+namespace NuGetGallery
+{
+    public class OwinStartup
+    {
+        // This method is auto-detected by the OWIN pipeline. DO NOT RENAME IT!
+        public static void Configuration(IAppBuilder app)
+        {
+            // Get config
+            var config = Container.Kernel.Get<ConfigurationService>();
+            var cookieSecurity = config.Current.RequireSSL ? CookieSecureOption.Always : CookieSecureOption.Never;
+
+            // Configure logging
+            app.SetLoggerFactory(new DiagnosticsLoggerFactory());
+
+            if (config.Current.RequireSSL)
+            {
+                // Put a middleware at the top of the stack to force the user over to SSL
+                // if authenticated.
+                app.UseForceSslWhenAuthenticated(config.Current.SSLPort);
+            }
+
+            app.UseCookieAuthentication(new CookieAuthenticationOptions()
+            {
+                AuthenticationType = AuthenticationTypes.Password,
+                AuthenticationMode = AuthenticationMode.Active,
+                CookieHttpOnly = true,
+                CookieSecure = cookieSecurity,
+                LoginPath = "/users/account/LogOn"
+            });
+            app.UseApiKeyAuthentication();
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/ApiKeyAuthenticationExtensions.cs b/src/NuGetGallery/Authentication/ApiKeyAuthenticationExtensions.cs
new file mode 100644
index 0000000000..02ebd41e41
--- /dev/null
+++ b/src/NuGetGallery/Authentication/ApiKeyAuthenticationExtensions.cs
@@ -0,0 +1,29 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using NuGetGallery.Authentication;
+using Microsoft.Owin.Extensions;
+
+namespace Owin
+{
+    public static class ApiKeyAuthenticationExtensions
+    {
+        public static IAppBuilder UseApiKeyAuthentication(this IAppBuilder self)
+        {
+            return UseApiKeyAuthentication(self, new ApiKeyAuthenticationOptions());
+        }
+
+        public static IAppBuilder UseApiKeyAuthentication(this IAppBuilder self, ApiKeyAuthenticationOptions options)
+        {
+            if (self == null)
+            {
+                throw new ArgumentNullException("self");
+            }
+
+            self.Use(typeof(ApiKeyAuthenticationMiddleware), self, options);
+            self.UseStageMarker(PipelineStage.Authenticate);
+            return self;
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/ApiKeyAuthenticationHandler.cs b/src/NuGetGallery/Authentication/ApiKeyAuthenticationHandler.cs
new file mode 100644
index 0000000000..bf35e9708d
--- /dev/null
+++ b/src/NuGetGallery/Authentication/ApiKeyAuthenticationHandler.cs
@@ -0,0 +1,89 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Infrastructure;
+
+namespace NuGetGallery.Authentication
+{
+    public class ApiKeyAuthenticationHandler : AuthenticationHandler<ApiKeyAuthenticationOptions>
+    {
+        protected ILogger Logger { get; set; }
+        protected AuthenticationService Auth { get; set; }
+
+        internal ApiKeyAuthenticationHandler() { }
+        public ApiKeyAuthenticationHandler(ILogger logger, AuthenticationService auth)
+        {
+            Logger = logger;
+            Auth = auth;
+        }
+
+        protected override async Task ApplyResponseChallengeAsync()
+        {
+            string message = GetChallengeMessage();
+
+            if (message != null)
+            {
+                Response.ReasonPhrase = message;
+                Response.Write(message);
+            }
+            else
+            {
+                await base.ApplyResponseChallengeAsync();
+            }
+        }
+
+        internal string GetChallengeMessage()
+        {
+            string message = null;
+            if (Response.StatusCode == 401 && (Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode) != null))
+            {
+                var apiKey = Request.Headers[Options.ApiKeyHeaderName];
+                message = Strings.ApiKeyRequired;
+                if (!String.IsNullOrEmpty(apiKey))
+                {
+                    // Had an API key, but it wasn't valid
+                    message = Strings.ApiKeyNotAuthorized;
+                }
+
+            }
+            return message;
+        }
+
+        protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
+        {
+            var apiKey = Request.Headers[Options.ApiKeyHeaderName];
+            if (!String.IsNullOrEmpty(apiKey))
+            {
+                // Get the user
+                var authUser = Auth.Authenticate(CredentialBuilder.CreateV1ApiKey(apiKey));
+                if (authUser != null)
+                {
+                    // Set the current user
+                    Context.Set(Constants.CurrentUserOwinEnvironmentKey, authUser);
+
+                    return Task.FromResult(
+                        new AuthenticationTicket(
+                            AuthenticationService.CreateIdentity(
+                                authUser.User, 
+                                AuthenticationTypes.ApiKey, 
+                                new Claim(NuGetClaims.ApiKey, apiKey)),
+                            new AuthenticationProperties()));
+                }
+                else
+                {
+                    Logger.WriteWarning("No match for API Key!");
+                }
+            }
+            else
+            {
+                Logger.WriteVerbose("No API Key Header found in request.");
+            }
+            return Task.FromResult<AuthenticationTicket>(null);
+        }
+    }
+}
diff --git a/src/NuGetGallery/Authentication/ApiKeyAuthenticationMiddleware.cs b/src/NuGetGallery/Authentication/ApiKeyAuthenticationMiddleware.cs
new file mode 100644
index 0000000000..681a72756b
--- /dev/null
+++ b/src/NuGetGallery/Authentication/ApiKeyAuthenticationMiddleware.cs
@@ -0,0 +1,30 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using System.Web.Mvc;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security.Infrastructure;
+using Owin;
+
+namespace NuGetGallery.Authentication
+{
+    public class ApiKeyAuthenticationMiddleware : AuthenticationMiddleware<ApiKeyAuthenticationOptions>
+    {
+        private ILogger _logger;
+
+        public ApiKeyAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app, ApiKeyAuthenticationOptions options)
+            : base(next, options)
+        {
+            _logger = app.CreateLogger<ILogger>();
+        }
+
+        protected override AuthenticationHandler<ApiKeyAuthenticationOptions> CreateHandler()
+        {
+            return new ApiKeyAuthenticationHandler(
+                _logger,
+                DependencyResolver.Current.GetService<AuthenticationService>());
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/ApiKeyAuthenticationOptions.cs b/src/NuGetGallery/Authentication/ApiKeyAuthenticationOptions.cs
new file mode 100644
index 0000000000..99803f9c27
--- /dev/null
+++ b/src/NuGetGallery/Authentication/ApiKeyAuthenticationOptions.cs
@@ -0,0 +1,20 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using Microsoft.Owin.Security;
+
+namespace NuGetGallery.Authentication
+{
+    public class ApiKeyAuthenticationOptions : AuthenticationOptions
+    {
+        public string ApiKeyHeaderName { get; set; }
+        public string ApiKeyClaim { get; set; }
+        public string RootPath { get; set; }
+
+        public ApiKeyAuthenticationOptions() : base(AuthenticationTypes.ApiKey) {
+            ApiKeyHeaderName = Constants.ApiKeyHeaderName;
+            ApiKeyClaim = NuGetClaims.ApiKey;
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/AuthenticatedUser.cs b/src/NuGetGallery/Authentication/AuthenticatedUser.cs
new file mode 100644
index 0000000000..4930d3e144
--- /dev/null
+++ b/src/NuGetGallery/Authentication/AuthenticatedUser.cs
@@ -0,0 +1,29 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+
+namespace NuGetGallery.Authentication
+{
+    public class AuthenticatedUser
+    {
+        public User User { get; private set; }
+        public Credential CredentialUsed { get; private set; }
+
+        public AuthenticatedUser(User user, Credential cred)
+        {
+            if (user == null)
+            {
+                throw new ArgumentNullException("user");
+            }
+
+            if (cred == null)
+            {
+                throw new ArgumentNullException("cred");
+            }
+            
+            User = user;
+            CredentialUsed = cred;
+        }
+    }
+}
diff --git a/src/NuGetGallery/Authentication/AuthenticationService.cs b/src/NuGetGallery/Authentication/AuthenticationService.cs
new file mode 100644
index 0000000000..e2df02c538
--- /dev/null
+++ b/src/NuGetGallery/Authentication/AuthenticationService.cs
@@ -0,0 +1,391 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Web;
+using NuGetGallery.Diagnostics;
+using System.Data.Entity;
+using System.Globalization;
+using Microsoft.Owin;
+using System.Security.Claims;
+using NuGetGallery.Configuration;
+using Microsoft.Owin.Security;
+
+namespace NuGetGallery.Authentication
+{
+    public class AuthenticationService
+    {
+        public IEntitiesContext Entities { get; private set; }
+        public IAppConfiguration Config { get; private set; }
+        private IDiagnosticsSource Trace { get; set; }
+
+        protected AuthenticationService() { }
+
+        public AuthenticationService(IEntitiesContext entities, IAppConfiguration config, IDiagnosticsService diagnostics)
+        {
+            Entities = entities;
+            Config = config;
+            Trace = diagnostics.SafeGetSource("AuthenticationService");
+        }
+
+        public virtual AuthenticatedUser Authenticate(string userNameOrEmail, string password)
+        {
+            using (Trace.Activity("Authenticate:" + userNameOrEmail))
+            {
+                var user = FindByUserNameOrEmail(userNameOrEmail);
+
+                // Check if the user exists
+                if (user == null)
+                {
+                    Trace.Information("No such user: " + userNameOrEmail);
+                    return null;
+                }
+
+                // Validate the password
+                Credential matched;
+                if (!ValidatePasswordCredential(user.Credentials, password, out matched))
+                {
+                    Trace.Information("Password validation failed: " + userNameOrEmail);
+                    return null;
+                }
+
+                var passwordCredentials = user
+                    .Credentials
+                    .Where(c => c.Type.StartsWith(CredentialTypes.Password.Prefix, StringComparison.OrdinalIgnoreCase))
+                    .ToList();
+                if (passwordCredentials.Count > 1 || !passwordCredentials.Any(c => String.Equals(c.Type, CredentialTypes.Password.Pbkdf2, StringComparison.OrdinalIgnoreCase)))
+                {
+                    MigrateCredentials(user, passwordCredentials, password);
+                }
+
+                // Return the result
+                Trace.Verbose("Successfully authenticated '" + user.Username + "' with '" + matched.Type + "' credential");
+                return new AuthenticatedUser(user, matched);
+            }
+        }
+
+        public virtual AuthenticatedUser Authenticate(Credential credential)
+        {
+            if (credential.Type.StartsWith(CredentialTypes.Password.Prefix, StringComparison.OrdinalIgnoreCase))
+            {
+                // Password credentials cannot be used this way.
+                throw new ArgumentException(Strings.PasswordCredentialsCannotBeUsedHere, "credential");
+            }
+
+            using (Trace.Activity("Authenticate Credential: " + credential.Type))
+            {
+                var matched = FindMatchingCredential(credential);
+
+                if (matched == null)
+                {
+                    Trace.Information("No user matches credential of type: " + credential.Type);
+                    return null;
+                }
+
+                Trace.Verbose("Successfully authenticated '" + matched.User.Username + "' with '" + matched.Type + "' credential");
+                return new AuthenticatedUser(matched.User, matched);
+            }
+        }
+
+        public virtual void CreateSession(IOwinContext owinContext, User user, string authenticationType)
+        {
+            // Create a claims identity for the session
+            ClaimsIdentity identity = CreateIdentity(user, authenticationType);
+
+            // Issue the session token
+            owinContext.Authentication.SignIn(identity);
+        }
+
+        public virtual AuthenticatedUser Register(string username, string password, string emailAddress)
+        {
+            var existingUser = Entities.Users
+                .FirstOrDefault(u => u.Username == username || u.EmailAddress == emailAddress);
+            if (existingUser != null)
+            {
+                if (String.Equals(existingUser.Username, username, StringComparison.OrdinalIgnoreCase))
+                {
+                    throw new EntityException(Strings.UsernameNotAvailable, username);
+                }
+                else
+                {
+                    throw new EntityException(Strings.EmailAddressBeingUsed, emailAddress);
+                }
+            }
+
+            var hashedPassword = CryptographyService.GenerateSaltedHash(password, Constants.PBKDF2HashAlgorithmId);
+
+            var apiKey = Guid.NewGuid();
+            var newUser = new User(username)
+            {
+                ApiKey = apiKey,
+                EmailAllowed = true,
+                UnconfirmedEmailAddress = emailAddress,
+                EmailConfirmationToken = CryptographyService.GenerateToken(),
+                HashedPassword = hashedPassword,
+                PasswordHashAlgorithm = Constants.PBKDF2HashAlgorithmId,
+                CreatedUtc = DateTime.UtcNow
+            };
+
+            // Add a credential for the password and the API Key
+            var passCred = new Credential(CredentialTypes.Password.Pbkdf2, newUser.HashedPassword);
+            newUser.Credentials.Add(CredentialBuilder.CreateV1ApiKey(apiKey));
+            newUser.Credentials.Add(passCred);
+
+            if (!Config.ConfirmEmailAddresses)
+            {
+                newUser.ConfirmEmailAddress();
+            }
+
+            Entities.Users.Add(newUser);
+            Entities.SaveChanges();
+
+            return new AuthenticatedUser(newUser, passCred);
+        }
+
+        public virtual void ReplaceCredential(string username, Credential credential)
+        {
+            var user = Entities
+                .Users
+                .Include(u => u.Credentials)
+                .SingleOrDefault(u => u.Username == username);
+            if (user == null)
+            {
+                throw new InvalidOperationException(Strings.UserNotFound);
+            }
+            ReplaceCredential(user, credential);
+        }
+
+        public virtual void ReplaceCredential(User user, Credential credential)
+        {
+            ReplaceCredentialInternal(user, credential);
+            Entities.SaveChanges();
+        }
+
+        public virtual bool ResetPasswordWithToken(string username, string token, string newPassword)
+        {
+            if (String.IsNullOrEmpty(newPassword))
+            {
+                throw new ArgumentNullException("newPassword");
+            }
+
+            var user = Entities
+                .Users
+                .Include(u => u.Credentials)
+                .SingleOrDefault(u => u.Username == username);
+
+            if (user != null && String.Equals(user.PasswordResetToken, token, StringComparison.Ordinal) && !user.PasswordResetTokenExpirationDate.IsInThePast())
+            {
+                if (!user.Confirmed)
+                {
+                    throw new InvalidOperationException(Strings.UserIsNotYetConfirmed);
+                }
+
+                ReplaceCredentialInternal(user, CredentialBuilder.CreatePbkdf2Password(newPassword));
+                user.PasswordResetToken = null;
+                user.PasswordResetTokenExpirationDate = null;
+                Entities.SaveChanges();
+                return true;
+            }
+
+            return false;
+        }
+
+        public virtual bool ChangePassword(string username, string oldPassword, string newPassword)
+        {
+            // Review: If the old password is hashed using something other than PBKDF2, we end up making an extra db call that changes the old hash password.
+            // This operation is rare enough that I'm not inclined to change it.
+            var authUser = Authenticate(username, oldPassword);
+            if (authUser == null)
+            {
+                return false;
+            }
+
+            var cred = CredentialBuilder.CreatePbkdf2Password(newPassword);
+            ReplaceCredentialInternal(authUser.User, cred);
+            Entities.SaveChanges();
+            return true;
+        }
+
+        public virtual User GeneratePasswordResetToken(string usernameOrEmail, int expirationInMinutes)
+        {
+            if (String.IsNullOrEmpty(usernameOrEmail))
+            {
+                throw new ArgumentNullException("usernameOrEmail");
+            }
+            if (expirationInMinutes < 1)
+            {
+                throw new ArgumentException(
+                    "Token expiration should give the user at least a minute to change their password", "expirationInMinutes");
+            }
+
+            var user = FindByUserNameOrEmail(usernameOrEmail);
+            if (user == null)
+            {
+                return null;
+            }
+
+            if (!user.Confirmed)
+            {
+                throw new InvalidOperationException(Strings.UserIsNotYetConfirmed);
+            }
+
+            if (!String.IsNullOrEmpty(user.PasswordResetToken) && !user.PasswordResetTokenExpirationDate.IsInThePast())
+            {
+                return user;
+            }
+
+            user.PasswordResetToken = CryptographyService.GenerateToken();
+            user.PasswordResetTokenExpirationDate = DateTime.UtcNow.AddMinutes(expirationInMinutes);
+
+            Entities.SaveChanges();
+            return user;
+        }
+
+        public static ClaimsIdentity CreateIdentity(User user, string authenticationType, params Claim[] additionalClaims)
+        {
+            var claims = Enumerable.Concat(new[] {
+                new Claim(ClaimsIdentity.DefaultNameClaimType, user.Username),
+                new Claim(ClaimTypes.AuthenticationMethod, authenticationType),
+
+                // Needed for anti-forgery token, also good practice to have a unique identifier claim
+                new Claim(ClaimTypes.NameIdentifier, user.Username)
+            }, user.Roles.Select(r => new Claim(ClaimsIdentity.DefaultRoleClaimType, r.Name)));
+
+            if (additionalClaims.Length > 0)
+            {
+                claims = Enumerable.Concat(claims, additionalClaims);
+            }
+
+            ClaimsIdentity identity = new ClaimsIdentity(
+                claims,
+                authenticationType,
+                nameType: ClaimsIdentity.DefaultNameClaimType,
+                roleType: ClaimsIdentity.DefaultRoleClaimType);
+            return identity;
+        }
+
+        private void ReplaceCredentialInternal(User user, Credential credential)
+        {
+            // Find the credentials we're replacing, if any
+            var creds = user.Credentials
+                .Where(cred =>
+                    // If we're replacing a password credential, remove ALL password credentials
+                    (credential.Type.StartsWith(CredentialTypes.Password.Prefix, StringComparison.OrdinalIgnoreCase) &&
+                     cred.Type.StartsWith(CredentialTypes.Password.Prefix, StringComparison.OrdinalIgnoreCase)) ||
+                    cred.Type == credential.Type)
+                .ToList();
+            foreach (var cred in creds)
+            {
+                user.Credentials.Remove(cred);
+                Entities.DeleteOnCommit(cred);
+            }
+
+            user.Credentials.Add(credential);
+        }
+
+        private Credential FindMatchingCredential(Credential credential)
+        {
+            var results = Entities
+                .Set<Credential>()
+                .Include(u => u.User)
+                .Include(u => u.User.Roles)
+                .Where(c => c.Type == credential.Type && c.Value == credential.Value)
+                .ToList();
+
+            if (results.Count == 0)
+            {
+                return null;
+            }
+            else if (results.Count == 1)
+            {
+                return results[0];
+            }
+            else
+            {
+                // Don't put the credential itself in trace, but do put the Key for lookup later.
+                string message = String.Format(
+                    CultureInfo.CurrentCulture,
+                    Strings.MultipleMatchingCredentials,
+                    credential.Type,
+                    results.First().Key);
+                Trace.Error(message);
+                throw new InvalidOperationException(message);
+            }
+        }
+
+        private User FindByUserNameOrEmail(string userNameOrEmail)
+        {
+            var users = Entities
+                .Users
+                .Include(u => u.Credentials)
+                .Include(u => u.Roles);
+
+            var user = users.SingleOrDefault(u => u.Username == userNameOrEmail);
+            if (user == null)
+            {
+                var allMatches = users
+                    .Where(u => u.EmailAddress == userNameOrEmail)
+                    .Take(2)
+                    .ToList();
+
+                if (allMatches.Count == 1)
+                {
+                    user = allMatches[0];
+                }
+                else
+                {
+                    // If multiple matches, leave it null to signal no unique email address
+                    Trace.Warning("Multiple user accounts with email address: " + userNameOrEmail + " found: " + String.Join(", ", allMatches.Select(u => u.Username)));
+                }
+            }
+            return user;
+        }
+
+        public static bool ValidatePasswordCredential(IEnumerable<Credential> creds, string password, out Credential matched)
+        {
+            matched = creds.FirstOrDefault(c => ValidatePasswordCredential(c, password));
+            return matched != null;
+        }
+
+        private static readonly Dictionary<string, Func<string, Credential, bool>> _validators = new Dictionary<string, Func<string, Credential, bool>>(StringComparer.OrdinalIgnoreCase) {
+            { CredentialTypes.Password.Pbkdf2, (password, cred) => CryptographyService.ValidateSaltedHash(cred.Value, password, Constants.PBKDF2HashAlgorithmId) },
+            { CredentialTypes.Password.Sha1, (password, cred) => CryptographyService.ValidateSaltedHash(cred.Value, password, Constants.Sha1HashAlgorithmId) }
+        };
+
+        public static bool ValidatePasswordCredential(Credential cred, string password)
+        {
+            Func<string, Credential, bool> validator;
+            if (!_validators.TryGetValue(cred.Type, out validator))
+            {
+                return false;
+            }
+            return validator(password, cred);
+        }
+
+        private void MigrateCredentials(User user, List<Credential> creds, string password)
+        {
+            var toRemove = creds.Where(c =>
+                !String.Equals(
+                    c.Type,
+                    CredentialTypes.Password.Pbkdf2,
+                    StringComparison.OrdinalIgnoreCase))
+                .ToList();
+
+            // Remove any non PBKDF2 credentials
+            foreach (var cred in toRemove)
+            {
+                creds.Remove(cred);
+                user.Credentials.Remove(cred);
+            }
+
+            // Now add one if there are no credentials left
+            if (creds.Count == 0)
+            {
+                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password(password));
+            }
+
+            // Save changes, if any
+            Entities.SaveChanges();
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/AuthenticationTypes.cs b/src/NuGetGallery/Authentication/AuthenticationTypes.cs
new file mode 100644
index 0000000000..7caa64e046
--- /dev/null
+++ b/src/NuGetGallery/Authentication/AuthenticationTypes.cs
@@ -0,0 +1,13 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+
+namespace NuGetGallery.Authentication
+{
+    public static class AuthenticationTypes
+    {
+        public static readonly string Password = "password";
+        public static readonly string ApiKey = "apikey";
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/ForceSslWhenAuthenticatedMiddleware.cs b/src/NuGetGallery/Authentication/ForceSslWhenAuthenticatedMiddleware.cs
new file mode 100644
index 0000000000..19ac1fd4d3
--- /dev/null
+++ b/src/NuGetGallery/Authentication/ForceSslWhenAuthenticatedMiddleware.cs
@@ -0,0 +1,104 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using System.Web;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using NuGetGallery.Configuration;
+using Owin;
+
+namespace NuGetGallery.Authentication
+{
+    public class ForceSslWhenAuthenticatedMiddleware : OwinMiddleware
+    {
+        public static readonly string DefaultCookieName = ".ForceSsl";
+
+        private readonly ILogger _logger;
+        public string CookieName { get; private set; }
+        public int SslPort { get; private set; }
+
+        public ForceSslWhenAuthenticatedMiddleware(OwinMiddleware next, IAppBuilder app, string cookieName, int sslPort)
+            : base(next)
+        {
+            CookieName = cookieName;
+            SslPort = sslPort;
+            _logger = app.CreateLogger<ForceSslWhenAuthenticatedMiddleware>();
+        }
+
+        public override async Task Invoke(IOwinContext context)
+        {
+            // Check for the SSL Cookie
+            var forceSSL = context.Request.Cookies[CookieName];
+            if (!String.IsNullOrEmpty(forceSSL) && !context.Request.IsSecure)
+            {
+                _logger.WriteVerbose("Force SSL Cookie found. Redirecting to SSL");
+                // Presence of the cookie is all we care about, value is ignored
+                context.Response.Redirect(new UriBuilder(context.Request.Uri)
+                {
+                    Scheme = Uri.UriSchemeHttps,
+                    Port = SslPort
+                }.Uri.AbsoluteUri);
+            }
+            else
+            {
+                // Invoke the rest of the pipeline
+                await Next.Invoke(context);
+
+                var cookieOptions = new CookieOptions() { HttpOnly = true };
+                if (context.Authentication.AuthenticationResponseGrant != null)
+                {
+                    _logger.WriteVerbose("Auth Grant found, writing Force SSL cookie");
+                    // We're granting new authentication, so drop a force ssl cookie
+                    // for later.
+                    context.Response.Cookies.Append(CookieName, "true", cookieOptions);
+                }
+                else if (context.Authentication.AuthenticationResponseRevoke != null)
+                {
+                    _logger.WriteVerbose("Auth Revoke found, removing Force SSL cookie");
+                    // We're revoking authentication, so remove the force ssl cookie
+                    context.Response.Cookies.Delete(CookieName, new CookieOptions()
+                    {
+                        HttpOnly = true
+                    });
+                }
+            }
+        }
+    }
+}
+
+namespace Owin {
+    using NuGetGallery.Authentication;
+
+    public static class ForceSslWhenAuthenticatedExtensions
+    {
+        public static IAppBuilder UseForceSslWhenAuthenticated(this IAppBuilder self)
+        {
+            return UseForceSslWhenAuthenticated(
+                self,
+                ForceSslWhenAuthenticatedMiddleware.DefaultCookieName,
+                443);
+        }
+
+        public static IAppBuilder UseForceSslWhenAuthenticated(this IAppBuilder self, int sslPort)
+        {
+            return UseForceSslWhenAuthenticated(
+                self,
+                ForceSslWhenAuthenticatedMiddleware.DefaultCookieName,
+                sslPort);
+        }
+
+        public static IAppBuilder UseForceSslWhenAuthenticated(this IAppBuilder self, string cookieName)
+        {
+            return UseForceSslWhenAuthenticated(
+                self,
+                cookieName,
+                443);
+        }
+
+        public static IAppBuilder UseForceSslWhenAuthenticated(this IAppBuilder self, string cookieName, int sslPort)
+        {
+            return self.Use(typeof(ForceSslWhenAuthenticatedMiddleware), self, cookieName, sslPort);
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Authentication/NuGetClaims.cs b/src/NuGetGallery/Authentication/NuGetClaims.cs
new file mode 100644
index 0000000000..75bd67339a
--- /dev/null
+++ b/src/NuGetGallery/Authentication/NuGetClaims.cs
@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+
+namespace NuGetGallery.Authentication
+{
+    public static class NuGetClaims
+    {
+        public static readonly string ApiKey = "https://claims.nuget.org/apikey";
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Constants.cs b/src/NuGetGallery/Constants.cs
index 4ed65b3b45..2700cfbf96 100644
--- a/src/NuGetGallery/Constants.cs
+++ b/src/NuGetGallery/Constants.cs
@@ -35,6 +35,10 @@ public static class Constants
         public const string UrlValidationRegEx = @"(https?):\/\/[^ ""]+$";
         public const string UrlValidationErrorMessage = "This doesn't appear to be a valid HTTP/HTTPS URL";
 
+        public static readonly string ApiKeyHeaderName = "X-NuGet-ApiKey";
+        public static readonly string ReturnUrlParameterName = "ReturnUrl";
+        public static readonly string CurrentUserOwinEnvironmentKey = "nuget.user";
+
         public static class ContentNames
         {
             public static readonly string FrontPageAnnouncement = "FrontPage-Announcement";
diff --git a/src/NuGetGallery/Controllers/ApiController.cs b/src/NuGetGallery/Controllers/ApiController.cs
index 779b5d77b0..993568f9c3 100644
--- a/src/NuGetGallery/Controllers/ApiController.cs
+++ b/src/NuGetGallery/Controllers/ApiController.cs
@@ -7,10 +7,12 @@
 using System.Linq;
 using System.Net;
 using System.Threading.Tasks;
+using System.Web;
 using System.Web.Mvc;
 using System.Web.UI;
 using Newtonsoft.Json.Linq;
 using NuGet;
+using NuGetGallery.Authentication;
 using NuGetGallery.Filters;
 using NuGetGallery.Packaging;
 
@@ -26,7 +28,7 @@ public partial class ApiController : AppController
         public IStatisticsService StatisticsService { get; set; }
         public IContentService ContentService { get; set; }
         public IIndexingService IndexingService { get; set; }
-
+        
         protected ApiController() { }
 
         public ApiController(
@@ -62,8 +64,8 @@ public ApiController(
             StatisticsService = statisticsService;
         }
 
-        [ActionName("GetPackageApi")]
         [HttpGet]
+        [ActionName("GetPackageApi")]
         public virtual async Task<ActionResult> GetPackage(string id, string version)
         {
             // some security paranoia about URL hacking somehow creating e.g. open redirects
@@ -122,21 +124,21 @@ public virtual async Task<ActionResult> GetPackage(string id, string version)
                 catch (SqlException e)
                 {
                     // Log the error and continue
-                    QuietlyLogException(e);
+                    QuietLog.LogHandledException(e);
                 }
                 catch (DataException e)
                 {
                     // Log the error and continue
-                    QuietlyLogException(e);
+                    QuietLog.LogHandledException(e);
                 }
             }
             catch (SqlException e)
             {
-                QuietlyLogException(e);
+                QuietLog.LogHandledException(e);
             }
             catch (DataException e)
             {
-                QuietlyLogException(e);
+                QuietLog.LogHandledException(e);
             }
             
             // Fall back to constructing the URL based on the package version and ID.
@@ -160,9 +162,10 @@ public virtual Task<ActionResult> GetNuGetExe()
         }
 
         [HttpGet]
+        [RequireSsl]
+        [ApiAuthorize]
         [ActionName("VerifyPackageKeyApi")]
-        [ApiKeyAuthorize]
-        public virtual ActionResult VerifyPackageKey(string apiKey, string id, string version)
+        public virtual ActionResult VerifyPackageKey(string id, string version)
         {
             if (!String.IsNullOrEmpty(id))
             {
@@ -174,10 +177,10 @@ public virtual ActionResult VerifyPackageKey(string apiKey, string id, string ve
                         HttpStatusCode.NotFound, String.Format(CultureInfo.CurrentCulture, Strings.PackageWithIdAndVersionNotFound, id, version));
                 }
 
-                var user = GetUserByApiKey(apiKey);
-                if (user == null || !package.IsOwner(user))
+                var user = GetCurrentUser();
+                if (!package.IsOwner(user))
                 {
-                    return new HttpStatusCodeWithBodyResult(HttpStatusCode.Forbidden, String.Format(CultureInfo.CurrentCulture, Strings.ApiKeyNotAuthorized, "push"));
+                    return new HttpStatusCodeWithBodyResult(HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized);
                 }
             }
 
@@ -185,27 +188,28 @@ public virtual ActionResult VerifyPackageKey(string apiKey, string id, string ve
         }
 
         [HttpPut]
+        [RequireSsl]
+        [ApiAuthorize]
         [ActionName("PushPackageApi")]
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
-        [ApiKeyAuthorize]
-        public virtual Task<ActionResult> CreatePackagePut(string apiKey)
+        public virtual Task<ActionResult> CreatePackagePut()
         {
-            var user = GetUserByApiKey(apiKey);
-            return CreatePackageInternal(user);
+            return CreatePackageInternal();
         }
 
         [HttpPost]
+        [RequireSsl]
+        [ApiAuthorize]
         [ActionName("PushPackageApi")]
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
-        [ApiKeyAuthorize]
-        public virtual Task<ActionResult> CreatePackagePost(string apiKey)
+        public virtual Task<ActionResult> CreatePackagePost()
         {
-            var user = GetUserByApiKey(apiKey);
-            return CreatePackageInternal(user);
+            return CreatePackageInternal();
         }
 
-        private async Task<ActionResult> CreatePackageInternal(User user)
+        private async Task<ActionResult> CreatePackageInternal()
         {
+            // Get the user
+            var user = GetCurrentUser();
+
             using (var packageToPush = ReadPackageFromRequest())
             {
                 // Ensure that the user can push packages for this partialId.
@@ -254,10 +258,10 @@ private async Task<ActionResult> CreatePackageInternal(User user)
         }
 
         [HttpDelete]
+        [RequireSsl]
+        [ApiAuthorize]
         [ActionName("DeletePackageApi")]
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
-        [ApiKeyAuthorize]
-        public virtual ActionResult DeletePackage(string apiKey, string id, string version)
+        public virtual ActionResult DeletePackage(string id, string version)
         {
             var package = PackageService.FindPackageByIdAndVersion(id, version);
             if (package == null)
@@ -266,17 +270,11 @@ public virtual ActionResult DeletePackage(string apiKey, string id, string versi
                     HttpStatusCode.NotFound, String.Format(CultureInfo.CurrentCulture, Strings.PackageWithIdAndVersionNotFound, id, version));
             }
 
-            User user = GetUserByApiKey(apiKey);
-            if (user == null)
-            {
-                return new HttpStatusCodeWithBodyResult(
-                    HttpStatusCode.Forbidden, String.Format(CultureInfo.CurrentCulture, Strings.ApiKeyNotAuthorized, "delete"));
-            }
-
+            var user = GetCurrentUser();
             if (!package.IsOwner(user))
             {
                 return new HttpStatusCodeWithBodyResult(
-                    HttpStatusCode.Forbidden, String.Format(CultureInfo.CurrentCulture, Strings.ApiKeyNotAuthorized, "delete"));
+                    HttpStatusCode.Forbidden, Strings.ApiKeyNotAuthorized);
             }
 
             PackageService.MarkPackageUnlisted(package);
@@ -285,10 +283,10 @@ public virtual ActionResult DeletePackage(string apiKey, string id, string versi
         }
 
         [HttpPost]
+        [RequireSsl]
+        [ApiAuthorize]
         [ActionName("PublishPackageApi")]
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
-        [ApiKeyAuthorize]
-        public virtual ActionResult PublishPackage(string apiKey, string id, string version)
+        public virtual ActionResult PublishPackage(string id, string version)
         {
             var package = PackageService.FindPackageByIdAndVersion(id, version);
             if (package == null)
@@ -297,13 +295,7 @@ public virtual ActionResult PublishPackage(string apiKey, string id, string vers
                     HttpStatusCode.NotFound, String.Format(CultureInfo.CurrentCulture, Strings.PackageWithIdAndVersionNotFound, id, version));
             }
 
-            User user = GetUserByApiKey(apiKey);
-            if (user == null)
-            {
-                return new HttpStatusCodeWithBodyResult(
-                    HttpStatusCode.Forbidden, String.Format(CultureInfo.CurrentCulture, Strings.ApiKeyNotAuthorized, "publish"));
-            }
-
+            User user = GetCurrentUser();
             if (!package.IsOwner(user))
             {
                 return new HttpStatusCodeWithBodyResult(HttpStatusCode.Forbidden, String.Format(CultureInfo.CurrentCulture, Strings.ApiKeyNotAuthorized, "publish"));
@@ -354,8 +346,8 @@ protected internal virtual INupkg ReadPackageFromRequest()
             return new Nupkg(stream, leaveOpen: false);
         }
 
-        [ActionName("PackageIDs")]
         [HttpGet]
+        [ActionName("PackageIDs")]
         public virtual ActionResult GetPackageIds(string partialId, bool? includePrerelease)
         {
             var query = GetService<IPackageIdsQuery>();
@@ -366,8 +358,8 @@ public virtual ActionResult GetPackageIds(string partialId, bool? includePrerele
                 };
         }
 
-        [ActionName("PackageVersions")]
         [HttpGet]
+        [ActionName("PackageVersions")]
         public virtual ActionResult GetPackageVersions(string id, bool? includePrerelease)
         {
             var query = GetService<IPackageVersionsQuery>();
@@ -378,79 +370,47 @@ public virtual ActionResult GetPackageVersions(string id, bool? includePrereleas
                 };
         }
 
-        [ActionName("StatisticsDownloadsApi")]
         [HttpGet]
+        [ActionName("StatisticsDownloadsApi")]
         public virtual async Task<ActionResult> GetStatsDownloads(int? count)
         {
-            if (StatisticsService != null)
+            var result = await StatisticsService.LoadDownloadPackageVersions();
+
+            if (result.Loaded)
             {
-                var result = await StatisticsService.LoadDownloadPackageVersions();
+                int i = 0;
 
-                if (result.Loaded)
+                JArray content = new JArray();
+                foreach (StatisticsPackagesItemViewModel row in StatisticsService.DownloadPackageVersionsAll)
                 {
-                    int i = 0;
-
-                    JArray content = new JArray();
-                    foreach (StatisticsPackagesItemViewModel row in StatisticsService.DownloadPackageVersionsAll)
-                    {
-                        JObject item = new JObject();
-
-                        item.Add("PackageId", row.PackageId);
-                        item.Add("PackageVersion", row.PackageVersion);
-                        item.Add("Gallery", Url.PackageGallery(row.PackageId, row.PackageVersion));
-                        item.Add("PackageTitle", row.PackageTitle ?? row.PackageId);
-                        item.Add("PackageDescription", row.PackageDescription);
-                        item.Add("PackageIconUrl", row.PackageIconUrl ?? Url.PackageDefaultIcon());
-                        item.Add("Downloads", row.Downloads);
+                    JObject item = new JObject();
 
-                        content.Add(item);
+                    item.Add("PackageId", row.PackageId);
+                    item.Add("PackageVersion", row.PackageVersion);
+                    item.Add("Gallery", Url.PackageGallery(row.PackageId, row.PackageVersion));
+                    item.Add("PackageTitle", row.PackageTitle ?? row.PackageId);
+                    item.Add("PackageDescription", row.PackageDescription);
+                    item.Add("PackageIconUrl", row.PackageIconUrl ?? Url.PackageDefaultIcon());
+                    item.Add("Downloads", row.Downloads);
 
-                        i++;
+                    content.Add(item);
 
-                        if (count.HasValue && count.Value == i)
-                        {
-                            break;
-                        }
-                    }
+                    i++;
 
-                    return new ContentResult
+                    if (count.HasValue && count.Value == i)
                     {
-                        Content = content.ToString(),
-                        ContentType = "application/json"
-                    };
+                        break;
+                    }
                 }
-            }
 
-            return new HttpStatusCodeResult(HttpStatusCode.NotFound);
-        }
-
-        private User GetUserByApiKey(string apiKey)
-        {
-            var cred = UserService.AuthenticateCredential(CredentialTypes.ApiKeyV1, apiKey.ToLowerInvariant());
-            User user;
-            if (cred == null)
-            {
-#pragma warning disable 0618
-                user = UserService.FindByApiKey(Guid.Parse(apiKey));
-#pragma warning restore 0618
-            }
-            else
-            {
-                user = cred.User;
+                return new ContentResult
+                {
+                    Content = content.ToString(),
+                    ContentType = "application/json"
+                };
             }
-            return user;
-        }
 
-        private static void QuietlyLogException(Exception e)
-        {
-            try
-            {
-                Elmah.ErrorSignal.FromCurrentContext().Raise(e);
-            }
-            catch
-            {
-                // logging failed, don't allow exception to escape
-            }
+            return new HttpStatusCodeResult(HttpStatusCode.NotFound);
         }
     }
 }
diff --git a/src/NuGetGallery/Controllers/AppController.cs b/src/NuGetGallery/Controllers/AppController.cs
index b470aa8f43..6e83e3f31a 100644
--- a/src/NuGetGallery/Controllers/AppController.cs
+++ b/src/NuGetGallery/Controllers/AppController.cs
@@ -1,18 +1,90 @@
-using System.Security.Principal;
+using System;
+using System.Security.Claims;
+using System.Security.Principal;
+using System.Linq;
+using System.Web;
 using System.Web.Mvc;
+using Microsoft.Owin;
+using NuGetGallery.Authentication;
+using System.Net;
 
 namespace NuGetGallery
 {
     public abstract partial class AppController : Controller
     {
-        public virtual IIdentity Identity
+        private IOwinContext _overrideContext;
+
+        public IOwinContext OwinContext
+        {
+            get { return _overrideContext ?? HttpContext.GetOwinContext(); }
+            set { _overrideContext = value; }
+        }
+
+        public new ClaimsPrincipal User
         {
-            get { return User.Identity; }
+            get { return base.User as ClaimsPrincipal; }
         }
 
         protected internal virtual T GetService<T>()
         {
             return DependencyResolver.Current.GetService<T>();
         }
+
+        // This is a method because the first call will perform a database call
+        /// <summary>
+        /// Get the current user, from the database, or if someone in this request has already
+        /// retrieved it, from memory. This will NEVER return null. It will throw an exception
+        /// that will yield an HTTP 401 if it would return null. As a result, it should only
+        /// be called in actions with the Authorize attribute or a Request.IsAuthenticated check
+        /// </summary>
+        /// <returns>The current user</returns>
+        protected internal User GetCurrentUser()
+        {
+            if (OwinContext.Request.User == null)
+            {
+                return null;
+            }
+
+            User user = null;
+            object obj;
+            if (OwinContext.Environment.TryGetValue(Constants.CurrentUserOwinEnvironmentKey, out obj))
+            {
+                user = obj as User;
+            }
+
+            if (user == null)
+            {
+                user = LoadUser();
+                OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey] = user;
+            }
+
+            if (user == null)
+            {
+                // Unauthorized! If we get here it's because a valid session token was presented, but the
+                // user doesn't exist any more. So we just have a generic error.
+                throw new HttpException(401, Strings.Unauthorized);
+            }
+
+            return user;
+        }
+
+        private User LoadUser()
+        {
+            var principal = OwinContext.Authentication.User;
+            if (principal != null)
+            {
+                // Try to authenticate with the user name
+                string userName = principal.GetClaimOrDefault(ClaimTypes.Name);
+
+                if (!String.IsNullOrEmpty(userName))
+                {
+                    return DependencyResolver
+                        .Current
+                        .GetService<UserService>()
+                        .FindByUsername(userName);
+                }
+            }
+            return null; // No user logged in, or credentials could not be resolved
+        }
     }
 }
\ No newline at end of file
diff --git a/src/NuGetGallery/Controllers/AuthenticationController.cs b/src/NuGetGallery/Controllers/AuthenticationController.cs
index 1ff0a5acf9..632af9584d 100644
--- a/src/NuGetGallery/Controllers/AuthenticationController.cs
+++ b/src/NuGetGallery/Controllers/AuthenticationController.cs
@@ -1,14 +1,16 @@
 using System;
+using System.Web;
 using System.Collections.Generic;
 using System.Linq;
 using System.Web.Mvc;
+using NuGetGallery.Authentication;
+using NuGetGallery.Filters;
 
 namespace NuGetGallery
 {
-    public partial class AuthenticationController : Controller
+    public partial class AuthenticationController : AppController
     {
-        public IFormsAuthenticationService FormsAuth { get; protected set; }
-        public IUserService UserService { get; protected set; }
+        public AuthenticationService AuthService { get; protected set; }
         
         // For sub-classes to initialize services themselves
         protected AuthenticationController()
@@ -16,20 +18,18 @@ protected AuthenticationController()
         }
 
         public AuthenticationController(
-            IFormsAuthenticationService formsAuthService,
-            IUserService userService)
+            AuthenticationService authService)
         {
-            FormsAuth = formsAuthService;
-            UserService = userService;
+            AuthService = authService;
         }
 
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
+        [RequireSsl]
         public virtual ActionResult LogOn(string returnUrl)
         {
             // I think it should be obvious why we don't want the current URL to be the return URL here ;)
             ViewData[Constants.ReturnUrlViewDataKey] = returnUrl;
 
-            if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
+            if (Request.IsAuthenticated)
             {
                 TempData["Message"] = "You are already logged in!";
                 return Redirect(returnUrl);
@@ -40,13 +40,13 @@ public virtual ActionResult LogOn(string returnUrl)
 
         [HttpPost]
         [ValidateAntiForgeryToken]
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
+        [RequireSsl]
         public virtual ActionResult SignIn(SignInRequest request, string returnUrl)
         {
             // I think it should be obvious why we don't want the current URL to be the return URL here ;)
             ViewData[Constants.ReturnUrlViewDataKey] = returnUrl;
 
-            if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
+            if (Request.IsAuthenticated)
             {
                 ModelState.AddModelError(String.Empty, "You are already logged in!");
                 return View();
@@ -57,9 +57,7 @@ public virtual ActionResult SignIn(SignInRequest request, string returnUrl)
                 return View();
             }
 
-            var user = UserService.FindByUsernameOrEmailAddressAndPassword(
-                request.UserNameOrEmail,
-                request.Password);
+            var user = AuthService.Authenticate(request.UserNameOrEmail, request.Password);
 
             if (user == null)
             {
@@ -70,19 +68,19 @@ public virtual ActionResult SignIn(SignInRequest request, string returnUrl)
                 return View();
             }
 
-            SetAuthenticationCookie(user);
+            AuthService.CreateSession(OwinContext, user.User, AuthenticationTypes.Password);
             return SafeRedirect(returnUrl);
         }
 
         [HttpPost]
         [ValidateAntiForgeryToken]
-        [RequireRemoteHttps(OnlyWhenAuthenticated = false)]
+        [RequireSsl]
         public virtual ActionResult Register(RegisterRequest request, string returnUrl)
         {
             // I think it should be obvious why we don't want the current URL to be the return URL here ;)
             ViewData[Constants.ReturnUrlViewDataKey] = returnUrl;
 
-            if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
+            if (Request.IsAuthenticated)
             {
                 ModelState.AddModelError(String.Empty, "You are already logged in!");
                 return View();
@@ -93,10 +91,10 @@ public virtual ActionResult Register(RegisterRequest request, string returnUrl)
                 return View();
             }
 
-            User user;
+            AuthenticatedUser user;
             try
             {
-                user = UserService.Create(
+                user = AuthService.Register(
                     request.Username,
                     request.Password,
                     request.EmailAddress);
@@ -107,7 +105,7 @@ public virtual ActionResult Register(RegisterRequest request, string returnUrl)
                 return View();
             }
 
-            SetAuthenticationCookie(user);
+            AuthService.CreateSession(OwinContext, user.User, AuthenticationTypes.Password);
 
             if (RedirectHelper.SafeRedirectUrl(Url, returnUrl) != RedirectHelper.SafeRedirectUrl(Url, null))
             {
@@ -122,10 +120,7 @@ public virtual ActionResult Register(RegisterRequest request, string returnUrl)
 
         public virtual ActionResult LogOff(string returnUrl)
         {
-            // TODO: this should really be a POST
-
-            FormsAuth.SignOut();
-
+            OwinContext.Authentication.SignOut();
             return SafeRedirect(returnUrl);
         }
 
@@ -134,20 +129,5 @@ protected virtual ActionResult SafeRedirect(string returnUrl)
         {
             return Redirect(RedirectHelper.SafeRedirectUrl(Url, returnUrl));
         }
-
-        [NonAction]
-        protected virtual void SetAuthenticationCookie(User user)
-        {
-            IEnumerable<string> roles = null;
-            if (user.Roles.AnySafe())
-            {
-                roles = user.Roles.Select(r => r.Name);
-            }
-
-            FormsAuth.SetAuthCookie(
-                user.Username,
-                true,
-                roles);
-        }
     }
 }
diff --git a/src/NuGetGallery/Controllers/CuratedFeedsController.cs b/src/NuGetGallery/Controllers/CuratedFeedsController.cs
index 30745f89bb..0134c90c30 100644
--- a/src/NuGetGallery/Controllers/CuratedFeedsController.cs
+++ b/src/NuGetGallery/Controllers/CuratedFeedsController.cs
@@ -33,7 +33,7 @@ public virtual ActionResult CuratedFeed(string name)
                 return HttpNotFound();
             }
 
-            if (curatedFeed.Managers.All(manager => manager.Username != Identity.Name))
+            if (curatedFeed.Managers.All(manager => manager.Username != User.Identity.Name))
             {
                 return new HttpStatusCodeResult(403);
             }
diff --git a/src/NuGetGallery/Controllers/CuratedPackagesController.cs b/src/NuGetGallery/Controllers/CuratedPackagesController.cs
index 4b58e6df64..4d9d647a69 100644
--- a/src/NuGetGallery/Controllers/CuratedPackagesController.cs
+++ b/src/NuGetGallery/Controllers/CuratedPackagesController.cs
@@ -31,7 +31,7 @@ public virtual ActionResult GetCreateCuratedPackageForm(string curatedFeedName)
                 return HttpNotFound();
             }
 
-            if (curatedFeed.Managers.All(manager => manager.Username != Identity.Name))
+            if (curatedFeed.Managers.All(manager => manager.Username != User.Identity.Name))
             {
                 return new HttpStatusCodeResult(403);
             }
@@ -58,7 +58,7 @@ public virtual ActionResult DeleteCuratedPackage(
                 return HttpNotFound();
             }
 
-            if (curatedFeed.Managers.All(manager => manager.Username != Identity.Name))
+            if (curatedFeed.Managers.All(manager => manager.Username != User.Identity.Name))
             {
                 return new HttpStatusCodeResult(403);
             }
@@ -89,7 +89,7 @@ public virtual ActionResult PatchCuratedPackage(
                 return HttpNotFound();
             }
 
-            if (curatedFeed.Managers.All(manager => manager.Username != Identity.Name))
+            if (curatedFeed.Managers.All(manager => manager.Username != User.Identity.Name))
             {
                 return new HttpStatusCodeResult(403);
             }
@@ -119,7 +119,7 @@ public virtual ActionResult PostCuratedPackages(
                 return HttpNotFound();
             }
 
-            if (curatedFeed.Managers.All(manager => manager.Username != Identity.Name))
+            if (curatedFeed.Managers.All(manager => manager.Username != User.Identity.Name))
             {
                 return new HttpStatusCodeResult(403);
             }
diff --git a/src/NuGetGallery/Controllers/PackagesController.cs b/src/NuGetGallery/Controllers/PackagesController.cs
index d1f1689323..f39166e081 100644
--- a/src/NuGetGallery/Controllers/PackagesController.cs
+++ b/src/NuGetGallery/Controllers/PackagesController.cs
@@ -34,17 +34,14 @@ public partial class PackagesController : AppController
         private readonly IPackageFileService _packageFileService;
         private readonly ISearchService _searchService;
         private readonly IUploadFileService _uploadFileService;
-        private readonly IUserService _userService;
         private readonly IEntitiesContext _entitiesContext;
         private readonly IIndexingService _indexingService;
         private readonly ICacheService _cacheService;
         private readonly EditPackageService _editPackageService;
-        private readonly IPrincipal _currentUser;
 
         public PackagesController(
             IPackageService packageService,
             IUploadFileService uploadFileService,
-            IUserService userService,
             IMessageService messageService,
             ISearchService searchService,
             IAutomaticallyCuratePackageCommand autoCuratedPackageCmd,
@@ -54,12 +51,10 @@ public PackagesController(
             IAppConfiguration config,
             IIndexingService indexingService,
             ICacheService cacheService,
-            EditPackageService editPackageService,
-            IPrincipal currentUser)
+            EditPackageService editPackageService)
         {
             _packageService = packageService;
             _uploadFileService = uploadFileService;
-            _userService = userService;
             _messageService = messageService;
             _searchService = searchService;
             _autoCuratedPackageCmd = autoCuratedPackageCmd;
@@ -70,14 +65,13 @@ public PackagesController(
             _indexingService = indexingService;
             _cacheService = cacheService;
             _editPackageService = editPackageService;
-            _currentUser = currentUser;
         }
 
         [Authorize]
         [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]
         public virtual ActionResult UploadPackageProgress()
         {
-            string username = _currentUser.Identity.Name;
+            string username = User.Identity.Name;
 
             AsyncFileUploadProgress progress = _cacheService.GetProgress(username);
             if (progress == null)
@@ -99,7 +93,7 @@ public virtual ActionResult UndoPendingEdits(string id, string version)
                 return HttpNotFound();
             }
 
-            if (!package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(403, "Forbidden");
             }
@@ -147,7 +141,7 @@ public virtual ActionResult UndoPendingEdits(string id, string version)
         [RequiresAccountConfirmation("upload a package")]
         public async virtual Task<ActionResult> UploadPackage()
         {
-            var currentUser = _userService.FindByUsername(_currentUser.Identity.Name);
+            var currentUser = GetCurrentUser();
 
             using (var existingUploadFile = await _uploadFileService.GetUploadFileAsync(currentUser.Key))
             {
@@ -162,11 +156,11 @@ public async virtual Task<ActionResult> UploadPackage()
 
         [HttpPost]
         [Authorize]
-        [RequiresAccountConfirmation("upload a package")]
         [ValidateAntiForgeryToken]
+        [RequiresAccountConfirmation("upload a package")]
         public virtual async Task<ActionResult> UploadPackage(HttpPostedFileBase uploadFile)
         {
-            var currentUser = _userService.FindByUsername(_currentUser.Identity.Name);
+            var currentUser = GetCurrentUser();
 
             using (var existingUploadFile = await _uploadFileService.GetUploadFileAsync(currentUser.Key))
             {
@@ -246,7 +240,7 @@ public virtual ActionResult DisplayPackage(string id, string version)
             }
             var model = new DisplayPackageViewModel(package);
 
-            if (package.IsOwner(_currentUser))
+            if (package.IsOwner(User))
             {
                 // Tell logged-in package owners not to cache the package page, so they won't be confused about the state of pending edits.
                 Response.Cache.SetCacheability(HttpCacheability.NoCache);
@@ -332,7 +326,7 @@ public virtual ActionResult ReportAbuse(string id, string version)
 
             if (Request.IsAuthenticated)
             {
-                var user = _userService.FindByUsername(HttpContext.User.Identity.Name);
+                var user = GetCurrentUser();
 
                 // If user logged on in as owner a different tab, then clicked the link, we can redirect them to ReportMyPackage
                 if (package.IsOwner(user))
@@ -362,7 +356,7 @@ public virtual ActionResult ReportAbuse(string id, string version)
         [RequiresAccountConfirmation("contact support about your package")]
         public virtual ActionResult ReportMyPackage(string id, string version)
         {
-            var user = _userService.FindByUsername(HttpContext.User.Identity.Name);
+            var user = GetCurrentUser();
 
             var package = _packageService.FindPackageByIdAndVersion(id, version);
 
@@ -372,7 +366,7 @@ public virtual ActionResult ReportMyPackage(string id, string version)
             }
 
             // If user hit this url by constructing it manually but is not the owner, redirect them to ReportAbuse
-            if (!(HttpContext.User.IsInRole(Constants.AdminRoleName) || package.IsOwner(user)))
+            if (!(User.IsInRole(Constants.AdminRoleName) || package.IsOwner(user)))
             {
                 return RedirectToAction(ActionNames.ReportAbuse, new { id, version });
             }
@@ -411,7 +405,7 @@ public virtual ActionResult ReportAbuse(string id, string version, ReportAbuseVi
             MailAddress from;
             if (Request.IsAuthenticated)
             {
-                user = _userService.FindByUsername(HttpContext.User.Identity.Name);
+                user = GetCurrentUser();
                 from = user.ToMailAddress();
             }
             else
@@ -457,7 +451,7 @@ public virtual ActionResult ReportMyPackage(string id, string version, ReportAbu
                 return HttpNotFound();
             }
 
-            var user = _userService.FindByUsername(HttpContext.User.Identity.Name);
+            var user = GetCurrentUser();
             MailAddress from = user.ToMailAddress();
 
             _messageService.ReportMyPackage(
@@ -515,7 +509,7 @@ public virtual ActionResult ContactOwners(string id, ContactOwnersViewModel cont
                 return HttpNotFound();
             }
 
-            var user = _userService.FindByUsername(User.Identity.Name);
+            var user = GetCurrentUser();
             var fromAddress = new MailAddress(user.EmailAddress, user.Username);
             _messageService.SendContactOwnersMessage(
                 fromAddress, package, contactForm.Message, Url.Action(MVC.Users.Edit(), protocol: Request.Url.Scheme));
@@ -539,12 +533,12 @@ public virtual ActionResult ManagePackageOwners(string id, string version)
             {
                 return HttpNotFound();
             }
-            if (!package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(401, "Unauthorized");
             }
 
-            var model = new ManagePackageOwnersViewModel(package, HttpContext.User);
+            var model = new ManagePackageOwnersViewModel(package, User);
 
             return View(model);
         }
@@ -576,7 +570,7 @@ public virtual ActionResult Edit(string id, string version)
                 return HttpNotFound();
             }
 
-            if (!package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(403, "Forbidden");
             }
@@ -599,9 +593,9 @@ public virtual ActionResult Edit(string id, string version)
 
         [Authorize]
         [HttpPost]
-        [RequiresAccountConfirmation("edit a package")]
-        [ValidateAntiForgeryToken]
         [ValidateInput(false)] // Security note: Disabling ASP.Net input validation which does things like disallow angle brackets in submissions. See http://go.microsoft.com/fwlink/?LinkID=212874
+        [ValidateAntiForgeryToken]
+        [RequiresAccountConfirmation("edit a package")]
         public virtual ActionResult Edit(string id, string version, EditPackageRequest formData, string returnUrl)
         {
             var package = _packageService.FindPackageByIdAndVersion(id, version);
@@ -610,12 +604,12 @@ public virtual ActionResult Edit(string id, string version, EditPackageRequest f
                 return HttpNotFound();
             }
 
-            var user = _userService.FindByUsername(HttpContext.User.Identity.Name);
-            if (user == null || !package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(403, "Forbidden");
             }
 
+            var user = GetCurrentUser();
             if (!ModelState.IsValid)
             {
                 formData.PackageId = package.PackageRegistration.Id;
@@ -664,17 +658,7 @@ public virtual ActionResult ConfirmOwner(string id, string username, string toke
                 return HttpNotFound();
             }
 
-            var user = _userService.FindByUsername(username);
-            if (user == null)
-            {
-                return HttpNotFound();
-            }
-
-            if (!String.Equals(user.Username, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
-            {
-                return new HttpStatusCodeResult(403);
-            }
-
+            var user = GetCurrentUser();
             ConfirmOwnershipResult result = _packageService.ConfirmPackageOwner(package, user, token);
 
             var model = new PackageOwnerConfirmationModel
@@ -693,7 +677,7 @@ internal virtual ActionResult Edit(string id, string version, bool? listed, Func
             {
                 return HttpNotFound();
             }
-            if (!package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(401, "Unauthorized");
             }
@@ -726,7 +710,7 @@ private ActionResult GetPackageOwnerActionFormResult(string id, string version)
             {
                 return HttpNotFound();
             }
-            if (!package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(401, "Unauthorized");
             }
@@ -739,7 +723,7 @@ private ActionResult GetPackageOwnerActionFormResult(string id, string version)
         [RequiresAccountConfirmation("upload a package")]
         public virtual async Task<ActionResult> VerifyPackage()
         {
-            var currentUser = _userService.FindByUsername(_currentUser.Identity.Name);
+            var currentUser = GetCurrentUser();
 
             IPackageMetadata packageMetadata;
             using (Stream uploadFile = await _uploadFileService.GetUploadFileAsync(currentUser.Key))
@@ -795,7 +779,7 @@ public virtual async Task<ActionResult> VerifyPackage()
         [ValidateInput(false)] // Security note: Disabling ASP.Net input validation which does things like disallow angle brackets in submissions. See http://go.microsoft.com/fwlink/?LinkID=212874
         public virtual async Task<ActionResult> VerifyPackage(VerifyPackageRequest formData)
         {
-            var currentUser = _userService.FindByUsername(_currentUser.Identity.Name);
+            var currentUser = GetCurrentUser();
 
             Package package;
             using (Stream uploadFile = await _uploadFileService.GetUploadFileAsync(currentUser.Key))
@@ -888,7 +872,7 @@ public virtual async Task<ActionResult> VerifyPackage(VerifyPackageRequest formD
         [ValidateAntiForgeryToken]
         public virtual async Task<ActionResult> CancelUpload()
         {
-            var currentUser = _userService.FindByUsername(_currentUser.Identity.Name);
+            var currentUser = GetCurrentUser();
             await _uploadFileService.DeleteUploadFileAsync(currentUser.Key);
 
             return RedirectToAction("UploadPackage");
@@ -909,7 +893,7 @@ internal virtual ActionResult SetLicenseReportVisibility(string id, string versi
             {
                 return HttpNotFound();
             }
-            if (!package.IsOwner(HttpContext.User))
+            if (!package.IsOwner(User))
             {
                 return new HttpStatusCodeResult(401, "Unauthorized");
             }
diff --git a/src/NuGetGallery/Controllers/StatisticsController.cs b/src/NuGetGallery/Controllers/StatisticsController.cs
index 696c5404bc..06fc2e2a91 100644
--- a/src/NuGetGallery/Controllers/StatisticsController.cs
+++ b/src/NuGetGallery/Controllers/StatisticsController.cs
@@ -99,7 +99,7 @@ private CultureInfo DetermineClientLocale()
 
         public virtual async Task<ActionResult> Index()
         {
-            if (_statisticsService == null)
+            if (_statisticsService == NullStatisticsService.Instance)
             {
                 return new HttpStatusCodeResult(HttpStatusCode.NotFound);
             }
@@ -141,7 +141,7 @@ public virtual async Task<ActionResult> Index()
 
         public virtual async Task<ActionResult> Packages()
         {
-            if (_statisticsService == null)
+            if (_statisticsService == NullStatisticsService.Instance)
             {
                 return new HttpStatusCodeResult(HttpStatusCode.NotFound);
             }
@@ -164,7 +164,7 @@ public virtual async Task<ActionResult> Packages()
 
         public virtual async Task<ActionResult> PackageVersions()
         {
-            if (_statisticsService == null)
+            if (_statisticsService == NullStatisticsService.Instance)
             {
                 return new HttpStatusCodeResult(HttpStatusCode.NotFound);
             }
@@ -187,7 +187,7 @@ public virtual async Task<ActionResult> PackageVersions()
 
         public virtual async Task<ActionResult> PackageDownloadsByVersion(string id, string[] groupby)
         {
-            if (_statisticsService == null)
+            if (_statisticsService == NullStatisticsService.Instance)
             {
                 return new HttpStatusCodeResult(HttpStatusCode.NotFound);
             }
@@ -215,7 +215,7 @@ public virtual async Task<ActionResult> PackageDownloadsByVersion(string id, str
 
         public virtual async Task<ActionResult> PackageDownloadsDetail(string id, string version, string[] groupby)
         {
-            if (_statisticsService == null)
+            if (_statisticsService == NullStatisticsService.Instance)
             {
                 return new HttpStatusCodeResult(HttpStatusCode.NotFound);
             }
diff --git a/src/NuGetGallery/Controllers/UsersController.cs b/src/NuGetGallery/Controllers/UsersController.cs
index 8359154261..dbedf6d208 100644
--- a/src/NuGetGallery/Controllers/UsersController.cs
+++ b/src/NuGetGallery/Controllers/UsersController.cs
@@ -4,6 +4,7 @@
 using System.Net.Mail;
 using System.Security.Principal;
 using System.Web.Mvc;
+using NuGetGallery.Authentication;
 using NuGetGallery.Configuration;
 
 namespace NuGetGallery
@@ -11,11 +12,11 @@ namespace NuGetGallery
     public partial class UsersController : AppController
     {
         public ICuratedFeedService CuratedFeedService { get; protected set; }
+        public IUserService UserService { get; protected set; }
         public IMessageService MessageService { get; protected set; }
         public IPackageService PackageService { get; protected set; }
         public IAppConfiguration Config { get; protected set; }
-        public IUserService UserService { get; protected set; }
-        public IPrincipal CurrentUser { get; protected set; }
+        public AuthenticationService AuthService { get; protected set; }
 
         protected UsersController() { }
 
@@ -25,20 +26,20 @@ public UsersController(
             IPackageService packageService,
             IMessageService messageService,
             IAppConfiguration config,
-            IPrincipal currentUser) : this()
+            AuthenticationService authService) : this()
         {
             CuratedFeedService = feedsQuery;
             UserService = userService;
             PackageService = packageService;
             MessageService = messageService;
             Config = config;
-            CurrentUser = currentUser;
+            AuthService = authService;
         }
 
         [Authorize]
         public virtual ActionResult Account()
         {
-            var user = UserService.FindByUsername(Identity.Name);
+            var user = GetCurrentUser();
             var curatedFeeds = CuratedFeedService.GetFeedsForManager(user.Key);
             var apiCredential = user
                 .Credentials
@@ -54,11 +55,11 @@ public virtual ActionResult Account()
                     });
         }
 
-        [Authorize]
         [HttpGet]
+        [Authorize]
         public virtual ActionResult ConfirmationRequired()
         {
-            User user = UserService.FindByUsername(User.Identity.Name);
+            User user = GetCurrentUser();
             var model = new ConfirmationViewModel
             {
                 ConfirmingNewAccount = !(user.Confirmed),
@@ -72,7 +73,7 @@ public virtual ActionResult ConfirmationRequired()
         [ActionName("ConfirmationRequired")]
         public virtual ActionResult ConfirmationRequiredPost()
         {
-            User user = UserService.FindByUsername(User.Identity.Name);
+            User user = GetCurrentUser();
             var confirmationUrl = Url.ConfirmationUrl(
                 MVC.Users.Confirm(), user.Username, user.EmailConfirmationToken, protocol: Request.Url.Scheme);
 
@@ -90,7 +91,7 @@ public virtual ActionResult ConfirmationRequiredPost()
         [Authorize]
         public virtual ActionResult Edit()
         {
-            var user = UserService.FindByUsername(Identity.Name);
+            var user = GetCurrentUser();
             var model = new EditProfileViewModel
                 {
                     Username = user.Username,
@@ -106,7 +107,7 @@ public virtual ActionResult Edit()
         [ValidateAntiForgeryToken]
         public virtual ActionResult Edit(EditProfileViewModel profile)
         {
-            var user = UserService.FindByUsername(Identity.Name);
+            var user = GetCurrentUser();
             if (user == null)
             {
                 return HttpNotFound();
@@ -130,7 +131,7 @@ public virtual ActionResult Thanks()
         [Authorize]
         public virtual ActionResult Packages()
         {
-            var user = UserService.FindByUsername(Identity.Name);
+            var user = GetCurrentUser();
             var packages = PackageService.FindPackagesByOwner(user, includeUnlisted: true)
                 .Select(p => new PackageViewModel(p)
                 {
@@ -151,7 +152,7 @@ public virtual ActionResult Packages()
         public virtual ActionResult GenerateApiKey()
         {
             // Get the user
-            var user = UserService.FindByUsername(User.Identity.Name);
+            var user = GetCurrentUser();
 
             // Generate an API Key
             var apiKey = Guid.NewGuid();
@@ -160,7 +161,7 @@ public virtual ActionResult GenerateApiKey()
             user.ApiKey = apiKey;
 
             // Add/Replace the API Key credential, and save to the database
-            UserService.ReplaceCredential(user, CredentialBuilder.CreateV1ApiKey(apiKey));
+            AuthService.ReplaceCredential(user, CredentialBuilder.CreateV1ApiKey(apiKey));
             return RedirectToAction(MVC.Users.Account());
         }
 
@@ -183,7 +184,7 @@ public virtual ActionResult ForgotPassword(ForgotPasswordViewModel model)
             
             if (ModelState.IsValid)
             {
-                var user = UserService.GeneratePasswordResetToken(model.Email, Constants.DefaultPasswordResetTokenExpirationHours * 60);
+                var user = AuthService.GeneratePasswordResetToken(model.Email, Constants.DefaultPasswordResetTokenExpirationHours * 60);
                 if (user != null)
                 {
                     var resetPasswordUrl = Url.ConfirmationUrl(
@@ -229,7 +230,7 @@ public virtual ActionResult ResetPassword(string username, string token, Passwor
             // By having this value present in the dictionary BUT null, we don't put "returnUrl" on the Login link at all
             ViewData[Constants.ReturnUrlViewDataKey] = null;
             
-            ViewBag.ResetTokenValid = UserService.ResetPasswordWithToken(username, token, model.NewPassword);
+            ViewBag.ResetTokenValid = AuthService.ResetPasswordWithToken(username, token, model.NewPassword);
 
             if (!ViewBag.ResetTokenValid)
             {
@@ -246,7 +247,7 @@ public virtual ActionResult Confirm(string username, string token)
             // By having this value present in the dictionary BUT null, we don't put "returnUrl" on the Login link at all
             ViewData[Constants.ReturnUrlViewDataKey] = null;
 
-            if (!String.Equals(username, Identity.Name, StringComparison.OrdinalIgnoreCase))
+            if (!String.Equals(username, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
             {
                 return View(new ConfirmationViewModel
                     {
@@ -255,12 +256,8 @@ public virtual ActionResult Confirm(string username, string token)
                     });
             }
 
-            var user = UserService.FindByUsername(username);
-            if (user == null)
-            {
-                return HttpNotFound();
-            }
-
+            var user = GetCurrentUser();
+            
             string existingEmail = user.EmailAddress;
             var model = new ConfirmationViewModel
             {
@@ -337,14 +334,14 @@ public virtual ActionResult ChangeEmail(ChangeEmailRequestModel model)
                 return View(model);
             }
 
-            User user = UserService.FindByUsernameAndPassword(Identity.Name, model.Password);
-            if (user == null)
+            var authUser = AuthService.Authenticate(User.Identity.Name, model.Password);
+            if (authUser == null)
             {
                 ModelState.AddModelError("Password", Strings.CurrentPasswordIncorrect);
                 return View(model);
             }
 
-            if (String.Equals(model.NewEmail, user.LastSavedEmailAddress, StringComparison.OrdinalIgnoreCase))
+            if (String.Equals(model.NewEmail, authUser.User.LastSavedEmailAddress, StringComparison.OrdinalIgnoreCase))
             {
                 // email address unchanged - accept
                 return RedirectToAction(MVC.Users.Edit());
@@ -352,7 +349,7 @@ public virtual ActionResult ChangeEmail(ChangeEmailRequestModel model)
 
             try
             {
-                UserService.ChangeEmailAddress(user, model.NewEmail);
+                UserService.ChangeEmailAddress(authUser.User, model.NewEmail);
             }
             catch (EntityException e)
             {
@@ -360,11 +357,11 @@ public virtual ActionResult ChangeEmail(ChangeEmailRequestModel model)
                 return View(model);
             }
 
-            if (user.Confirmed)
+            if (authUser.User.Confirmed)
             {
                 var confirmationUrl = Url.ConfirmationUrl(
-                    MVC.Users.Confirm(), user.Username, user.EmailConfirmationToken, protocol: Request.Url.Scheme);
-                MessageService.SendEmailChangeConfirmationNotice(new MailAddress(user.UnconfirmedEmailAddress, user.Username), confirmationUrl);
+                    MVC.Users.Confirm(), authUser.User.Username, authUser.User.EmailConfirmationToken, protocol: Request.Url.Scheme);
+                MessageService.SendEmailChangeConfirmationNotice(new MailAddress(authUser.User.UnconfirmedEmailAddress, authUser.User.Username), confirmationUrl);
 
                 TempData["Message"] =
                     "Your email address has been changed! We sent a confirmation email to verify your new email. When you confirm the new email address, it will take effect and we will forget the old one.";
@@ -384,8 +381,8 @@ public virtual ActionResult ChangePassword()
         }
 
         [HttpPost]
-        [ValidateAntiForgeryToken]
         [Authorize]
+        [ValidateAntiForgeryToken]
         public virtual ActionResult ChangePassword(PasswordChangeViewModel model)
         {
             if (!ModelState.IsValid)
@@ -393,7 +390,7 @@ public virtual ActionResult ChangePassword(PasswordChangeViewModel model)
                 return View(model);
             }
 
-            if (!UserService.ChangePassword(Identity.Name, model.OldPassword, model.NewPassword))
+            if (!AuthService.ChangePassword(User.Identity.Name, model.OldPassword, model.NewPassword))
             {
                 ModelState.AddModelError(
                     "OldPassword",
diff --git a/src/NuGetGallery/Diagnostics/AuthenticationGlimpseTab.cs b/src/NuGetGallery/Diagnostics/AuthenticationGlimpseTab.cs
new file mode 100644
index 0000000000..a883ac684e
--- /dev/null
+++ b/src/NuGetGallery/Diagnostics/AuthenticationGlimpseTab.cs
@@ -0,0 +1,22 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using Glimpse.AspNet.Extensibility;
+using Glimpse.Core.Extensibility;
+
+namespace NuGetGallery.Diagnostics
+{
+    public class AuthenticationGlimpseTab : AspNetTab
+    {
+        public override object GetData(ITabContext context)
+        {
+            return context.GetRequestContext<HttpContextBase>().User;
+        }
+
+        public override string Name
+        {
+            get { return "Auth"; }
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Diagnostics/IDiagnosticsService.cs b/src/NuGetGallery/Diagnostics/IDiagnosticsService.cs
index 554c428daa..2cb2a6a10a 100644
--- a/src/NuGetGallery/Diagnostics/IDiagnosticsService.cs
+++ b/src/NuGetGallery/Diagnostics/IDiagnosticsService.cs
@@ -1,4 +1,5 @@
-namespace NuGetGallery.Diagnostics
+using System;
+namespace NuGetGallery.Diagnostics
 {
     public interface IDiagnosticsService
     {
@@ -14,7 +15,19 @@ public static class DiagnosticsServiceExtensions
     {
         public static IDiagnosticsSource SafeGetSource(this IDiagnosticsService self, string name)
         {
-            return self == null ? new NullDiagnosticsSource() : self.GetSource(name);
+            // Hyper-defensive code to get a diagnostics source when self could be null AND self.GetSource(name) could return null.
+            // Designed to support all kinds of mocking scenarios and basically just never fail :)
+            try
+            {
+                return self == null ?
+                    NullDiagnosticsSource.Instance :
+                    (self.GetSource(name) ?? NullDiagnosticsSource.Instance);
+            }
+            catch(Exception ex)
+            {
+                System.Diagnostics.Trace.WriteLine("Error getting trace source: " + ex.ToString());
+                return NullDiagnosticsSource.Instance;
+            }
         }
     }
 }
diff --git a/src/NuGetGallery/Diagnostics/NullDiagnosticsSource.cs b/src/NuGetGallery/Diagnostics/NullDiagnosticsSource.cs
index f2f7c1d787..1f65bd6e72 100644
--- a/src/NuGetGallery/Diagnostics/NullDiagnosticsSource.cs
+++ b/src/NuGetGallery/Diagnostics/NullDiagnosticsSource.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Linq;
 using System.Text;
 
@@ -7,6 +8,11 @@ namespace NuGetGallery.Diagnostics
 {
     public class NullDiagnosticsSource : IDiagnosticsSource
     {
+        [SuppressMessage("Microsoft.Security", "CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Justification = "Type is immutable")]
+        public static readonly NullDiagnosticsSource Instance = new NullDiagnosticsSource();
+
+        private NullDiagnosticsSource() { }
+
         public void TraceEvent(System.Diagnostics.TraceEventType type, int id, string message, string member = null, string file = null, int line = 0)
         {
             // No-op!
diff --git a/src/NuGetGallery/ExtensionMethods.cs b/src/NuGetGallery/ExtensionMethods.cs
index b34268c4a0..7d5b7ce726 100644
--- a/src/NuGetGallery/ExtensionMethods.cs
+++ b/src/NuGetGallery/ExtensionMethods.cs
@@ -8,6 +8,7 @@
 using System.Net.Mail;
 using System.Runtime.Versioning;
 using System.Security;
+using System.Security.Claims;
 using System.Security.Principal;
 using System.ServiceModel.Activation;
 using System.Text;
@@ -306,5 +307,23 @@ public static string ToFriendlyName(this FrameworkName frameworkName)
             }
             return sb.ToString();
         }
+
+        public static string GetClaimOrDefault(this ClaimsPrincipal self, string claimType)
+        {
+            return self.Claims.GetClaimOrDefault(claimType);
+        }
+
+        public static string GetClaimOrDefault(this ClaimsIdentity self, string claimType)
+        {
+            return self.Claims.GetClaimOrDefault(claimType);
+        }
+
+        public static string GetClaimOrDefault(this IEnumerable<Claim> self, string claimType)
+        {
+            return self
+                .Where(c => String.Equals(c.Type, claimType, StringComparison.OrdinalIgnoreCase))
+                .Select(c => c.Value)
+                .FirstOrDefault();
+        }
     }
 }
\ No newline at end of file
diff --git a/src/NuGetGallery/ExtensionMethods.cs.rej b/src/NuGetGallery/ExtensionMethods.cs.rej
new file mode 100644
index 0000000000..0f5a587e29
--- /dev/null
+++ b/src/NuGetGallery/ExtensionMethods.cs.rej
@@ -0,0 +1,63 @@
+diff a/src/NuGetGallery/ExtensionMethods.cs b/src/NuGetGallery/ExtensionMethods.cs	(rejected hunks)
+@@ -8,6 +8,7 @@
+ using System.Net.Mail;
+ using System.Runtime.Versioning;
+ using System.Security;
++using System.Security.Claims;
+ using System.Security.Principal;
+ using System.ServiceModel.Activation;
+ using System.Text;
+@@ -15,6 +16,7 @@
+ using System.Web.Routing;
+ using System.Web.WebPages;
+ using NuGet;
++using NuGetGallery.Authentication;
+ 
+ namespace NuGetGallery
+ {
+@@ -40,6 +42,16 @@
+             self.AddOrUpdate(key, val, (_, __) => val);
+         }
+ 
++        public static UserSession AsUserSession(this IPrincipal self)
++        {
++            if (self == null)
++            {
++                return null;
++            }
++            // Direct cast because a non-ClaimsPrincipal is an error here.
++            return new UserSession((ClaimsPrincipal)self);
++        }
++
+         public static SecureString ToSecureString(this string str)
+         {
+             SecureString output = new SecureString();
+@@ -175,25 +187,17 @@
+             return package.PackageRegistration.IsOwner(user);
+         }
+ 
+-        public static bool IsOwner(this Package package, User user)
++        public static bool IsOwner(this Package package, UserSession user)
+         {
+             return package.PackageRegistration.IsOwner(user);
+         }
+ 
+         public static bool IsOwner(this PackageRegistration package, IPrincipal user)
+         {
+-            if (package == null)
+-            {
+-                throw new ArgumentNullException("package");
+-            }
+-            if (user == null || user.Identity == null)
+-            {
+-                return false;
+-            }
+-            return user.IsAdministrator() || package.Owners.Any(u => u.Username == user.Identity.Name);
++            return IsOwner(package, user.AsUserSession());
+         }
+ 
+-        public static bool IsOwner(this PackageRegistration package, User user)
++        public static bool IsOwner(this PackageRegistration package, UserSession user)
+         {
+             if (package == null)
+             {
diff --git a/src/NuGetGallery/Filters/ApiAuthorizeAttribute.cs b/src/NuGetGallery/Filters/ApiAuthorizeAttribute.cs
new file mode 100644
index 0000000000..5604246831
--- /dev/null
+++ b/src/NuGetGallery/Filters/ApiAuthorizeAttribute.cs
@@ -0,0 +1,20 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Web;
+using System.Web.Mvc;
+using NuGetGallery.Authentication;
+
+namespace NuGetGallery.Filters
+{
+    public sealed class ApiAuthorizeAttribute : AuthorizeAttribute
+    {
+        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
+        {
+            var owinContext = filterContext.HttpContext.GetOwinContext();
+            owinContext.Authentication.Challenge(AuthenticationTypes.ApiKey);
+            owinContext.Response.StatusCode = 401;
+            filterContext.Result = new HttpUnauthorizedResult();
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/NuGetGallery/Filters/ApiKeyAuthorizeAttribute.cs b/src/NuGetGallery/Filters/ApiKeyAuthorizeAttribute.cs
deleted file mode 100644
index 1fa1c096ea..0000000000
--- a/src/NuGetGallery/Filters/ApiKeyAuthorizeAttribute.cs
+++ /dev/null
@@ -1,77 +0,0 @@
-using System;
-using System.Globalization;
-using System.Net;
-using System.Web.Mvc;
-using Ninject;
-
-namespace NuGetGallery.Filters
-{
-    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
-    public sealed class ApiKeyAuthorizeAttribute : ActionFilterAttribute
-    {
-        private IUserService _userService; // for tests
-
-        public IUserService UserService
-        {
-            get { return _userService ?? Container.Kernel.TryGet<IUserService>(); }
-            set { _userService = value; }
-        }
-
-        public override void OnActionExecuting(ActionExecutingContext filterContext)
-        {
-            if (filterContext == null)
-            {
-                throw new ArgumentNullException("filterContext");
-            }
-
-            var controller = filterContext.Controller;
-            string apiKeyStr = (string)((Controller)controller).RouteData.Values["apiKey"];
-            filterContext.Result = CheckForResult(apiKeyStr);
-        }
-
-        public ActionResult CheckForResult(string apiKeyStr)
-        {
-            if (String.IsNullOrEmpty(apiKeyStr))
-            {
-                return new HttpStatusCodeWithBodyResult(HttpStatusCode.BadRequest, String.Format(CultureInfo.CurrentCulture, Strings.InvalidApiKey, apiKeyStr));
-            }
-
-            Guid _;
-            if (!Guid.TryParse(apiKeyStr, out _))
-            {
-                return new HttpStatusCodeWithBodyResult(HttpStatusCode.BadRequest, String.Format(CultureInfo.CurrentCulture, Strings.InvalidApiKey, apiKeyStr));
-            }
-
-            User user = GetUserByApiKey(apiKeyStr);
-            if (user == null)
-            {
-                return new HttpStatusCodeWithBodyResult(HttpStatusCode.Forbidden, String.Format(CultureInfo.CurrentCulture, Strings.ApiKeyNotAuthorized, "push"));
-            }
-
-            if (!user.Confirmed)
-            {
-                return new HttpStatusCodeWithBodyResult(HttpStatusCode.Forbidden, Strings.ApiKeyUserAccountIsUnconfirmed);
-            }
-
-            return null;
-        }
-
-        // Temporary helper, not necessary after removing the old credential storage
-        private User GetUserByApiKey(string apiKey)
-        {
-            var cred = UserService.AuthenticateCredential(CredentialTypes.ApiKeyV1, apiKey.ToLowerInvariant());
-            User user;
-            if (cred == null)
-            {
-#pragma warning disable 0618
-                user = UserService.FindByApiKey(Guid.Parse(apiKey));
-#pragma warning restore 0618
-            }
-            else
-            {
-                user = cred.User;
-            }
-            return user;
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/NuGetGallery/RequireRemoteHttpsAttribute.cs b/src/NuGetGallery/Filters/RequireSslAttribute.cs
similarity index 69%
rename from src/NuGetGallery/RequireRemoteHttpsAttribute.cs
rename to src/NuGetGallery/Filters/RequireSslAttribute.cs
index fe33220f56..e05b5a9866 100644
--- a/src/NuGetGallery/RequireRemoteHttpsAttribute.cs
+++ b/src/NuGetGallery/Filters/RequireSslAttribute.cs
@@ -7,29 +7,20 @@
 using Ninject.Web.Mvc.Filter;
 using NuGetGallery.Configuration;
 
-namespace NuGetGallery
+namespace NuGetGallery.Filters
 {
     // This code is identical to System.Web.Mvc except that we allow for working in localhost environment without https and we force authenticated users to use SSL
     [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
-    public sealed class RequireRemoteHttpsAttribute : FilterAttribute, IAuthorizationFilter
+    public sealed class RequireSslAttribute : FilterAttribute, IAuthorizationFilter
     {
         private IAppConfiguration _configuration;
-        private IFormsAuthenticationService _formsAuth;
-
+        
         public IAppConfiguration Configuration
         {
             get { return _configuration ?? (_configuration = Container.Kernel.Get<IAppConfiguration>()); }
             set { _configuration = value; }
         }
 
-        public IFormsAuthenticationService FormsAuthentication
-        {
-            get { return _formsAuth ?? (_formsAuth = Container.Kernel.Get<IFormsAuthenticationService>()); }
-            set { _formsAuth = value; }
-        }
-
-        public bool OnlyWhenAuthenticated { get; set; }
-
         public void OnAuthorization(AuthorizationContext filterContext)
         {
             if (filterContext == null)
@@ -38,19 +29,12 @@ public void OnAuthorization(AuthorizationContext filterContext)
             }
 
             var request = filterContext.HttpContext.Request;
-            if (Configuration.RequireSSL && !request.IsSecureConnection && ShouldForceSSL(filterContext.HttpContext))
+            if (Configuration.RequireSSL && !request.IsSecureConnection)
             {
                 HandleNonHttpsRequest(filterContext);
             }
         }
 
-        private bool ShouldForceSSL(HttpContextBase context)
-        {
-            return !OnlyWhenAuthenticated || // If OnlyWhenAuthenticated == false, then we should force SSL
-                context.Request.IsAuthenticated || // If Authenticated, force SSL (we should already be on SSL, since the cookie is secure, but just in case...)
-                FormsAuthentication.ShouldForceSSL(context); // If the "ForceSSL" cookie is present.
-        }
-
         private void HandleNonHttpsRequest(AuthorizationContext filterContext)
         {
             // only redirect for GET requests, otherwise the browser might not propagate the verb and request
diff --git a/src/NuGetGallery/Filters/RequiresAccountConfirmationAttribute.cs b/src/NuGetGallery/Filters/RequiresAccountConfirmationAttribute.cs
index 3ef883c307..b71496af5b 100644
--- a/src/NuGetGallery/Filters/RequiresAccountConfirmationAttribute.cs
+++ b/src/NuGetGallery/Filters/RequiresAccountConfirmationAttribute.cs
@@ -2,6 +2,7 @@
 using System.Globalization;
 using System.Security.Principal;
 using System.Web.Mvc;
+using NuGetGallery.Authentication;
 
 namespace NuGetGallery.Filters
 {
@@ -22,16 +23,15 @@ public override void OnActionExecuting(ActionExecutingContext filterContext)
                 throw new ArgumentNullException("filterContext");
             }
 
-            var controller = ((AppController)filterContext.Controller);
-            IPrincipal user = controller.User;
-            if (!user.Identity.IsAuthenticated)
+            if (!filterContext.HttpContext.Request.IsAuthenticated)
             {
                 throw new InvalidOperationException("Requires account confirmation attribute is only valid on authenticated actions.");
             }
-
-            var userService = controller.GetService<IUserService>();
-            var currentUser = userService.FindByUsername(user.Identity.Name);
-            if (!currentUser.Confirmed)
+            
+            var controller = ((AppController)filterContext.Controller);
+            var user = controller.GetCurrentUser();
+            
+            if (!user.Confirmed)
             {
                 controller.TempData["ConfirmationRequiredMessage"] = String.Format(
                     CultureInfo.CurrentCulture,
diff --git a/src/NuGetGallery/Helpers/StatisticsHelper.cs b/src/NuGetGallery/Helpers/StatisticsHelper.cs
index 754fcf2658..39c9049bb6 100644
--- a/src/NuGetGallery/Helpers/StatisticsHelper.cs
+++ b/src/NuGetGallery/Helpers/StatisticsHelper.cs
@@ -9,7 +9,7 @@ public static bool IsStatisticsPageAvailable
             get
             {
                 var statistics = DependencyResolver.Current.GetService<IStatisticsService>();
-                return (statistics != null);
+                return (statistics != NullStatisticsService.Instance);
             }
         }
     }
diff --git a/src/NuGetGallery/Infrastructure/CredentialBuilder.cs b/src/NuGetGallery/Infrastructure/CredentialBuilder.cs
index 5b21ce2a5b..aed8395560 100644
--- a/src/NuGetGallery/Infrastructure/CredentialBuilder.cs
+++ b/src/NuGetGallery/Infrastructure/CredentialBuilder.cs
@@ -17,10 +17,7 @@ public static Credential CreateV1ApiKey()
 
         public static Credential CreateV1ApiKey(Guid apiKey)
         {
-            var value = apiKey
-                .ToString()
-                .ToLowerInvariant();
-            return new Credential(CredentialTypes.ApiKeyV1, value);
+            return CreateV1ApiKey(apiKey.ToString());
         }
 
         public static Credential CreatePbkdf2Password(string plaintextPassword)
@@ -36,5 +33,10 @@ public static Credential CreateSha1Password(string plaintextPassword)
                 CredentialTypes.Password.Sha1,
                 CryptographyService.GenerateSaltedHash(plaintextPassword, Constants.Sha1HashAlgorithmId));
         }
+
+        internal static Credential CreateV1ApiKey(string apiKey)
+        {
+            return new Credential(CredentialTypes.ApiKeyV1, apiKey.ToLowerInvariant());
+        }
     }
 }
\ No newline at end of file
diff --git a/src/NuGetGallery/NuGetGallery.csproj b/src/NuGetGallery/NuGetGallery.csproj
index eb767dd37c..e811d29908 100644
--- a/src/NuGetGallery/NuGetGallery.csproj
+++ b/src/NuGetGallery/NuGetGallery.csproj
@@ -28,8 +28,7 @@
     </UpgradeBackupLocation>
     <OldToolsVersion>4.0</OldToolsVersion>
     <TargetFrameworkProfile />
-    <IISExpressSSLPort>
-    </IISExpressSSLPort>
+    <IISExpressSSLPort>443</IISExpressSSLPort>
     <DownloadNuGetExe>true</DownloadNuGetExe>
     <IISExpressAnonymousAuthentication>enabled</IISExpressAnonymousAuthentication>
     <IISExpressWindowsAuthentication>disabled</IISExpressWindowsAuthentication>
@@ -117,6 +116,9 @@
     <Reference Include="Microsoft.ApplicationServer.Caching.Core, Version=101.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\WindowsAzure.Caching.1.7.0.0\lib\net35-full\Microsoft.ApplicationServer.Caching.Core.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.AspNet.Identity.Core">
+      <HintPath>..\..\packages\Microsoft.AspNet.Identity.Core.1.0.0-rc1\lib\net45\Microsoft.AspNet.Identity.Core.dll</HintPath>
+    </Reference>
     <Reference Include="Microsoft.Build.Framework" />
     <Reference Include="Microsoft.Build.Utilities.v4.0" />
     <Reference Include="Microsoft.Data.Edm, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
@@ -135,6 +137,21 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\Microsoft.Data.Services.Client.5.5.0\lib\net40\Microsoft.Data.Services.Client.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Owin">
+      <HintPath>..\..\packages\Microsoft.Owin.2.0.0-rc1\lib\net45\Microsoft.Owin.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Diagnostics">
+      <HintPath>..\..\packages\Microsoft.Owin.Diagnostics.2.0.0-rc1\lib\net40\Microsoft.Owin.Diagnostics.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Host.SystemWeb">
+      <HintPath>..\..\packages\Microsoft.Owin.Host.SystemWeb.2.0.0-rc1\lib\net45\Microsoft.Owin.Host.SystemWeb.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security">
+      <HintPath>..\..\packages\Microsoft.Owin.Security.2.0.0-rc1\lib\net45\Microsoft.Owin.Security.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security.Cookies">
+      <HintPath>..\..\packages\Microsoft.Owin.Security.Cookies.2.0.0-rc1\lib\net45\Microsoft.Owin.Security.Cookies.dll</HintPath>
+    </Reference>
     <Reference Include="Microsoft.Web.DistributedCache, Version=101.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\WindowsAzure.Caching.1.7.0.0\lib\net35-full\Microsoft.Web.DistributedCache.dll</HintPath>
     </Reference>
@@ -186,6 +203,9 @@
     <Reference Include="ODataNullPropagationVisitor">
       <HintPath>..\..\packages\ODataNullPropagationVisitor.0.5.4237.2641\lib\net40\ODataNullPropagationVisitor.dll</HintPath>
     </Reference>
+    <Reference Include="Owin">
+      <HintPath>..\..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
+    </Reference>
     <Reference Include="PoliteCaptcha, Version=0.4.0.0, Culture=neutral, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\PoliteCaptcha.0.4.0.0\lib\net40\PoliteCaptcha.dll</HintPath>
@@ -290,11 +310,21 @@
     <Compile Include="ApiController.generated.cs">
       <DependentUpon>T4MVC.tt</DependentUpon>
     </Compile>
+    <Compile Include="App_Start\OwinStartup.cs" />
     <Compile Include="Areas\Admin\DynamicData\OrderedFieldGenerator.cs" />
     <Compile Include="Areas\Admin\Controllers\LuceneController.cs" />
     <Compile Include="Areas\Admin\Models\LuceneInfoModel.cs" />
     <Compile Include="Areas\Admin\Controllers\ConfigController.cs" />
     <Compile Include="Areas\Admin\ViewModels\ConfigViewModel.cs" />
+    <Compile Include="Authentication\ApiKeyAuthenticationExtensions.cs" />
+    <Compile Include="Authentication\ApiKeyAuthenticationHandler.cs" />
+    <Compile Include="Authentication\ApiKeyAuthenticationMiddleware.cs" />
+    <Compile Include="Authentication\ApiKeyAuthenticationOptions.cs" />
+    <Compile Include="Authentication\AuthenticatedUser.cs" />
+    <Compile Include="Authentication\AuthenticationService.cs" />
+    <Compile Include="Authentication\AuthenticationTypes.cs" />
+    <Compile Include="Authentication\NuGetClaims.cs" />
+    <Compile Include="Authentication\ForceSslWhenAuthenticatedMiddleware.cs" />
     <Compile Include="Configuration\ConfigurationService.cs" />
     <Compile Include="Configuration\FeatureConfiguration.cs" />
     <Compile Include="Configuration\LuceneIndexLocation.cs" />
@@ -303,6 +333,7 @@
     <Compile Include="Controllers\AppController.cs" />
     <Compile Include="DataServices\NormalizeVersionInterceptor.cs" />
     <Compile Include="DataServices\RewriteBaseUrlMessageInspector.cs" />
+    <Compile Include="Diagnostics\AuthenticationGlimpseTab.cs" />
     <Compile Include="Diagnostics\ConcurrentInMemoryPersistenceStore.cs" />
     <Compile Include="Diagnostics\DiagnosticsService.cs" />
     <Compile Include="Diagnostics\NullDiagnosticsSource.cs" />
@@ -587,7 +618,7 @@
     </Compile>
     <Compile Include="Diagnostics\DiagnosticsNinjectModule.cs" />
     <Compile Include="Diagnostics\GlimpseRuntimePolicy.cs" />
-    <Compile Include="Filters\ApiKeyAuthorizeAttribute.cs" />
+    <Compile Include="Filters\ApiAuthorizeAttribute.cs" />
     <Compile Include="Filters\CacheFilter.cs" />
     <Compile Include="Filters\CompressFilter.cs" />
     <Compile Include="Filters\RequiresAccountConfirmationAttribute.cs" />
@@ -877,7 +908,7 @@
     <Compile Include="Services\LocalFileReference.cs" />
     <Compile Include="Services\NuGetExeDownloaderService.cs" />
     <Compile Include="Services\PackageFileService.cs" />
-    <Compile Include="RequireRemoteHttpsAttribute.cs" />
+    <Compile Include="Filters\RequireSslAttribute.cs" />
     <Compile Include="Services\PackageSearchResults.cs" />
     <Compile Include="Services\AggregateStatsService.cs" />
     <Compile Include="Services\ReportPackageRequest.cs" />
@@ -916,7 +947,6 @@
     <Compile Include="ViewModels\PackageOwnerConfirmationModel.cs" />
     <Compile Include="ViewModels\StatisticsPackagesItemViewModel.cs" />
     <Compile Include="ViewModels\StatisticsPackagesViewModel.cs" />
-    <Compile Include="App_Start\AuthenticationModule.cs" />
     <Compile Include="App_Start\AppActivator.cs" />
     <Compile Include="Controllers\ApiController.cs" />
     <Compile Include="Controllers\JsonApiController.cs" />
@@ -1368,9 +1398,9 @@
     <VisualStudio>
       <FlavorProperties GUID="{349c5851-65df-11da-9384-00065b846f21}">
         <WebProjectProperties>
-          <UseIIS>False</UseIIS>
+          <UseIIS>True</UseIIS>
           <AutoAssignPort>True</AutoAssignPort>
-          <DevelopmentServerPort>8085</DevelopmentServerPort>
+          <DevelopmentServerPort>80</DevelopmentServerPort>
           <DevelopmentServerVPath>/</DevelopmentServerVPath>
           <IISUrl>http://nuget.localtest.me</IISUrl>
           <NTLMAuthentication>False</NTLMAuthentication>
diff --git a/src/NuGetGallery/RouteNames.cs b/src/NuGetGallery/RouteNames.cs
index 299503d661..f167a9d523 100644
--- a/src/NuGetGallery/RouteNames.cs
+++ b/src/NuGetGallery/RouteNames.cs
@@ -48,5 +48,6 @@ public static class RouteName
         public const string LegacyRegister = "LegacyRegister";
         public const string PackageEnableLicenseReport = "EnableLicenseReport";
         public const string PackageDisableLicenseReport = "DisableLicenseReport";
+        public const string OwinRoute = "OwinRoute";
     }
 }
diff --git a/src/NuGetGallery/Services/ContentService.cs b/src/NuGetGallery/Services/ContentService.cs
index 302cafee0d..23de4d1032 100644
--- a/src/NuGetGallery/Services/ContentService.cs
+++ b/src/NuGetGallery/Services/ContentService.cs
@@ -28,7 +28,7 @@ public class ContentService : IContentService
         protected ConcurrentDictionary<string, ContentItem> ContentCache { get { return _contentCache; } }
 
         protected ContentService() {
-            Trace = new NullDiagnosticsSource();
+            Trace = NullDiagnosticsSource.Instance;
         }
         
         public ContentService(IFileStorageService fileStorage, IDiagnosticsService diagnosticsService)
diff --git a/src/NuGetGallery/Services/IReportService.cs b/src/NuGetGallery/Services/IReportService.cs
index f90cc03f49..8816d66bb4 100644
--- a/src/NuGetGallery/Services/IReportService.cs
+++ b/src/NuGetGallery/Services/IReportService.cs
@@ -1,4 +1,5 @@
 
+using System.Diagnostics.CodeAnalysis;
 using System.Threading.Tasks;
 using NuGetGallery.Infrastructure;
 
@@ -8,4 +9,17 @@ public interface IReportService
     {
         Task<StatisticsReport> Load(string name);
     }
+
+    public class NullReportService : IReportService
+    {
+        [SuppressMessage("Microsoft.Security", "CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Justification = "Type is immutable")]
+        public static readonly NullReportService Instance = new NullReportService();
+
+        private NullReportService() { }
+
+        public Task<StatisticsReport> Load(string name)
+        {
+            return Task.FromResult<StatisticsReport>(null);
+        }
+    }
 }
\ No newline at end of file
diff --git a/src/NuGetGallery/Services/IStatisticsService.cs b/src/NuGetGallery/Services/IStatisticsService.cs
index f1bdef2b7a..1d44c5b0ce 100644
--- a/src/NuGetGallery/Services/IStatisticsService.cs
+++ b/src/NuGetGallery/Services/IStatisticsService.cs
@@ -1,6 +1,8 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.Linq;
 using System.Threading.Tasks;
 
 namespace NuGetGallery
@@ -22,4 +24,72 @@ public interface IStatisticsService
         Task<StatisticsPackagesReport> GetPackageDownloadsByVersion(string packageId);
         Task<StatisticsPackagesReport> GetPackageVersionDownloadsByClient(string packageId, string packageVersion);
     }
+
+    public class NullStatisticsService : IStatisticsService
+    {
+        [SuppressMessage("Microsoft.Security", "CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Justification = "Type is immutable")]
+        public static readonly NullStatisticsService Instance = new NullStatisticsService();
+
+        private NullStatisticsService() { }
+
+        public IEnumerable<StatisticsPackagesItemViewModel> DownloadPackagesSummary
+        {
+            get { return Enumerable.Empty<StatisticsPackagesItemViewModel>(); }
+        }
+
+        public IEnumerable<StatisticsPackagesItemViewModel> DownloadPackageVersionsSummary
+        {
+            get { return Enumerable.Empty<StatisticsPackagesItemViewModel>(); }
+        }
+
+        public IEnumerable<StatisticsPackagesItemViewModel> DownloadPackagesAll
+        {
+            get { return Enumerable.Empty<StatisticsPackagesItemViewModel>(); }
+        }
+
+        public IEnumerable<StatisticsPackagesItemViewModel> DownloadPackageVersionsAll
+        {
+            get { return Enumerable.Empty<StatisticsPackagesItemViewModel>(); }
+        }
+
+        public IEnumerable<StatisticsNuGetUsageItem> NuGetClientVersion
+        {
+            get { return Enumerable.Empty<StatisticsNuGetUsageItem>(); }
+        }
+
+        public IEnumerable<StatisticsMonthlyUsageItem> Last6Months
+        {
+            get { return Enumerable.Empty<StatisticsMonthlyUsageItem>(); }
+        }
+
+        public Task<StatisticsReportResult> LoadDownloadPackages()
+        {
+            return Task.FromResult(StatisticsReportResult.Failed);
+        }
+
+        public Task<StatisticsReportResult> LoadDownloadPackageVersions()
+        {
+            return Task.FromResult(StatisticsReportResult.Failed);
+        }
+
+        public Task<StatisticsReportResult> LoadNuGetClientVersion()
+        {
+            return Task.FromResult(StatisticsReportResult.Failed);
+        }
+
+        public Task<StatisticsReportResult> LoadLast6Months()
+        {
+            return Task.FromResult(StatisticsReportResult.Failed);
+        }
+
+        public Task<StatisticsPackagesReport> GetPackageDownloadsByVersion(string packageId)
+        {
+            return Task.FromResult(new StatisticsPackagesReport());
+        }
+
+        public Task<StatisticsPackagesReport> GetPackageVersionDownloadsByClient(string packageId, string packageVersion)
+        {
+            return Task.FromResult(new StatisticsPackagesReport());
+        }
+    }
 }
diff --git a/src/NuGetGallery/Services/IUserService.cs b/src/NuGetGallery/Services/IUserService.cs
index 147a57a576..60b5689b89 100644
--- a/src/NuGetGallery/Services/IUserService.cs
+++ b/src/NuGetGallery/Services/IUserService.cs
@@ -5,13 +5,8 @@ namespace NuGetGallery
 {
     public interface IUserService
     {
-        User Create(string username, string password, string emailAddress);
-
         void UpdateProfile(User user, bool emailAllowed);
 
-        [Obsolete("Use AuthenticateCredential instead")]
-        User FindByApiKey(Guid apiKey);
-
         User FindByEmailAddress(string emailAddress);
 
         IList<User> FindAllByEmailAddress(string emailAddress);
@@ -20,52 +15,8 @@ public interface IUserService
 
         User FindByUsername(string username);
 
-        User FindByUsernameAndPassword(string username, string password);
-
-        User FindByUsernameOrEmailAddressAndPassword(string usernameOrEmail, string password);
-
-        [Obsolete("Use ReplaceCredential instead")]
-        string GenerateApiKey(string username);
-
         bool ConfirmEmailAddress(User user, string token);
 
         void ChangeEmailAddress(User user, string newEmailAddress);
-
-        bool ChangePassword(string username, string oldPassword, string newPassword);
-
-        User GeneratePasswordResetToken(string usernameOrEmail, int tokenExpirationMinutes);
-
-        bool ResetPasswordWithToken(string username, string token, string newPassword);
-
-        /// <summary>
-        /// Gets an authenticated credential, that is it returns a credential IF AND ONLY IF
-        /// one exists with exactly the specified type and value.
-        /// </summary>
-        /// <param name="type">The type of the credential, see <see cref="Constants.CredentialTypes"/></param>
-        /// <param name="value">The value of the credential (such as an OAuth ID, API Key, etc.)</param>
-        /// <returns>
-        /// null if there is no credential matching the request, or a <see cref="Credential"/> 
-        /// object WITH the associated <see cref="User"/> object eagerly loaded if there is 
-        /// a matching credential
-        /// </returns>
-        Credential AuthenticateCredential(string type, string value);
-
-        /// <summary>
-        /// Creates a new credential for the specified user, overwriting the 
-        /// previous credential of the same type, if any. Immediately saves
-        /// changes to the database.
-        /// </summary>
-        /// <param name="userName">The name of the user to create a credential for</param>
-        /// <param name="credential">The credential to create</param>
-        void ReplaceCredential(string userName, Credential credential);
-
-        /// <summary>
-        /// Creates a new credential for the specified user, overwriting the 
-        /// previous credential of the same type, if any. Immediately saves
-        /// changes to the database.
-        /// </summary>
-        /// <param name="user">The user object to create a credential for</param>
-        /// <param name="credential">The credential to create</param>
-        void ReplaceCredential(User user, Credential credential);
     }
 }
\ No newline at end of file
diff --git a/src/NuGetGallery/Services/UserService.cs b/src/NuGetGallery/Services/UserService.cs
index 727e687ffa..b4f382f07f 100644
--- a/src/NuGetGallery/Services/UserService.cs
+++ b/src/NuGetGallery/Services/UserService.cs
@@ -26,55 +26,6 @@ public UserService(
             CredentialRepository = credentialRepository;
         }
 
-        public virtual User Create(
-            string username,
-            string password,
-            string emailAddress)
-        {
-            // TODO: validate input
-            // TODO: consider encrypting email address with a public key, and having the background process that send messages have the private key to decrypt
-
-            var existingUser = FindByUsername(username);
-            if (existingUser != null)
-            {
-                throw new EntityException(Strings.UsernameNotAvailable, username);
-            }
-
-            var existingUsers = FindAllByEmailAddress(emailAddress);
-            if (existingUsers.AnySafe())
-            {
-                throw new EntityException(Strings.EmailAddressBeingUsed, emailAddress);
-            }
-
-            var hashedPassword = Crypto.GenerateSaltedHash(password, Constants.PBKDF2HashAlgorithmId);
-
-            var apiKey = Guid.NewGuid();
-            var newUser = new User(username)
-            {
-                ApiKey = apiKey,
-                EmailAllowed = true,
-                UnconfirmedEmailAddress = emailAddress,
-                EmailConfirmationToken = Crypto.GenerateToken(),
-                HashedPassword = hashedPassword,
-                PasswordHashAlgorithm = Constants.PBKDF2HashAlgorithmId,
-                CreatedUtc = DateTime.UtcNow
-            };
-
-            // Add a credential for the password and the API Key
-            newUser.Credentials.Add(CredentialBuilder.CreateV1ApiKey(apiKey));
-            newUser.Credentials.Add(new Credential(CredentialTypes.Password.Pbkdf2, newUser.HashedPassword));
-
-            if (!Config.ConfirmEmailAddresses)
-            {
-                newUser.ConfirmEmailAddress();
-            }
-
-            UserRepository.InsertOnCommit(newUser);
-            UserRepository.CommitChanges();
-
-            return newUser;
-        }
-
         public void UpdateProfile(User user, bool emailAllowed)
         {
             if (user == null)
@@ -86,12 +37,6 @@ public void UpdateProfile(User user, bool emailAllowed)
             UserRepository.CommitChanges();
         }
 
-        [Obsolete("Use AuthenticateCredential instead")]
-        public User FindByApiKey(Guid apiKey)
-        {
-            return UserRepository.GetAll().SingleOrDefault(u => u.ApiKey == apiKey);
-        }
-
         public virtual User FindByEmailAddress(string emailAddress)
         {
             var allMatches = UserRepository.GetAll()
@@ -134,35 +79,6 @@ public virtual User FindByUsername(string username)
                 .SingleOrDefault(u => u.Username == username);
         }
 
-        public virtual User FindByUsernameAndPassword(string username, string password)
-        {
-            var user = FindByUsername(username);
-
-            return AuthenticatePassword(password, user);
-        }
-
-        public virtual User FindByUsernameOrEmailAddressAndPassword(string usernameOrEmail, string password)
-        {
-            var user = FindByUsername(usernameOrEmail) ?? FindByEmailAddress(usernameOrEmail);
-
-            return AuthenticatePassword(password, user);
-        }
-
-        [Obsolete("Use ReplaceCredential instead")]
-        public string GenerateApiKey(string username)
-        {
-            var user = FindByUsername(username);
-            if (user == null)
-            {
-                return null;
-            }
-
-            var newApiKey = Guid.NewGuid();
-            user.ApiKey = newApiKey;
-            UserRepository.CommitChanges();
-            return newApiKey.ToString();
-        }
-
         public void ChangeEmailAddress(User user, string newEmailAddress)
         {
             var existingUsers = FindAllByEmailAddress(newEmailAddress);
@@ -175,21 +91,6 @@ public void ChangeEmailAddress(User user, string newEmailAddress)
             UserRepository.CommitChanges();
         }
 
-        public bool ChangePassword(string username, string oldPassword, string newPassword)
-        {
-            // Review: If the old password is hashed using something other than PBKDF2, we end up making an extra db call that changes the old hash password.
-            // This operation is rare enough that I'm not inclined to change it.
-            var user = FindByUsernameAndPassword(username, oldPassword);
-            if (user == null)
-            {
-                return false;
-            }
-
-            ChangePasswordInternal(user, newPassword);
-            UserRepository.CommitChanges();
-            return true;
-        }
-
         public bool ConfirmEmailAddress(User user, string token)
         {
             if (user == null)
@@ -218,201 +119,5 @@ public bool ConfirmEmailAddress(User user, string token)
             UserRepository.CommitChanges();
             return true;
         }
-
-        public virtual User GeneratePasswordResetToken(string usernameOrEmail, int tokenExpirationMinutes)
-        {
-            if (String.IsNullOrEmpty(usernameOrEmail))
-            {
-                throw new ArgumentNullException("usernameOrEmail");
-            }
-            if (tokenExpirationMinutes < 1)
-            {
-                throw new ArgumentException(
-                    "Token expiration should give the user at least a minute to change their password", "tokenExpirationMinutes");
-            }
-
-            var user = FindByEmailAddress(usernameOrEmail);
-            if (user == null)
-            {
-                return null;
-            }
-
-            if (!user.Confirmed)
-            {
-                throw new InvalidOperationException(Strings.UserIsNotYetConfirmed);
-            }
-
-            if (!String.IsNullOrEmpty(user.PasswordResetToken) && !user.PasswordResetTokenExpirationDate.IsInThePast())
-            {
-                return user;
-            }
-
-            user.PasswordResetToken = Crypto.GenerateToken();
-            user.PasswordResetTokenExpirationDate = DateTime.UtcNow.AddMinutes(tokenExpirationMinutes);
-
-            UserRepository.CommitChanges();
-            return user;
-        }
-
-        public bool ResetPasswordWithToken(string username, string token, string newPassword)
-        {
-            if (String.IsNullOrEmpty(newPassword))
-            {
-                throw new ArgumentNullException("newPassword");
-            }
-
-            var user = FindByUsername(username);
-
-            if (user != null && user.PasswordResetToken == token && !user.PasswordResetTokenExpirationDate.IsInThePast())
-            {
-                if (!user.Confirmed)
-                {
-                    throw new InvalidOperationException(Strings.UserIsNotYetConfirmed);
-                }
-
-                ChangePasswordInternal(user, newPassword);
-                user.PasswordResetToken = null;
-                user.PasswordResetTokenExpirationDate = null;
-                UserRepository.CommitChanges();
-                return true;
-            }
-
-            return false;
-        }
-
-        public Credential AuthenticateCredential(string type, string value)
-        {
-            // Search for the cred
-            return CredentialRepository
-                .GetAll()
-                .Include(c => c.User)
-                .SingleOrDefault(c => c.Type == type && c.Value == value);
-        }
-
-        public void ReplaceCredential(string userName, Credential credential)
-        {
-            var user = UserRepository
-                .GetAll()
-                .Include(u => u.Credentials)
-                .SingleOrDefault(u => u.Username == userName);
-            if (user == null)
-            {
-                throw new InvalidOperationException(Strings.UserNotFound);
-            }
-            ReplaceCredential(user, credential);
-        }
-
-        public void ReplaceCredential(User user, Credential credential)
-        {
-            ReplaceCredentialInternal(user, credential);
-            UserRepository.CommitChanges();
-        }
-
-        private User AuthenticatePassword(string password, User user)
-        {
-            if (user == null)
-            {
-                return null;
-            }
-
-            // Check for a credential
-            var creds = user.Credentials
-                .Where(c => c.Type.StartsWith(
-                    CredentialTypes.Password.Prefix,
-                    StringComparison.OrdinalIgnoreCase)).ToList();
-
-            bool valid;
-            if (creds.Count > 0)
-            {
-                valid = ValidatePasswordCredential(creds, password);
-
-                if (valid && 
-                    (creds.Count > 1 || 
-                        !creds.Any(c => String.Equals(
-                            c.Type, 
-                            CredentialTypes.Password.Pbkdf2, 
-                            StringComparison.OrdinalIgnoreCase))))
-                {
-                    MigrateCredentials(user, creds, password);
-                }
-            }
-            else
-            {
-                valid = Crypto.ValidateSaltedHash(
-                    user.HashedPassword,
-                    password,
-                    user.PasswordHashAlgorithm);
-            }
-
-            return valid ? user : null;
-        }
-
-        private void MigrateCredentials(User user, List<Credential> creds, string password)
-        {
-            var toRemove = creds.Where(c => 
-                !String.Equals(
-                    c.Type, 
-                    CredentialTypes.Password.Pbkdf2, 
-                    StringComparison.OrdinalIgnoreCase))
-                .ToList();
-
-            // Remove any non PBKDF2 credentials
-            foreach (var cred in toRemove)
-            {
-                creds.Remove(cred);
-                user.Credentials.Remove(cred); 
-            }
-
-            // Now add one if there are no credentials left
-            if (creds.Count == 0)
-            {
-                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password(password));
-            }
-
-            // Save changes, if any
-            UserRepository.CommitChanges();
-        }
-
-        private static bool ValidatePasswordCredential(IEnumerable<Credential> creds, string password)
-        {
-            return creds.Any(c => ValidatePasswordCredential(c, password));
-        }
-
-        private static readonly Dictionary<string, Func<string, Credential, bool>> _validators = new Dictionary<string, Func<string, Credential, bool>>(StringComparer.OrdinalIgnoreCase) {
-            { CredentialTypes.Password.Pbkdf2, (password, cred) => Crypto.ValidateSaltedHash(cred.Value, password, Constants.PBKDF2HashAlgorithmId) },
-            { CredentialTypes.Password.Sha1, (password, cred) => Crypto.ValidateSaltedHash(cred.Value, password, Constants.Sha1HashAlgorithmId) }
-        };
-        private static bool ValidatePasswordCredential(Credential cred, string password)
-        {
-            Func<string, Credential, bool> validator;
-            if (!_validators.TryGetValue(cred.Type, out validator))
-            {
-                return false;
-            }
-            return validator(password, cred);
-        }
-
-        private void ChangePasswordInternal(User user, string newPassword)
-        {
-            var cred = CredentialBuilder.CreatePbkdf2Password(newPassword);
-            user.PasswordHashAlgorithm = Constants.PBKDF2HashAlgorithmId;
-            user.HashedPassword = cred.Value;
-            ReplaceCredentialInternal(user, cred);
-        }
-
-        private void ReplaceCredentialInternal(User user, Credential credential)
-        {
-            // Find the credentials we're replacing, if any
-            var creds = user.Credentials
-                .Where(cred => cred.Type == credential.Type)
-                .ToList();
-            foreach (var cred in creds)
-            {
-                user.Credentials.Remove(cred);
-                CredentialRepository.DeleteOnCommit(cred);
-            }
-
-            user.Credentials.Add(credential);
-        }
     }
 }
diff --git a/src/NuGetGallery/Strings.Designer.cs b/src/NuGetGallery/Strings.Designer.cs
index c3627b7e59..7e42a1e890 100644
--- a/src/NuGetGallery/Strings.Designer.cs
+++ b/src/NuGetGallery/Strings.Designer.cs
@@ -1,7 +1,7 @@
 //------------------------------------------------------------------------------
 // <auto-generated>
 //     This code was generated by a tool.
-//     Runtime Version:4.0.30319.18052
+//     Runtime Version:4.0.30319.34003
 //
 //     Changes to this file may cause incorrect behavior and will be lost if
 //     the code is regenerated.
@@ -61,7 +61,7 @@ internal Strings() {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to The specified API key does not provide the authority to {0} packages..
+        ///   Looks up a localized string similar to The specified API key is invalid or does not have permission to access the specified package..
         /// </summary>
         public static string ApiKeyNotAuthorized {
             get {
@@ -69,6 +69,15 @@ public static string ApiKeyNotAuthorized {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to An API key must be provided in the &apos;X-NuGet-ApiKey&apos; header to use this service.
+        /// </summary>
+        public static string ApiKeyRequired {
+            get {
+                return ResourceManager.GetString("ApiKeyRequired", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to You must confirm the email address for the account in order to use the API key..
         /// </summary>
@@ -123,6 +132,15 @@ public static string InvalidApiKey {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Multiple Credentials match &apos;{0}&apos; credential with Key {1}.
+        /// </summary>
+        public static string MultipleMatchingCredentials {
+            get {
+                return ResourceManager.GetString("MultipleMatchingCredentials", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to A nuget package&apos;s {0} property may not be more than {1} characters long..
         /// </summary>
@@ -186,6 +204,15 @@ public static string ParameterCannotBeNullOrEmpty {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Password credentials cannot be used with Authenticate(Credential). Use Authenticate(string, string) instead..
+        /// </summary>
+        public static string PasswordCredentialsCannotBeUsedHere {
+            get {
+                return ResourceManager.GetString("PasswordCredentialsCannotBeUsedHere", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to The requested resource can only be accessed via SSL..
         /// </summary>
@@ -204,6 +231,15 @@ public static string SuccessfullyUploadedPackage {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to User is not authorized.
+        /// </summary>
+        public static string Unauthorized {
+            get {
+                return ResourceManager.GetString("Unauthorized", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to A package file is required..
         /// </summary>
@@ -232,7 +268,7 @@ public static string UserIsNotYetConfirmed {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to A user with the provided user name and password does not exist. Try logging on with your username if you were using an email address to log on..
+        ///   Looks up a localized string similar to A unique user with that username or email address and password does not exist. Try logging on with your username if you were using an email address to log on..
         /// </summary>
         public static string UsernameAndPasswordNotFound {
             get {
diff --git a/src/NuGetGallery/Strings.resx b/src/NuGetGallery/Strings.resx
index 1a78062a04..0cb76301fd 100644
--- a/src/NuGetGallery/Strings.resx
+++ b/src/NuGetGallery/Strings.resx
@@ -136,7 +136,7 @@
     <value>A nuget package's {0} property may not be more than {1} characters long.</value>
   </data>
   <data name="ApiKeyNotAuthorized" xml:space="preserve">
-    <value>The specified API key does not provide the authority to {0} packages.</value>
+    <value>The specified API key is invalid or does not have permission to access the specified package.</value>
   </data>
   <data name="PackageExistsAndCannotBeModified" xml:space="preserve">
     <value>A package with id '{0}' and version '{1}' already exists and cannot be modified.</value>
@@ -183,4 +183,16 @@
   <data name="ApiKeyUserAccountIsUnconfirmed" xml:space="preserve">
     <value>You must confirm the email address for the account in order to use the API key.</value>
   </data>
-</root>
+  <data name="MultipleMatchingCredentials" xml:space="preserve">
+    <value>Multiple Credentials match '{0}' credential with Key {1}</value>
+  </data>
+  <data name="PasswordCredentialsCannotBeUsedHere" xml:space="preserve">
+    <value>Password credentials cannot be used with Authenticate(Credential). Use Authenticate(string, string) instead.</value>
+  </data>
+  <data name="ApiKeyRequired" xml:space="preserve">
+    <value>An API key must be provided in the 'X-NuGet-ApiKey' header to use this service</value>
+  </data>
+  <data name="Unauthorized" xml:space="preserve">
+    <value>User is not authorized</value>
+  </data>
+</root>
\ No newline at end of file
diff --git a/src/NuGetGallery/ViewModels/StatisticsPackagesReport.cs b/src/NuGetGallery/ViewModels/StatisticsPackagesReport.cs
index e15485985b..1c8a92878a 100644
--- a/src/NuGetGallery/ViewModels/StatisticsPackagesReport.cs
+++ b/src/NuGetGallery/ViewModels/StatisticsPackagesReport.cs
@@ -1,18 +1,16 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
 
 namespace NuGetGallery
 {
     public class StatisticsPackagesReport
     {
-        private List<StatisticsPackagesItemViewModel> _rows = new List<StatisticsPackagesItemViewModel>();
-        private List<StatisticsDimension> _dimensions = new List<StatisticsDimension>();
-
-        public IList<StatisticsPackagesItemViewModel> Rows { get { return _rows; } }
+        public IList<StatisticsPackagesItemViewModel> Rows { get; private set; }
         public string Total { get; set; }
 
-        public IList<StatisticsDimension> Dimensions { get { return _dimensions; } }
+        public IList<StatisticsDimension> Dimensions { get; private set; }
         public IList<StatisticsFact> Facts { get; set; }
 
         public ICollection<StatisticsPivot.TableEntry[]> Table { get; set; }
@@ -21,5 +19,16 @@ public class StatisticsPackagesReport
         public DateTime? LastUpdatedUtc { get; set; }
 
         public string Id { get; set; }
+
+        public StatisticsPackagesReport()
+        {
+            Total = String.Empty;
+            Id = String.Empty;
+            Columns = Enumerable.Empty<string>();
+            Facts = new List<StatisticsFact>();
+            Table = new List<StatisticsPivot.TableEntry[]>();
+            Rows = new List<StatisticsPackagesItemViewModel>();
+            Dimensions = new List<StatisticsDimension>();
+        }
     }
 }
\ No newline at end of file
diff --git a/src/NuGetGallery/Web.config b/src/NuGetGallery/Web.config
index f8c2f11076..f6b296a77a 100644
--- a/src/NuGetGallery/Web.config
+++ b/src/NuGetGallery/Web.config
@@ -39,10 +39,6 @@
 
         <!-- Use these settings for local non-SSL testing -->
         <add key="Gallery.RequireSSL" value="false" />
-        <!-- Use these settings for local SSL testing (configure it in VS first) -->
-        <!--<add key="Gallery.Require" value="true" />
-        <add key="Gallery.SSLPort" value="44300" /> -->
-        <!-- VS usually uses "44300" as the port. If that's taken, it uses "44301", "44302", and so on. -->
         
         <!-- 
             Location for the Lucene Index.
@@ -162,9 +158,6 @@
                 <add assembly="System.Web.WebPages, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
             </assemblies>
         </compilation>
-        <authentication mode="Forms">
-            <forms loginUrl="~/Users/Account/LogOn" timeout="2880" />
-        </authentication>
         <pages controlRenderingCompatibilityVersion="4.0">
             <namespaces>
                 <add namespace="System.Web.Helpers" />
diff --git a/src/NuGetGallery/packages.config b/src/NuGetGallery/packages.config
index 89ff48d77c..71cdf3b0fc 100644
--- a/src/NuGetGallery/packages.config
+++ b/src/NuGetGallery/packages.config
@@ -21,6 +21,7 @@
   <package id="knockoutjs" version="2.2.1" targetFramework="net45" />
   <package id="Lucene.Net" version="3.0.3" targetFramework="net45" />
   <package id="MarkdownSharp" version="1.13.0.0" targetFramework="net45" />
+  <package id="Microsoft.AspNet.Identity.Core" version="1.0.0-rc1" targetFramework="net45" />
   <package id="Microsoft.AspNet.Mvc" version="4.0.20710.0" targetFramework="net40" />
   <package id="Microsoft.AspNet.Razor" version="2.0.20715.0" targetFramework="net40" />
   <package id="Microsoft.AspNet.Web.Helpers.Mvc" version="2.0.20710.0" targetFramework="net40" />
@@ -31,6 +32,11 @@
   <package id="Microsoft.Data.Services" version="5.5.0" targetFramework="net45" />
   <package id="Microsoft.Data.Services.Client" version="5.5.0" targetFramework="net45" />
   <package id="Microsoft.jQuery.Unobtrusive.Validation" version="2.0.30116.0" targetFramework="net45" />
+  <package id="Microsoft.Owin" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Diagnostics" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Host.SystemWeb" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security.Cookies" version="2.0.0-rc1" targetFramework="net45" />
   <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
   <package id="Microsoft.Web.Xdt" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.WindowsAzure.ConfigurationManager" version="2.0.1.0" targetFramework="net45" />
@@ -43,6 +49,7 @@
   <package id="Ninject.Web.Common" version="3.0.0.7" targetFramework="net45" />
   <package id="NuGet.Core" version="2.7.0" targetFramework="net45" />
   <package id="ODataNullPropagationVisitor" version="0.5.4237.2641" />
+  <package id="Owin" version="1.0" targetFramework="net45" />
   <package id="PoliteCaptcha" version="0.4.0.0" targetFramework="net45" />
   <package id="QueryInterceptor" version="0.1.4237.2400" />
   <package id="recaptcha" version="1.0.5.0" targetFramework="net45" />
diff --git a/tests/NuGetGallery.Facts/Authentication/ApiKeyAuthenticationHandlerFacts.cs b/tests/NuGetGallery.Facts/Authentication/ApiKeyAuthenticationHandlerFacts.cs
new file mode 100644
index 0000000000..f9f6886394
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Authentication/ApiKeyAuthenticationHandlerFacts.cs
@@ -0,0 +1,294 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Reflection;
+using System.Security.Claims;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Infrastructure;
+using Moq;
+using NuGetGallery.Framework;
+using Xunit;
+using Xunit.Extensions;
+
+namespace NuGetGallery.Authentication
+{
+    public class ApiKeyAuthenticationHandlerFacts
+    {
+        public class TheGetChallengeMessageMethod
+        {
+            [Fact]
+            public async Task GivenANon401ResponseInActiveMode_ItReturnsNull()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    AuthenticationMode = AuthenticationMode.Active
+                });
+                handler.OwinContext.Response.StatusCode = 200;
+
+                // Act
+                var message = handler.GetChallengeMessage();
+
+                // Assert
+                Assert.Null(message);
+            }
+
+            [Fact]
+            public async Task GivenA401ResponseInPassiveModeWithoutMatchingAuthenticationType_ItReturnsNull()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    AuthenticationMode = AuthenticationMode.Passive,
+                    AuthenticationType = "blarg"
+                });
+                handler.OwinContext.Response.StatusCode = 401;
+                handler.OwinContext.Authentication.AuthenticationResponseChallenge = 
+                    new AuthenticationResponseChallenge(new [] { "flarg" }, new AuthenticationProperties());
+
+                // Act
+                var message = handler.GetChallengeMessage();
+
+                // Assert
+                Assert.Null(message);
+            }
+
+            [Fact]
+            public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndNoHeader_ItReturnsApiKeyRequired()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    AuthenticationMode = AuthenticationMode.Passive,
+                    AuthenticationType = "blarg"
+                });
+                handler.OwinContext.Response.StatusCode = 401;
+                handler.OwinContext.Authentication.AuthenticationResponseChallenge = 
+                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
+                
+                // Act
+                var message = handler.GetChallengeMessage();
+
+                // Assert
+                Assert.Equal(Strings.ApiKeyRequired, message);
+            }
+
+            [Fact]
+            public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndHeader_ItReturnsApiKeyNotAuthorized()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    AuthenticationMode = AuthenticationMode.Passive,
+                    AuthenticationType = "blarg"
+                });
+                handler.OwinContext.Response.StatusCode = 401;
+                handler.OwinContext.Authentication.AuthenticationResponseChallenge = 
+                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
+                handler.OwinContext.Request.Headers[Constants.ApiKeyHeaderName] = "woozle wuzzle";
+
+                // Act
+                var message = handler.GetChallengeMessage();
+
+                // Assert
+                Assert.Equal(Strings.ApiKeyNotAuthorized, message);
+            }
+
+            [Fact]
+            public async Task GivenA401ResponseInActiveModeAndNoHeader_ItReturnsApiKeyRequired()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    AuthenticationMode = AuthenticationMode.Active,
+                    AuthenticationType = "blarg"
+                });
+                handler.OwinContext.Response.StatusCode = 401;
+                handler.OwinContext.Authentication.AuthenticationResponseChallenge = 
+                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
+
+                // Act
+                var message = handler.GetChallengeMessage();
+
+                // Assert
+                Assert.Equal(Strings.ApiKeyRequired, message);
+            }
+
+            [Fact]
+            public async Task GivenA401ResponseInActiveModeAndHeader_ItReturnsApiKeyNotAuthorized()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    AuthenticationMode = AuthenticationMode.Active,
+                    AuthenticationType = "blarg"
+                });
+                handler.OwinContext.Response.StatusCode = 401;
+                handler.OwinContext.Authentication.AuthenticationResponseChallenge = 
+                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
+                handler.OwinContext.Request.Headers[Constants.ApiKeyHeaderName] = "woozle wuzzle";
+
+                // Act
+                var message = handler.GetChallengeMessage();
+
+                // Assert
+                Assert.Equal(Strings.ApiKeyNotAuthorized, message);
+            }
+        }
+
+        public class TheAuthenticateCoreAsyncMethod
+        {
+            [Fact]
+            public async Task GivenANonMatchingPath_ItReturnsNull()
+            {
+                // Arrange
+                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    RootPath = "/api"
+                });
+                handler.OwinContext.Request.Path = "/packages";
+                
+                // Act
+                var ticket = await handler.InvokeAuthenticateCoreAsync();
+                
+                // Assert
+                Assert.Null(ticket);
+            }
+
+            [Fact]
+            public async Task GivenNoApiKeyHeader_ItReturnsNull()
+            {
+                // Arrange
+                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    RootPath = "/api"
+                });
+                handler.OwinContext.Request.Path = "/api/v2/packages";
+                
+                // Act
+                var ticket = await handler.InvokeAuthenticateCoreAsync();
+
+                // Assert
+                Assert.Null(ticket);
+            }
+
+            [Fact]
+            public async Task GivenNoUserMatchingApiKey_ItReturnsNull()
+            {
+                // Arrange
+                Guid apiKey = Guid.NewGuid();
+                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    RootPath = "/api"
+                });
+                handler.OwinContext.Request.Path = "/api/v2/packages";
+                handler.OwinContext.Request.Headers.Set(
+                    Constants.ApiKeyHeaderName, 
+                    apiKey.ToString().ToLowerInvariant());
+
+                // Act
+                var ticket = await handler.InvokeAuthenticateCoreAsync();
+
+                // Assert
+                Assert.Null(ticket);
+            }
+
+            [Fact]
+            public async Task GivenMatchingApiKey_ItReturnsTicketWithUserNameAndRoles()
+            {
+                // Arrange
+                Guid apiKey = Guid.NewGuid();
+                var user = new User() { Username = "theUser", EmailAddress = "confirmed@example.com" };
+                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    RootPath = "/api"
+                });
+                handler.OwinContext.Request.Path = "/api/v2/packages";
+                handler.OwinContext.Request.Headers.Set(
+                    Constants.ApiKeyHeaderName,
+                    apiKey.ToString().ToLowerInvariant());
+                handler.MockAuth.SetupAuth(CredentialBuilder.CreateV1ApiKey(apiKey), user);
+
+                // Act
+                var ticket = await handler.InvokeAuthenticateCoreAsync();
+
+                // Assert
+                Assert.NotNull(ticket);
+                Assert.Equal(apiKey.ToString().ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
+            }
+
+            [Fact]
+            public async Task GivenMatchingApiKey_ItSetsUserInOwinEnvironment()
+            {
+                // Arrange
+                Guid apiKey = Guid.NewGuid();
+                var user = new User() { Username = "theUser", EmailAddress = "confirmed@example.com" };
+                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
+                {
+                    RootPath = "/api"
+                });
+                handler.OwinContext.Request.Path = "/api/v2/packages";
+                handler.OwinContext.Request.Headers.Set(
+                    Constants.ApiKeyHeaderName,
+                    apiKey.ToString().ToLowerInvariant());
+                handler.MockAuth.SetupAuth(CredentialBuilder.CreateV1ApiKey(apiKey), user);
+
+                // Act
+                await handler.InvokeAuthenticateCoreAsync();
+
+                // Assert
+                var authUser = Assert.IsType<AuthenticatedUser>(
+                    handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);
+                Assert.Same(user, authUser.User);
+            }
+        }
+
+        // Why a TestableNNN class? Because we need to access protected members.
+        public class TestableApiKeyAuthenticationHandler : ApiKeyAuthenticationHandler
+        {
+            public Mock<AuthenticationService> MockAuth { get; private set; }
+            public Mock<ILogger> MockLogger { get; private set; }
+            public IOwinContext OwinContext { get { return base.Context; } }
+
+            private TestableApiKeyAuthenticationHandler()
+            {
+                Logger = (MockLogger = new Mock<ILogger>()).Object;
+                Auth = (MockAuth = new Mock<AuthenticationService>()).Object;
+            }
+
+            public static Task<TestableApiKeyAuthenticationHandler> CreateAsync()
+            {
+                return CreateAsync(new ApiKeyAuthenticationOptions());
+            }
+
+            public static async Task<TestableApiKeyAuthenticationHandler> CreateAsync(ApiKeyAuthenticationOptions options)
+            {
+                // Always use passive mode for tests
+                options.AuthenticationMode = AuthenticationMode.Passive;
+
+                var handler = new TestableApiKeyAuthenticationHandler();
+
+                var ctxt = Fakes.CreateOwinContext();
+
+                // Grr, have to make an internal call to initialize...
+                await (Task)(typeof(AuthenticationHandler<ApiKeyAuthenticationOptions>)
+                    .InvokeMember(
+                        "Initialize",
+                        BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.InvokeMethod,
+                        Type.DefaultBinder,
+                        handler,
+                        new object[] { options, ctxt }));
+                return handler;
+            }
+
+            public Task<AuthenticationTicket> InvokeAuthenticateCoreAsync()
+            {
+                return AuthenticateCoreAsync();
+            }
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs b/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
new file mode 100644
index 0000000000..0ac72ab217
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
@@ -0,0 +1,730 @@
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Linq;
+using System.Security.Claims;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Moq;
+using NuGetGallery.Configuration;
+using NuGetGallery.Framework;
+using Xunit;
+
+namespace NuGetGallery.Authentication
+{
+    public class AuthenticationServiceFacts
+    {
+        public static bool VerifyPasswordHash(string hash, string algorithm, string password)
+        {
+            bool canAuthenticate = CryptographyService.ValidateSaltedHash(
+                hash,
+                password,
+                algorithm);
+
+            bool sanity = CryptographyService.ValidateSaltedHash(
+                hash,
+                "not_the_password",
+                algorithm);
+
+            return canAuthenticate && !sanity;
+        }
+
+        public class TheAuthenticateMethod : TestContainer
+        {
+            [Fact]
+            public void GivenNoUserWithName_ItReturnsNull()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+
+                // Act
+                var result = service.Authenticate("notARealUser", "password");
+
+                // Assert
+                Assert.Null(result);
+            }
+
+            [Fact]
+            public void GivenUserNameDoesNotMatchPassword_ItReturnsNull()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+
+                // Act
+                var result = service.Authenticate(Fakes.User.Username, "bogus password!!");
+
+                // Assert
+                Assert.Null(result);
+            }
+
+            [Fact]
+            public void GivenUserNameWithMatchingPasswordCredential_ItReturnsAuthenticatedUser()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+
+                // Act
+                var result = service.Authenticate(Fakes.User.Username, Fakes.Password);
+
+                // Assert
+                var expectedCred = Fakes.User.Credentials.SingleOrDefault(
+                    c => String.Equals(c.Type, CredentialTypes.Password.Pbkdf2, StringComparison.OrdinalIgnoreCase));
+                Assert.NotNull(result);
+                Assert.Same(Fakes.User, result.User);
+                Assert.Same(expectedCred, result.CredentialUsed);
+            }
+
+            // We don't normally test exception conditions, but it's really important that
+            // this overload is NOT used for Passwords since every call to generate a Password Credential
+            // uses a new Salt and thus produces a value that cannot be looked up in the DB. Instead,
+            // we must look up the user and then verify the salted password hash.
+            [Fact]
+            public void GivenPasswordCredential_ItThrowsArgumentException()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var cred = CredentialBuilder.CreatePbkdf2Password("bogus");
+
+                // Act
+                var ex = Assert.Throws<ArgumentException>(() =>
+                    service.Authenticate(cred));
+
+                // Assert
+                Assert.Equal(Strings.PasswordCredentialsCannotBeUsedHere + Environment.NewLine + "Parameter name: credential", ex.Message);
+                Assert.Equal("credential", ex.ParamName);
+            }
+
+            [Fact]
+            public void GivenInvalidApiKeyCredential_ItReturnsNull()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+
+                // Act
+                var result = service.Authenticate(CredentialBuilder.CreateV1ApiKey());
+
+                // Assert
+                Assert.Null(result);
+            }
+
+            [Fact]
+            public void GivenMatchingApiKeyCredential_ItReturnsTheUserAndMatchingCredential()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var cred = Fakes.User.Credentials.Single(
+                    c => String.Equals(c.Type, CredentialTypes.ApiKeyV1, StringComparison.OrdinalIgnoreCase));
+                
+                // Act
+                // Create a new credential to verify that it's a value-based lookup!
+                var result = service.Authenticate(CredentialBuilder.CreateV1ApiKey(Guid.Parse(cred.Value)));
+
+                // Assert
+                Assert.NotNull(result);
+                Assert.Same(Fakes.User, result.User);
+                Assert.Same(cred, result.CredentialUsed);
+            }
+
+            [Fact]
+            public void GivenMultipleMatchingCredentials_ItThrows()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var entities = Get<IEntitiesContext>();
+                var cred = CredentialBuilder.CreateV1ApiKey();
+                cred.Key = 42;
+                var creds = entities.Set<Credential>();
+                creds.Add(cred);
+                creds.Add(CredentialBuilder.CreateV1ApiKey(Guid.Parse(cred.Value)));
+
+                // Act
+                var ex = Assert.Throws<InvalidOperationException>(() => service.Authenticate(CredentialBuilder.CreateV1ApiKey(Guid.Parse(cred.Value))));
+
+                // Assert
+                Assert.Equal(String.Format(
+                    CultureInfo.CurrentCulture,
+                    Strings.MultipleMatchingCredentials,
+                    cred.Type,
+                    cred.Key), ex.Message);
+            }
+
+            [Fact]
+            public void GivenOnlyASHA1PasswordItAuthenticatesUserAndReplacesItWithAPBKDF2Password()
+            {
+                var user = Fakes.CreateUser("tempUser", CredentialBuilder.CreateSha1Password("thePassword"));
+                var service = Get<AuthenticationService>();
+                service.Entities.Users.Add(user);
+
+                var foundByUserName = service.Authenticate("tempUser", "thePassword");
+
+                var cred = foundByUserName.User.Credentials.Single();
+                Assert.Same(user, foundByUserName.User);
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
+                Assert.True(CryptographyService.ValidateSaltedHash(cred.Value, "thePassword", Constants.PBKDF2HashAlgorithmId));
+                service.Entities.VerifyCommitChanges();
+            }
+
+            [Fact]
+            public void GivenASHA1AndAPBKDF2PasswordItAuthenticatesUserAndRemovesTheSHA1Password()
+            {
+                var user = Fakes.CreateUser("tempUser", 
+                    CredentialBuilder.CreateSha1Password("thePassword"),
+                    CredentialBuilder.CreatePbkdf2Password("thePassword"));
+                var service = Get<AuthenticationService>();
+                service.Entities.Users.Add(user);
+
+                var foundByUserName = service.Authenticate("tempUser", "thePassword");
+
+                var cred = foundByUserName.User.Credentials.Single();
+                Assert.Same(user, foundByUserName.User);
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
+                Assert.True(CryptographyService.ValidateSaltedHash(cred.Value, "thePassword", Constants.PBKDF2HashAlgorithmId));
+                service.Entities.VerifyCommitChanges();
+            }
+        }
+
+        public class TheCreateSessionMethod : TestContainer
+        {
+            [Fact]
+            public void GivenAUser_ItCreatesAnOwinAuthenticationTicketForTheUser()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var context = Fakes.CreateOwinContext();
+                
+                var passwordCred = Fakes.Admin.Credentials.SingleOrDefault(
+                    c => String.Equals(c.Type, CredentialTypes.Password.Pbkdf2, StringComparison.OrdinalIgnoreCase));
+
+                var authUser = new AuthenticatedUser(Fakes.Admin, passwordCred);
+
+                // Act
+                service.CreateSession(context, authUser.User, AuthenticationTypes.Password);
+
+                // Assert
+                var principal = context.Authentication.AuthenticationResponseGrant.Principal;
+                var id = principal.Identity;
+                Assert.NotNull(principal);
+                Assert.NotNull(id);
+                Assert.Equal(Fakes.Admin.Username, id.Name);
+                Assert.Equal(Fakes.Admin.Username, principal.GetClaimOrDefault(ClaimTypes.NameIdentifier));
+                Assert.Equal(AuthenticationTypes.Password, id.AuthenticationType);
+                Assert.True(principal.IsInRole(Constants.AdminRoleName));
+            }
+        }
+
+        public class TheChangePasswordMethod : TestContainer
+        {
+            [Fact]
+            public void ReturnsFalseIfUserIsNotFound()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                
+                // Act
+                var changed = service.ChangePassword("totallyNotARealUser", "oldpwd", "newpwd");
+
+                // Assert
+                Assert.False(changed);
+            }
+
+            [Fact]
+            public void ReturnsFalseIfPasswordDoesNotMatchUser_SHA1()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var user = Fakes.CreateUser("tempUser", 
+                    CredentialBuilder.CreateSha1Password("oldpwd"));
+                service.Entities
+                    .Set<User>()
+                    .Add(user);
+
+                // Act
+                var changed = service.ChangePassword(user.Username, "not_the_password", "newpwd");
+
+                // Assert
+                Assert.False(changed);
+            }
+
+            [Fact]
+            public void ReturnsFalseIfPasswordDoesNotMatchUser_PBKDF2()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var user = Fakes.CreateUser("tempUser",
+                    CredentialBuilder.CreatePbkdf2Password("oldpwd"));
+                service.Entities
+                    .Set<User>()
+                    .Add(user);
+
+                // Act
+                var changed = service.ChangePassword(user.Username, "not_the_password", "newpwd");
+
+                // Assert
+                Assert.False(changed);
+            }
+
+            [Fact]
+            public void ReturnsTrueWhenSuccessful()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var user = Fakes.CreateUser(
+                    "tempUser",
+                    CredentialBuilder.CreateSha1Password("oldpwd"));
+                service.Entities
+                    .Set<User>()
+                    .Add(user);
+
+                // Act
+                var changed = service.ChangePassword(user.Username, "oldpwd", "newpwd");
+
+                // Assert
+                Assert.True(changed);
+            }
+
+            [Fact]
+            public void UpdatesThePasswordCredential()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var user = Fakes.CreateUser(
+                    "tempUser",
+                    CredentialBuilder.CreatePbkdf2Password("oldpwd"));
+                service.Entities
+                    .Set<User>()
+                    .Add(user);
+                
+                // Act
+                var changed = service.ChangePassword(user.Username, "oldpwd", "newpwd");
+
+                // Assert
+                var cred = user.Credentials.Single();
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
+                Assert.True(VerifyPasswordHash(cred.Value, Constants.PBKDF2HashAlgorithmId, "newpwd"));
+                service.Entities.VerifyCommitChanges();
+            }
+
+            [Fact]
+            public void MigratesPasswordIfHashAlgorithmIsNotPBKDF2()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                var user = Fakes.CreateUser(
+                    "tempUser",
+                    CredentialBuilder.CreateSha1Password("oldpwd"));
+                service.Entities
+                    .Set<User>()
+                    .Add(user);
+
+                // Act
+                var changed = service.ChangePassword(user.Username, "oldpwd", "newpwd");
+
+                // Assert
+                var cred = user.Credentials.Single(c => c.Type.StartsWith(CredentialTypes.Password.Prefix, StringComparison.OrdinalIgnoreCase));
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
+                Assert.True(VerifyPasswordHash(cred.Value, Constants.PBKDF2HashAlgorithmId, "newpwd"));
+                service.Entities.VerifyCommitChanges();
+            }
+        }
+
+        public class TheRegisterMethod : TestContainer
+        {
+            [Fact]
+            public void WillThrowIfTheUsernameIsAlreadyInUse()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+
+                // Act
+                var ex = Assert.Throws<EntityException>(() =>
+                    auth.Register(
+                        Fakes.User.Username,
+                        "thePassword",
+                        "theEmailAddress"));
+
+                // Assert
+                Assert.Equal(String.Format(Strings.UsernameNotAvailable, Fakes.User.Username), ex.Message);
+            }
+
+            [Fact]
+            public void WillThrowIfTheEmailAddressIsAlreadyInUse()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+
+                // Act
+                var ex = Assert.Throws<EntityException>(
+                    () =>
+                    auth.Register(
+                        "theUsername",
+                        "thePassword",
+                        Fakes.User.EmailAddress));
+                
+                // Assert
+                Assert.Equal(String.Format(Strings.EmailAddressBeingUsed, Fakes.User.EmailAddress), ex.Message);
+            }
+
+            [Fact]
+            public void WillHashThePasswordWithPBKDF2()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+
+                // Act
+                var authUser = auth.Register(
+                    "aNewUser",
+                    "thePassword",
+                    "theEmailAddress");
+
+                // Assert
+                Credential matched;
+                Assert.True(AuthenticationService.ValidatePasswordCredential(authUser.User.Credentials, "thePassword", out matched));
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, matched.Type);
+            }
+
+            [Fact]
+            public void WillSaveTheNewUser()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+
+                // Arrange
+                var authUser = auth.Register(
+                    "theUsername",
+                    "thePassword",
+                    "theEmailAddress");
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                auth.Entities.VerifyCommitChanges();
+            }
+
+            [Fact]
+            public void WillSaveTheNewUserAsConfirmedWhenConfigured()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+                GetMock<IAppConfiguration>()
+                    .Setup(x => x.ConfirmEmailAddresses)
+                    .Returns(false);
+
+                // Act
+                var authUser = auth.Register(
+                    "theUsername",
+                    "thePassword",
+                    "theEmailAddress");
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                Assert.True(authUser.User.Confirmed);
+                auth.Entities.VerifyCommitChanges();
+            }
+
+            [Fact]
+            public void SetsAnApiKey()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+
+                // Arrange
+                var authUser = auth.Register(
+                    "theUsername",
+                    "thePassword",
+                    "theEmailAddress");
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                auth.Entities.VerifyCommitChanges();
+
+                var apiKeyCred = authUser.User.Credentials.FirstOrDefault(c => c.Type == CredentialTypes.ApiKeyV1);
+                Assert.NotNull(apiKeyCred);
+            }
+
+            [Fact]
+            public void SetsAConfirmationToken()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+                GetMock<IAppConfiguration>()
+                    .Setup(c => c.ConfirmEmailAddresses)
+                    .Returns(true);
+
+                // Arrange
+                var authUser = auth.Register(
+                    "theUsername",
+                    "thePassword",
+                    "theEmailAddress");
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                auth.Entities.VerifyCommitChanges();
+
+                Assert.NotNull(authUser.User.EmailConfirmationToken);
+                Assert.False(authUser.User.Confirmed);
+            }
+
+            [Fact]
+            public void SetsCreatedDate()
+            {
+                // Arrange
+                var auth = Get<AuthenticationService>();
+
+                // Arrange
+                var authUser = auth.Register(
+                    "theUsername",
+                    "thePassword",
+                    "theEmailAddress");
+
+                // Assert
+                Assert.True(auth.Entities.Users.Contains(authUser.User));
+                auth.Entities.VerifyCommitChanges();
+
+                // Allow for up to 5 secs of time to have elapsed between Create call and now. Should be plenty
+                Assert.True((DateTime.UtcNow - authUser.User.CreatedUtc) < TimeSpan.FromSeconds(5));
+            }
+        }
+
+        public class TheReplaceCredentialMethod : TestContainer
+        {
+            [Fact]
+            public void ThrowsExceptionIfNoUserWithProvidedUserName()
+            {
+                // Arrange
+                var service = Get<AuthenticationService>();
+                
+                // Act
+                var ex = Assert.Throws<InvalidOperationException>(() =>
+                    service.ReplaceCredential("definitelyNotARealUser", new Credential()));
+
+                // Assert
+                Assert.Equal(Strings.UserNotFound, ex.Message);
+            }
+
+            [Fact]
+            public void AddsNewCredentialIfNoneWithSameTypeForUser()
+            {
+                // Arrange
+                var existingCred = new Credential("foo", "bar");
+                var newCred = new Credential("baz", "boz");
+                var user = Fakes.CreateUser("foo", existingCred);
+                var service = Get<AuthenticationService>();
+                service.Entities.Users.Add(user);
+
+                // Act
+                service.ReplaceCredential(user.Username, newCred);
+
+                // Assert
+                Assert.Equal(new[] { existingCred, newCred }, user.Credentials.ToArray());
+                service.Entities.VerifyCommitChanges();
+            }
+
+            [Fact]
+            public void ReplacesExistingCredentialIfOneWithSameTypeExistsForUser()
+            {
+                // Arrange
+                var frozenCred = new Credential("foo", "bar");
+                var existingCred = new Credential("baz", "bar");
+                var newCred = new Credential("baz", "boz");
+                var user = Fakes.CreateUser("foo", existingCred, frozenCred);
+                var service = Get<AuthenticationService>();
+                service.Entities.Users.Add(user);
+
+                // Act
+                service.ReplaceCredential(user.Username, newCred);
+
+                // Assert
+                Assert.Equal(new[] { frozenCred, newCred }, user.Credentials.ToArray());
+                Assert.DoesNotContain(existingCred, service.Entities.Credentials);
+                service.Entities.VerifyCommitChanges();
+            }
+        }
+
+        public class TheResetPasswordWithTokenMethod : TestContainer
+        {
+            [Fact]
+            public void ReturnsFalseIfUserNotFound()
+            {
+                // Arrange
+                var authService = Get<AuthenticationService>();
+                
+                // Act
+                bool result = authService.ResetPasswordWithToken("definitelyAFakeUser", "some-token", "new-password");
+
+                // Assert
+                Assert.False(result);
+            }
+
+            [Fact]
+            public void ThrowsExceptionIfUserNotConfirmed()
+            {
+                // Arrange
+                var user = new User
+                {
+                    Username = "tempUser",
+                    PasswordResetToken = "some-token",
+                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1)
+                };
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+
+                // Act/Assert
+                Assert.Throws<InvalidOperationException>(() => authService.ResetPasswordWithToken("tempUser", "some-token", "new-password"));
+            }
+
+            [Fact]
+            public void ResetsPasswordCredential()
+            {
+                // Arrange
+                var oldCred = CredentialBuilder.CreatePbkdf2Password("thePassword");
+                var user = new User
+                {
+                    Username = "user",
+                    EmailAddress = "confirmed@example.com",
+                    PasswordResetToken = "some-token",
+                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1),
+                    Credentials = new List<Credential>() { oldCred }
+                };
+
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+
+                // Act
+                bool result = authService.ResetPasswordWithToken("user", "some-token", "new-password");
+
+                // Assert
+                Assert.True(result);
+                var newCred = user.Credentials.Single();
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, newCred.Type);
+                Assert.True(VerifyPasswordHash(newCred.Value, Constants.PBKDF2HashAlgorithmId, "new-password"));
+                authService.Entities.VerifyCommitChanges();
+            }
+
+            [Fact]
+            public void ResetsPasswordMigratesPasswordHash()
+            {
+                var oldCred = CredentialBuilder.CreateSha1Password("thePassword");
+                var user = new User
+                {
+                    Username = "user",
+                    EmailAddress = "confirmed@example.com",
+                    PasswordResetToken = "some-token",
+                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1),
+                    Credentials = new List<Credential>() { oldCred }
+                };
+
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+
+                bool result = authService.ResetPasswordWithToken("user", "some-token", "new-password");
+
+                // Assert
+                Assert.True(result);
+                var newCred = user.Credentials.Single();
+                Assert.Equal(CredentialTypes.Password.Pbkdf2, newCred.Type);
+                Assert.True(VerifyPasswordHash(newCred.Value, Constants.PBKDF2HashAlgorithmId, "new-password"));
+                authService.Entities.VerifyCommitChanges();
+            }
+        }
+
+        public class TheGeneratePasswordResetTokenMethod : TestContainer
+        {
+            [Fact]
+            public void ReturnsNullIfEmailIsNotFound()
+            {
+                // Arrange
+                var authService = Get<AuthenticationService>();
+
+                // Act
+                var token = authService.GeneratePasswordResetToken("nobody@nowhere.com", 1440);
+
+                // Assert
+                Assert.Null(token);
+            }
+
+            [Fact]
+            public void ThrowsExceptionIfUserIsNotConfirmed()
+            {
+                // Arrange
+                var user = new User("user") { UnconfirmedEmailAddress = "unique@example.com" };
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+
+                // Act/Assert
+                Assert.Throws<InvalidOperationException>(() => authService.GeneratePasswordResetToken(user.Username, 1440));
+            }
+
+            [Fact]
+            public void SetsPasswordResetTokenUsingEmail()
+            {
+                // Arrange
+                var user = new User
+                {
+                    Username = "user",
+                    EmailAddress = "unique@example.com",
+                    PasswordResetToken = null
+                };
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+                var currentDate = DateTime.UtcNow;
+
+                // Act
+                var returnedUser = authService.GeneratePasswordResetToken(user.EmailAddress, 1440);
+
+                // Assert
+                Assert.Same(user, returnedUser);
+                Assert.NotNull(user.PasswordResetToken);
+                Assert.NotEmpty(user.PasswordResetToken);
+                Assert.True(user.PasswordResetTokenExpirationDate >= currentDate.AddMinutes(1440));
+            }
+
+            [Fact]
+            public void WithExistingNotYetExpiredTokenReturnsExistingToken()
+            {
+                // Arrange
+                var user = new User
+                {
+                    Username = "user",
+                    EmailAddress = "unique@example.com",
+                    PasswordResetToken = "existing-token",
+                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1)
+                };
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+
+                // Act
+                var returnedUser = authService.GeneratePasswordResetToken(user.EmailAddress, 1440);
+
+                // Assert
+                Assert.Same(user, returnedUser);
+                Assert.Equal("existing-token", user.PasswordResetToken);
+            }
+
+            [Fact]
+            public void WithExistingExpiredTokenReturnsNewToken()
+            {
+                // Arrange
+                var user = new User
+                {
+                    Username = "user",
+                    EmailAddress = "unique@example.com",
+                    PasswordResetToken = "existing-token",
+                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddMilliseconds(-1)
+                };
+                var authService = Get<AuthenticationService>();
+                authService.Entities.Users.Add(user);
+                var currentDate = DateTime.UtcNow;
+
+                // Act
+                var returnedUser = authService.GeneratePasswordResetToken(user.EmailAddress, 1440);
+
+                // Assert
+                Assert.Same(user, returnedUser);
+                Assert.NotEmpty(user.PasswordResetToken);
+                Assert.NotEqual("existing-token", user.PasswordResetToken);
+                Assert.True(user.PasswordResetTokenExpirationDate >= currentDate.AddMinutes(1440));
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/tests/NuGetGallery.Facts/Authentication/ForceSslWhenAuthenticatedMiddlewareFacts.cs b/tests/NuGetGallery.Facts/Authentication/ForceSslWhenAuthenticatedMiddlewareFacts.cs
new file mode 100644
index 0000000000..cc031d6ec5
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Authentication/ForceSslWhenAuthenticatedMiddlewareFacts.cs
@@ -0,0 +1,147 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Microsoft.Owin.Builder;
+using Microsoft.Owin.Security;
+using Moq;
+using NuGetGallery.Framework;
+using Xunit;
+
+namespace NuGetGallery.Authentication
+{
+    public class ForceSslWhenAuthenticatedMiddlewareFacts
+    {
+        [Fact]
+        public async Task GivenAForceSslCookieAndNonSslRequest_ItRedirectsToSSL()
+        {
+            // Arrange
+            var context = Fakes.CreateOwinContext();
+            var next = Fakes.CreateOwinMiddleware();
+            var app = new AppBuilder();
+            context.Request
+                .SetUrl("http://nuget.local/foo/bar/baz?qux=qooz")
+                .SetCookie("ForceSSL", "bogus");
+            var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 443);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            next.Verify(n => n.Invoke(It.IsAny<IOwinContext>()), Times.Never());
+            OwinAssert.WillRedirect(context, "https://nuget.local/foo/bar/baz?qux=qooz");
+        }
+
+        [Fact]
+        public async Task GivenANonStandardSslPort_ItSpecifiesPortInUrl()
+        {
+            // Arrange
+            var context = Fakes.CreateOwinContext();
+            var next = Fakes.CreateOwinMiddleware();
+            var app = new AppBuilder();
+            context.Request
+                .SetUrl("http://nuget.local/foo/bar/baz?qux=qooz")
+                .SetCookie("ForceSSL", "bogus");
+            var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 44300);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            next.Verify(n => n.Invoke(It.IsAny<IOwinContext>()), Times.Never());
+            OwinAssert.WillRedirect(context, "https://nuget.local:44300/foo/bar/baz?qux=qooz");
+        }
+
+        [Fact]
+        public async Task GivenAForceSslCookieAndSslRequest_ItPassesThrough()
+        {
+            // Arrange
+            var context = Fakes.CreateOwinContext();
+            var next = Fakes.CreateOwinMiddleware();
+            var app = new AppBuilder();
+            context.Request
+                .SetUrl("https://nuget.local/foo/bar/baz?qux=qooz")
+                .SetCookie("ForceSSL", "bogus");
+            var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 443);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            next.Verify(n => n.Invoke(It.IsAny<IOwinContext>()));
+        }
+
+        [Fact]
+        public async Task GivenNoForceSslCookieAndNonSslRequest_ItPassesThrough()
+        {
+            // Arrange
+            var context = Fakes.CreateOwinContext();
+            var next = Fakes.CreateOwinMiddleware();
+            var app = new AppBuilder();
+            context.Request
+                .SetUrl("http://nuget.local/foo/bar/baz?qux=qooz");
+            var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 443);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            next.Verify(n => n.Invoke(It.IsAny<IOwinContext>()));
+        }
+
+        [Fact]
+        public async Task GivenNextMiddlewareGrantsAuth_ItDropsForceSslCookie()
+        {
+            // Arrange
+            var context = Fakes.CreateOwinContext();
+            var next = Fakes.CreateOwinMiddleware();
+            var app = new AppBuilder();
+            var grant = new AuthenticationResponseGrant(new ClaimsIdentity(), new AuthenticationProperties());
+
+            next.Setup(n => n.Invoke(context))
+                .Returns<IOwinContext>(c =>
+                {
+                    c.Authentication.AuthenticationResponseGrant = grant;
+                    return Task.FromResult<object>(null);
+                });
+            context.Request
+                .SetUrl("http://nuget.local/foo/bar/baz?qux=qooz");
+            var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 443);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            OwinAssert.SetsCookie(context.Response, "ForceSSL", "true");
+        }
+
+        [Fact]
+        public async Task GivenNextMiddlewareRevokesAuth_ItRemovesForceSslCookie()
+        {
+            // Arrange
+            var context = Fakes.CreateOwinContext();
+            var next = Fakes.CreateOwinMiddleware();
+            var app = new AppBuilder();
+            var revoke = new AuthenticationResponseRevoke(new string[0]);
+
+            next.Setup(n => n.Invoke(context))
+                .Returns<IOwinContext>(c =>
+                {
+                    c.Authentication.AuthenticationResponseRevoke = revoke;
+                    return Task.FromResult<object>(null);
+                });
+            context.Request
+                .SetUrl("http://nuget.local/foo/bar/baz?qux=qooz");
+            var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 443);
+
+            // Act
+            await middleware.Invoke(context);
+
+            // Assert
+            OwinAssert.DeletesCookie(context.Response, "ForceSSL");
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs
index ee8dbc7cc3..950c2b526c 100644
--- a/tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/ApiControllerFacts.cs
@@ -9,9 +9,11 @@
 using System.Web;
 using System.Web.Mvc;
 using System.Web.Routing;
+using Microsoft.Owin;
 using Moq;
 using Newtonsoft.Json.Linq;
 using NuGet;
+using NuGetGallery.Authentication;
 using NuGetGallery.Framework;
 using NuGetGallery.Packaging;
 using Xunit;
@@ -29,11 +31,12 @@ class TestableApiController : ApiController
         public Mock<IContentService> MockContentService { get; private set; }
         public Mock<IStatisticsService> MockStatisticsService { get; private set; }
         public Mock<IIndexingService> MockIndexingService { get; private set; }
-
+        
         private INupkg PackageFromInputStream { get; set; }
 
         public TestableApiController(MockBehavior behavior = MockBehavior.Default)
         {
+            OwinContext = Fakes.CreateOwinContext();
             EntitiesContext = (MockEntitiesContext = new Mock<IEntitiesContext>()).Object;
             PackageService = (MockPackageService = new Mock<IPackageService>(behavior)).Object;
             UserService = (MockUserService = new Mock<IUserService>(behavior)).Object;
@@ -41,10 +44,12 @@ public TestableApiController(MockBehavior behavior = MockBehavior.Default)
             ContentService = (MockContentService = new Mock<IContentService>()).Object;
             StatisticsService = (MockStatisticsService = new Mock<IStatisticsService>()).Object;
             IndexingService = (MockIndexingService = new Mock<IIndexingService>()).Object;
-
+            
             MockPackageFileService = new Mock<IPackageFileService>(MockBehavior.Strict);
             MockPackageFileService.Setup(p => p.SavePackageFileAsync(It.IsAny<Package>(), It.IsAny<Stream>())).Returns(Task.FromResult(0));
             PackageFileService = MockPackageFileService.Object;
+
+            TestUtility.SetupHttpContextMockForUrlGeneration(new Mock<HttpContextBase>(), this);
         }
 
         internal void SetupPackageFromInputStream(Mock<INupkg> nuGetPackage)
@@ -69,15 +74,14 @@ public class TheCreatePackageAction
             public async Task CreatePackageWillSavePackageFileToFileStorage()
             {
                 // Arrange
-                var guid = Guid.NewGuid().ToString();
                 var user = new User() { EmailAddress = "confirmed@email.com" }; 
                 var userService = new Mock<IUserService>();
                 var packageRegistration = new PackageRegistration();
                 packageRegistration.Owners.Add(user);
 
                 var controller = new TestableApiController();
+                controller.SetCurrentUser(user);
                 controller.MockPackageFileService.Setup(p => p.SavePackageFileAsync(It.IsAny<Package>(), It.IsAny<Stream>())).Returns(Task.FromResult(0)).Verifiable();
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(user);
                 controller.MockPackageService.Setup(p => p.FindPackageRegistrationById(It.IsAny<string>())).Returns(packageRegistration);
 
                 var nuGetPackage = new Mock<INupkg>();
@@ -86,30 +90,12 @@ public async Task CreatePackageWillSavePackageFileToFileStorage()
                 controller.SetupPackageFromInputStream(nuGetPackage);
 
                 // Act
-                await controller.CreatePackagePut(guid);
+                await controller.CreatePackagePut();
 
                 // Assert
                 controller.MockPackageFileService.Verify();
             }
 
-            [Fact]
-            public void WillFindTheUserThatMatchesTheApiKey()
-            {
-                var nuGetPackage = new Mock<INupkg>();
-                nuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
-                nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-
-                var controller = new TestableApiController();
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(new User());
-                controller.SetupPackageFromInputStream(nuGetPackage);
-
-                var apiKey = Guid.NewGuid();
-
-                controller.CreatePackagePut(apiKey.ToString());
-
-                controller.MockUserService.Verify(x => x.FindByApiKey(apiKey));
-            }
-
             [Fact]
             public async Task WillReturnConflictIfAPackageWithTheIdAndSameNormalizedVersionAlreadyExists()
             {
@@ -127,12 +113,12 @@ public async Task WillReturnConflictIfAPackageWithTheIdAndSameNormalizedVersionA
                 };
 
                 var controller = new TestableApiController();
+                controller.SetCurrentUser(new User());
                 controller.MockPackageService.Setup(x => x.FindPackageRegistrationById("theId")).Returns(packageRegistration);
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(user);
                 controller.SetupPackageFromInputStream(nuGetPackage);
 
                 // Act
-                var result = await controller.CreatePackagePut(Guid.NewGuid().ToString());
+                var result = await controller.CreatePackagePut();
 
                 // Assert
                 ResultAssert.IsStatusCode(
@@ -141,97 +127,19 @@ public async Task WillReturnConflictIfAPackageWithTheIdAndSameNormalizedVersionA
                     String.Format(Strings.PackageExistsAndCannotBeModified, "theId", "1.0.42"));
             }
 
-            [Fact]
-            public async Task WillFindUserUsingFindByApiKey()
-            {
-                var nuGetPackage = new Mock<INupkg>();
-                nuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
-                nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-
-                var user = new User();
-                var apiKey = Guid.NewGuid();
-
-                var controller = new TestableApiController();
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(user);
-                controller.SetupPackageFromInputStream(nuGetPackage);
-
-                ResultAssert.IsStatusCode(
-                    await controller.CreatePackagePut(apiKey.ToString()),
-                    HttpStatusCode.Created);
-
-                controller.MockPackageService.Verify(p =>
-                    p.CreatePackage(nuGetPackage.Object, user, true));
-            }
-
-            [Fact]
-            public async Task WillFindUserUsingAuthenticateCredential()
-            {
-                var nuGetPackage = new Mock<INupkg>();
-                nuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
-                nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-
-                var user = new User();
-                var apiKey = Guid.NewGuid();
-
-                var controller = new TestableApiController();
-                controller.MockUserService.Setup(
-                    x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(new Credential() { User = user });
-                controller.SetupPackageFromInputStream(nuGetPackage);
-
-                ResultAssert.IsStatusCode(
-                    await controller.CreatePackagePut(apiKey.ToString().ToUpperInvariant()), 
-                    HttpStatusCode.Created);
-
-                controller.MockPackageService.Verify(p =>
-                    p.CreatePackage(nuGetPackage.Object, user, true));
-            }
-
-            [Fact]
-            public async Task WillUseUserFoundByAuthenticateCredentialOverFindByApiKey()
-            {
-                var nuGetPackage = new Mock<INupkg>();
-                nuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
-                nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-
-                var correctUser = new User();
-                var incorrectUser = new User();
-                var apiKey = Guid.NewGuid();
-
-                var controller = new TestableApiController();
-                controller.MockUserService
-                    .Setup(x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(new Credential() { User = correctUser });
-                controller.MockUserService
-                    .Setup(x => x.FindByApiKey(apiKey))
-                    .Returns(incorrectUser);
-
-                controller.SetupPackageFromInputStream(nuGetPackage);
-
-                ResultAssert.IsStatusCode(
-                    await controller.CreatePackagePut(apiKey.ToString().ToUpperInvariant()),
-                    HttpStatusCode.Created);
-
-                controller.MockPackageService.Verify(p =>
-                    p.CreatePackage(nuGetPackage.Object, correctUser, true));
-            }
-
             [Fact]
             public void WillCreateAPackageFromTheNuGetPackage()
             {
                 var nuGetPackage = new Mock<INupkg>();
                 nuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
                 nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-                var matchingUser = new User() { EmailAddress = "confirmed@email.com" }; 
+                var user = new User() { EmailAddress = "confirmed@email.com" }; 
                 var controller = new TestableApiController();
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(matchingUser);
+                var apiKey = Guid.NewGuid();
+                controller.SetCurrentUser(user);
                 controller.SetupPackageFromInputStream(nuGetPackage);
 
-                controller.CreatePackagePut(Guid.NewGuid().ToString());
+                controller.CreatePackagePut();
 
                 controller.MockPackageService.Verify(x => x.CreatePackage(nuGetPackage.Object, It.IsAny<User>(), true));
             }
@@ -242,14 +150,15 @@ public void WillCreateAPackageWithTheUserMatchingTheApiKey()
                 var nuGetPackage = new Mock<INupkg>();
                 nuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
                 nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-                var matchingUser = new User() { EmailAddress = "confirmed@email.com" }; 
+                var user = new User() { EmailAddress = "confirmed@email.com" }; 
                 var controller = new TestableApiController();
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(matchingUser);
+                var apiKey = Guid.NewGuid();
+                controller.SetCurrentUser(user);
                 controller.SetupPackageFromInputStream(nuGetPackage);
 
-                controller.CreatePackagePut(Guid.NewGuid().ToString());
+                controller.CreatePackagePut();
 
-                controller.MockPackageService.Verify(x => x.CreatePackage(It.IsAny<INupkg>(), matchingUser, true));
+                controller.MockPackageService.Verify(x => x.CreatePackage(It.IsAny<INupkg>(), user, true));
             }
 
             [Fact]
@@ -259,16 +168,17 @@ public void CreatePackageRefreshesNuGetExeIfCommandLinePackageIsUploaded()
                 var nuGetPackage = new Mock<INupkg>();
                 nuGetPackage.Setup(x => x.Metadata.Id).Returns("NuGet.CommandLine");
                 nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
-                var matchingUser = new User() { EmailAddress = "confirmed@email.com" }; 
+                var user = new User() { EmailAddress = "confirmed@email.com" }; 
                 var controller = new TestableApiController();
+                var apiKey = Guid.NewGuid();
                 controller.MockPackageService.Setup(p => p.CreatePackage(nuGetPackage.Object, It.IsAny<User>(), true))
                           .Returns(new Package { IsLatestStable = true });
                 controller.MockNuGetExeDownloaderService.Setup(s => s.UpdateExecutableAsync(nuGetPackage.Object)).Verifiable();
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(matchingUser);
+                controller.SetCurrentUser(user);
                 controller.SetupPackageFromInputStream(nuGetPackage);
 
                 // Act
-                controller.CreatePackagePut(Guid.NewGuid().ToString());
+                controller.CreatePackagePut();
 
                 // Assert
                 controller.MockNuGetExeDownloaderService.Verify();
@@ -281,16 +191,17 @@ public void CreatePackageDoesNotRefreshNuGetExeIfItIsNotLatestStable()
                 var nuGetPackage = new Mock<INupkg>();
                 nuGetPackage.Setup(x => x.Metadata.Id).Returns("NuGet.CommandLine");
                 nuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("2.0.0-alpha"));
-                var matchingUser = new User() { EmailAddress = "confirmed@email.com" }; 
+                var user = new User() { EmailAddress = "confirmed@email.com" }; 
                 var controller = new TestableApiController();
+                var apiKey = Guid.NewGuid();
                 controller.MockPackageService.Setup(p => p.CreatePackage(nuGetPackage.Object, It.IsAny<User>(), true))
                           .Returns(new Package { IsLatest = true, IsLatestStable = false });
                 controller.MockNuGetExeDownloaderService.Setup(s => s.UpdateExecutableAsync(nuGetPackage.Object)).Verifiable();
-                controller.MockUserService.Setup(x => x.FindByApiKey(It.IsAny<Guid>())).Returns(matchingUser);
+                controller.SetCurrentUser(user);
                 controller.SetupPackageFromInputStream(nuGetPackage);
 
                 // Act
-                controller.CreatePackagePut(Guid.NewGuid().ToString());
+                controller.CreatePackagePut();
 
                 // Assert
                 controller.MockNuGetExeDownloaderService.Verify(s => s.UpdateExecutableAsync(It.IsAny<INupkg>()), Times.Never());
@@ -299,32 +210,14 @@ public void CreatePackageDoesNotRefreshNuGetExeIfItIsNotLatestStable()
 
         public class TheDeletePackageAction
         {
-            [Fact]
-            public void WillThrowIfTheApiKeyDoesNotExist()
-            {
-                var controller = new TestableApiController();
-                controller.MockPackageService
-                    .Setup(p => p.FindPackageByIdAndVersion("theId", "1.0.42", true))
-                    .Returns(new Package());
-
-                var result = controller.DeletePackage(Guid.NewGuid().ToString(), "theId", "1.0.42");
-
-                Assert.IsType<HttpStatusCodeWithBodyResult>(result);
-                var statusCodeResult = (HttpStatusCodeWithBodyResult)result;
-                Assert.Equal(403, statusCodeResult.StatusCode);
-                Assert.Equal(String.Format(Strings.ApiKeyNotAuthorized, "delete"), statusCodeResult.StatusDescription);
-                controller.MockPackageService.Verify(x => x.MarkPackageUnlisted(It.IsAny<Package>(), true), Times.Never());
-            }
-
             [Fact]
             public void WillThrowIfAPackageWithTheIdAndSemanticVersionDoesNotExist()
             {
                 var controller = new TestableApiController();
-                var apiKey = Guid.NewGuid();
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion("theId", "1.0.42", true)).Returns((Package)null);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(new User());
-
-                var result = controller.DeletePackage(apiKey.ToString(), "theId", "1.0.42");
+                controller.SetCurrentUser(new User());
+                
+                var result = controller.DeletePackage("theId", "1.0.42");
 
                 Assert.IsType<HttpStatusCodeWithBodyResult>(result);
                 var statusCodeResult = (HttpStatusCodeWithBodyResult)result;
@@ -336,17 +229,17 @@ public void WillThrowIfAPackageWithTheIdAndSemanticVersionDoesNotExist()
             [Fact]
             public void WillNotDeleteThePackageIfApiKeyDoesNotBelongToAnOwner()
             {
-                var owner = new User { Key = 1 };
+                var notOwner = new User { Key = 1 };
                 var package = new Package
                     {
                         PackageRegistration = new PackageRegistration { Owners = new[] { new User() } }
                     };
                 var apiKey = Guid.NewGuid();
                 var controller = new TestableApiController();
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(owner);
+                controller.SetCurrentUser(notOwner);
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion("theId", "1.0.42", true)).Returns(package);
                 
-                var result = controller.DeletePackage(apiKey.ToString(), "theId", "1.0.42");
+                var result = controller.DeletePackage("theId", "1.0.42");
 
                 Assert.IsType<HttpStatusCodeWithBodyResult>(result);
                 var statusCodeResult = (HttpStatusCodeWithBodyResult)result;
@@ -356,7 +249,7 @@ public void WillNotDeleteThePackageIfApiKeyDoesNotBelongToAnOwner()
             }
 
             [Fact]
-            public void WillUnlistThePackageIfApiKeyBelongsToAnOwnerUsingFindByApiKey()
+            public void WillUnlistThePackageIfApiKeyBelongsToAnOwner()
             {
                 var apiKey = Guid.NewGuid();
                 var owner = new User { Key = 1, ApiKey = apiKey };
@@ -366,93 +259,13 @@ public void WillUnlistThePackageIfApiKeyBelongsToAnOwnerUsingFindByApiKey()
                     };
                 var controller = new TestableApiController();
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(owner);
-
-                ResultAssert.IsEmpty(controller.DeletePackage(apiKey.ToString(), "theId", "1.0.42"));
-
-                controller.MockPackageService.Verify(x => x.MarkPackageUnlisted(package, true));
-                controller.MockIndexingService.Verify(i => i.UpdatePackage(package));
-            }
-
-            [Fact]
-            public void WillUnlistThePackageIfApiKeyBelongsToAnOwnerUsingAuthenticateCredential()
-            {
-                var apiKey = Guid.NewGuid();
-                var owner = new Credential() { User = new User { Key = 1 } };
-                var package = new Package
-                {
-                    PackageRegistration = new PackageRegistration { Owners = new[] { new User(), owner.User } }
-                };
-                var controller = new TestableApiController();
-                controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService
-                    .Setup(x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1, 
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(owner);
-
-                ResultAssert.IsEmpty(controller.DeletePackage(apiKey.ToString(), "theId", "1.0.42"));
-
-                controller.MockPackageService.Verify(x => x.MarkPackageUnlisted(package, true));
-                controller.MockIndexingService.Verify(i => i.UpdatePackage(package));
-            }
-
-            [Fact]
-            public void WillUseUserFromAuthenticateCredentialOverFindByApiKey()
-            {
-                var apiKey = Guid.NewGuid();
-                var owner = new Credential() { User = new User { Key = 1 } };
-                var nonOwner = new User() { ApiKey = apiKey };
-                var package = new Package
-                {
-                    PackageRegistration = new PackageRegistration { Owners = new[] { new User(), owner.User } }
-                };
-                var controller = new TestableApiController();
-                controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(nonOwner);
-                controller.MockUserService
-                    .Setup(x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(owner);
-
-                ResultAssert.IsEmpty(controller.DeletePackage(apiKey.ToString(), "theId", "1.0.42"));
+                controller.SetCurrentUser(owner);
+                
+                ResultAssert.IsEmpty(controller.DeletePackage("theId", "1.0.42"));
 
                 controller.MockPackageService.Verify(x => x.MarkPackageUnlisted(package, true));
                 controller.MockIndexingService.Verify(i => i.UpdatePackage(package));
             }
-
-            [Fact]
-            public void WillFailIfUserFromAuthenticateCredentialIsNotOwner()
-            {
-                // Arrange
-                var apiKey = Guid.NewGuid();
-                var nonOwner = new Credential() { User = new User { Key = 1 } };
-                var owner = new User() { ApiKey = apiKey };
-                var package = new Package
-                {
-                    PackageRegistration = new PackageRegistration { Owners = new[] { new User(), owner } }
-                };
-                var controller = new TestableApiController();
-                controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(owner);
-                controller.MockUserService
-                    .Setup(x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(nonOwner);
-
-                // Act
-                var result = controller.DeletePackage(apiKey.ToString(), "theId", "1.0.42");
-
-                // Assert
-                ResultAssert.IsStatusCode(
-                    result,
-                    HttpStatusCode.Forbidden,
-                    String.Format(Strings.ApiKeyNotAuthorized, "delete"));
-
-                controller.MockPackageService.Verify(x => x.MarkPackageUnlisted(package, true), Times.Never());
-            }
         }
 
         public class TheGetPackageAction
@@ -479,11 +292,9 @@ public async Task GetPackageReturns400ForEvilPackageVersion()
             public async Task GetPackageReturns404IfPackageIsNotFound()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
                 var controller = new TestableApiController(MockBehavior.Strict);
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion("Baz", "1.0.1", false)).Returns((Package)null).Verifiable();
-                controller.MockUserService.Setup(x => x.FindByApiKey(guid)).Returns(new User());
-
+                
                 // Act
                 var result = await controller.GetPackage("Baz", "1.0.1");
 
@@ -499,7 +310,6 @@ public async Task GetPackageReturnsPackageIfItExists()
             {
                 // Arrange
                 const string PackageId = "Baz";
-                var guid = Guid.NewGuid();
                 var package = new Package() { Version = "1.0.01", NormalizedVersion = "1.0.1" };
                 var actionResult = new EmptyResult();
                 var controller = new TestableApiController(MockBehavior.Strict);
@@ -508,8 +318,7 @@ public async Task GetPackageReturnsPackageIfItExists()
                 controller.MockPackageFileService.Setup(s => s.CreateDownloadPackageActionResultAsync(HttpRequestUrl, PackageId, package.NormalizedVersion))
                               .Returns(Task.FromResult<ActionResult>(actionResult))
                               .Verifiable();
-                controller.MockUserService.Setup(x => x.FindByApiKey(guid)).Returns(new User());
-
+                
                 NameValueCollection headers = new NameValueCollection();
                 headers.Add("NuGet-Operation", "Install");
 
@@ -538,7 +347,6 @@ public async Task GetPackageReturnsPackageIfItExists()
             public async Task GetPackageReturnsSpecificPackageEvenIfDatabaseIsOffline()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
                 var package = new Package();
                 var actionResult = new EmptyResult();
 
@@ -576,7 +384,6 @@ public async Task GetPackageReturnsLatestPackageIfNoVersionIsProvided()
             {
                 // Arrange
                 const string PackageId = "Baz";
-                var guid = Guid.NewGuid();
                 var package = new Package() { Version = "1.2.0408", NormalizedVersion = "1.2.408" };
                 var actionResult = new EmptyResult();
                 var controller = new TestableApiController(MockBehavior.Strict);
@@ -586,7 +393,6 @@ public async Task GetPackageReturnsLatestPackageIfNoVersionIsProvided()
                 controller.MockPackageFileService.Setup(s => s.CreateDownloadPackageActionResultAsync(HttpRequestUrl, PackageId, package.NormalizedVersion))
                               .Returns(Task.FromResult<ActionResult>(actionResult))
                               .Verifiable();
-                controller.MockUserService.Setup(x => x.FindByApiKey(guid)).Returns(new User());
 
                 NameValueCollection headers = new NameValueCollection();
                 headers.Add("NuGet-Operation", "Install");
@@ -616,14 +422,11 @@ public async Task GetPackageReturnsLatestPackageIfNoVersionIsProvided()
             public async Task GetPackageReturns503IfNoVersionIsProvidedAndDatabaseUnavailable()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
                 var package = new Package();
                 var actionResult = new EmptyResult();
                 var controller = new TestableApiController(MockBehavior.Strict);
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion("Baz", "", false)).Throws(new DataException("Oh noes, database broked!"));
 
-                controller.MockUserService.Setup(x => x.FindByApiKey(guid)).Returns(new User());
-
                 NameValueCollection headers = new NameValueCollection();
                 headers.Add("NuGet-Operation", "Install");
 
@@ -647,44 +450,20 @@ public async Task GetPackageReturns503IfNoVersionIsProvidedAndDatabaseUnavailabl
                 controller.MockPackageService.Verify();
                 controller.MockUserService.Verify();
             }
-
-            [Fact]
-            public void WillThrowIfTheApiKeyDoesNotExist()
-            {
-                // Arrange
-                var controller = new TestableApiController();
-                var apiKey = Guid.NewGuid();
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).ReturnsNull();
-                controller.MockPackageService
-                    .Setup(p => p.FindPackageByIdAndVersion("theId", "1.0.42", true))
-                    .Returns(new Package());
-
-                // Act
-                var result = controller.PublishPackage(apiKey.ToString(), "theId", "1.0.42");
-
-                // Assert
-                ResultAssert.IsStatusCode(
-                    result,
-                    HttpStatusCode.Forbidden,
-                    String.Format(Strings.ApiKeyNotAuthorized, "publish"));
-                controller.MockPackageService.Verify(x => x.MarkPackageListed(It.IsAny<Package>(), It.IsAny<bool>()), Times.Never());
-            }
         }
 
         public class ThePublishPackageAction
         {
-
             [Fact]
             public void WillThrowIfAPackageWithTheIdAndSemanticVersionDoesNotExist()
             {
                 // Arrange
                 var controller = new TestableApiController();
-                var apiKey = Guid.NewGuid();
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion("theId", "1.0.42", true)).Returns((Package)null);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(new User());
+                controller.SetCurrentUser(new User());
                 
                 // Act
-                var result = controller.PublishPackage(apiKey.ToString(), "theId", "1.0.42");
+                var result = controller.PublishPackage("theId", "1.0.42");
 
                 // Assert
                 ResultAssert.IsStatusCode(
@@ -703,14 +482,13 @@ public void WillNotListThePackageIfApiKeyDoesNotBelongToAnOwner()
                     {
                         PackageRegistration = new PackageRegistration { Owners = new[] { new User() } }
                     };
-                var apiKey = Guid.NewGuid();
-
+                
                 var controller = new TestableApiController();
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion("theId", "1.0.42", true)).Returns(package);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(owner);
-
+                controller.SetCurrentUser(owner);
+                
                 // Act
-                var result = controller.PublishPackage(apiKey.ToString(), "theId", "1.0.42");
+                var result = controller.PublishPackage("theId", "1.0.42");
 
                 // Assert
                 ResultAssert.IsStatusCode(
@@ -722,11 +500,10 @@ public void WillNotListThePackageIfApiKeyDoesNotBelongToAnOwner()
             }
 
             [Fact]
-            public void WillListThePackageIfApiKeyBelongsToAnOwnerUsingFindByApiKey()
+            public void WillListThePackageIfUserIsAnOwner()
             {
                 // Arrange
-                var apiKey = Guid.NewGuid();
-                var owner = new User { Key = 1, ApiKey = apiKey };
+                var owner = new User { Key = 1 };
                 var package = new Package
                 {
                     PackageRegistration = new PackageRegistration { Owners = new[] { new User(), owner } }
@@ -734,142 +511,29 @@ public void WillListThePackageIfApiKeyBelongsToAnOwnerUsingFindByApiKey()
 
                 var controller = new TestableApiController();
                 controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(owner);
-
-                // Act
-                var result = controller.PublishPackage(apiKey.ToString(), "theId", "1.0.42");
-
-                // Assert
-                ResultAssert.IsEmpty(result);
-                controller.MockPackageService.Verify(x => x.MarkPackageListed(package, It.IsAny<bool>()));
-                controller.MockIndexingService.Verify(i => i.UpdatePackage(package));
-            }
-
-            [Fact]
-            public void WillListThePackageIfApiKeyBelongsToAnOwnerUsingAuthorizeCredential()
-            {
-                // Arrange
-
-                var apiKey = Guid.NewGuid();
-                var owner = new Credential { User = new User { Key = 1 } };
-                var package = new Package
-                {
-                    PackageRegistration = new PackageRegistration { Owners = new[] { new User(), owner.User } }
-                };
-
-                var controller = new TestableApiController();
-                controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService
-                    .Setup(x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(owner);
-
+                controller.SetCurrentUser(owner);
+                
                 // Act
-                var result = controller.PublishPackage(apiKey.ToString(), "theId", "1.0.42");
+                var result = controller.PublishPackage("theId", "1.0.42");
 
                 // Assert
                 ResultAssert.IsEmpty(result);
                 controller.MockPackageService.Verify(x => x.MarkPackageListed(package, It.IsAny<bool>()));
                 controller.MockIndexingService.Verify(i => i.UpdatePackage(package));
             }
-
-            [Fact]
-            public void WillFailIfUserFromAuthenticateCredentialIsNotOwner()
-            {
-                // Arrange
-                var apiKey = Guid.NewGuid();
-                var nonOwner = new Credential { User = new User { Key = 1 } };
-                var owner = new User();
-                var package = new Package
-                {
-                    PackageRegistration = new PackageRegistration { Owners = new[] { new User(), owner } }
-                };
-
-                var controller = new TestableApiController();
-                controller.MockPackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), true)).Returns(package);
-                controller.MockUserService.Setup(x => x.FindByApiKey(apiKey)).Returns(owner);
-                controller.MockUserService
-                    .Setup(x => x.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        apiKey.ToString().ToLowerInvariant()))
-                    .Returns(nonOwner);
-
-                // Act
-                var result = controller.PublishPackage(apiKey.ToString(), "theId", "1.0.42");
-
-                // Assert
-                ResultAssert.IsStatusCode(
-                    result,
-                    HttpStatusCode.Forbidden,
-                    String.Format(Strings.ApiKeyNotAuthorized, "publish"));
-
-                controller.MockPackageService.Verify(x => x.MarkPackageListed(package, It.IsAny<bool>()), Times.Never());
-            }
         }
 
         public class TheVerifyPackageKeyAction : TestContainer
         {
             [Fact]
-            public void VerifyPackageKeyReturns403IfUserDoesNotExistByFindByApiKeyOrAuthorizeCredential()
-            {
-                // Arrange
-                var guid = Guid.NewGuid();
-                var controller = new TestableApiController();
-                controller.MockUserService.Setup(s => s.FindByApiKey(guid)).Returns<User>(null);
-                controller.MockUserService
-                    .Setup(s => s.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        guid.ToString().ToLowerInvariant()))
-                    .ReturnsNull();
-                controller.MockPackageService
-                    .Setup(p => p.FindPackageByIdAndVersion("foo", "1.0.0", true))
-                    .Returns(new Package());
-
-                // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), "foo", "1.0.0");
-
-                // Assert
-                ResultAssert.IsStatusCode(
-                    result,
-                    HttpStatusCode.Forbidden, 
-                    "The specified API key does not provide the authority to push packages.");
-            }
-
-            [Fact]
-            public void VerifyPackageKeyReturnsEmptyResultIfApiKeyExistsInUserRecordAndIdAndVersionAreEmpty()
-            {
-                // Arrange
-                var guid = Guid.NewGuid();
-                var controller = new TestableApiController();
-                controller.MockUserService.Setup(s => s.FindByApiKey(guid)).Returns(new User());
-                controller.MockUserService
-                    .Setup(s => s.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        guid.ToString().ToLowerInvariant()))
-                    .ReturnsNull();
-
-                // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), null, null);
-
-                // Assert
-                ResultAssert.IsEmpty(result);
-            }
-
-            [Fact]
-            public void VerifyPackageKeyReturnsEmptyResultIfApiKeyExistsInCredentialsAndIdAndVersionAreEmpty()
+            public void VerifyPackageKeyReturnsEmptyResultIfApiKeyExistsButIdAndVersionAreEmpty()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
                 var controller = new TestableApiController();
-                controller.MockUserService
-                    .Setup(s => s.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        guid.ToString().ToLowerInvariant()))
-                    .Returns(new Credential() { User = new User() });
-
+                controller.SetCurrentUser(new User());
+                
                 // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), null, null);
+                var result = controller.VerifyPackageKey(null, null);
 
                 // Assert
                 ResultAssert.IsEmpty(result);
@@ -879,18 +543,15 @@ public void VerifyPackageKeyReturnsEmptyResultIfApiKeyExistsInCredentialsAndIdAn
             public void VerifyPackageKeyReturns404IfPackageDoesNotExist()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
-                var controller = GetController<ApiController>();
                 var user = new User { EmailAddress = "confirmed@email.com" };
-                GetMock<IUserService>()
-                    .Setup(s => s.FindByApiKey(guid))
-                    .Returns(user);
                 GetMock<IPackageService>()
                     .Setup(s => s.FindPackageByIdAndVersion("foo", "1.0.0", true))
                     .ReturnsNull();
-
+                var controller = GetController<ApiController>();
+                controller.SetCurrentUser(user);
+                
                 // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), "foo", "1.0.0");
+                var result = controller.VerifyPackageKey("foo", "1.0.0");
                 
                 // Assert
                 ResultAssert.IsStatusCode(
@@ -900,75 +561,40 @@ public void VerifyPackageKeyReturns404IfPackageDoesNotExist()
             }
 
             [Fact]
-            public void VerifyPackageKeyReturns403IfUserInCredentialsTableIsNotAnOwner()
+            public void VerifyPackageKeyReturns403IfUserIsNotAnOwner()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
                 var controller = new TestableApiController();
                 var owner = new User();
                 var nonOwner = new User();
-                controller.MockUserService.Setup(s => s.FindByApiKey(guid)).Returns(owner);
-                controller.MockUserService
-                    .Setup(s => s.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        guid.ToString().ToLowerInvariant()))
-                    .Returns(new Credential() { User = nonOwner });
+                controller.SetCurrentUser(nonOwner);
                 controller.MockPackageService.Setup(s => s.FindPackageByIdAndVersion("foo", "1.0.0", true)).Returns(
                     new Package { PackageRegistration = new PackageRegistration() });
 
                 // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), "foo", "1.0.0");
+                var result = controller.VerifyPackageKey("foo", "1.0.0");
 
                 // Assert
                 ResultAssert.IsStatusCode(
                     result,
                     HttpStatusCode.Forbidden, 
-                    "The specified API key does not provide the authority to push packages.");
+                    Strings.ApiKeyNotAuthorized);
             }
 
             [Fact]
-            public void VerifyPackageKeyReturns200IfUserHasNoCredentialRecordButIsAnOwner()
+            public void VerifyPackageKeyReturns200IfUserIsAnOwner()
             {
                 // Arrange
-                var guid = Guid.NewGuid();
-                var user = new User { EmailAddress = "confirmed@email.com" };
-                var package = new Package { PackageRegistration = new PackageRegistration() };
-                package.PackageRegistration.Owners.Add(user);
-                var controller = new TestableApiController();
-                controller.MockUserService
-                    .Setup(s => s.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        guid.ToString().ToLowerInvariant()))
-                    .ReturnsNull();
-                controller.MockUserService.Setup(s => s.FindByApiKey(guid)).Returns(user);
-                controller.MockPackageService.Setup(s => s.FindPackageByIdAndVersion("foo", "1.0.0", true)).Returns(package);
-
-                // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), "foo", "1.0.0");
-
-                // Assert
-                ResultAssert.IsEmpty(result);
-            }
-
-            [Fact]
-            public void VerifyPackageKeyReturns200IfUserHasCredentialRecordAndIsAnOwner()
-            {
-                // Arrange
-                var guid = Guid.NewGuid();
+                var apiKey = Guid.NewGuid();
                 var user = new User();
                 var package = new Package { PackageRegistration = new PackageRegistration() };
                 package.PackageRegistration.Owners.Add(user);
                 var controller = new TestableApiController();
-                controller.MockUserService
-                    .Setup(s => s.AuthenticateCredential(
-                        CredentialTypes.ApiKeyV1,
-                        guid.ToString().ToLowerInvariant()))
-                    .Returns(new Credential() { User = user });
-                controller.MockUserService.Setup(s => s.FindByApiKey(guid)).ReturnsNull();
+                controller.SetCurrentUser(user);
                 controller.MockPackageService.Setup(s => s.FindPackageByIdAndVersion("foo", "1.0.0", true)).Returns(package);
 
                 // Act
-                var result = controller.VerifyPackageKey(guid.ToString(), "foo", "1.0.0");
+                var result = controller.VerifyPackageKey("foo", "1.0.0");
 
                 // Assert
                 ResultAssert.IsEmpty(result);
diff --git a/tests/NuGetGallery.Facts/Controllers/AppControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/AppControllerFacts.cs
new file mode 100644
index 0000000000..5ebdebea9c
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Controllers/AppControllerFacts.cs
@@ -0,0 +1,42 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Moq;
+using NuGetGallery.Framework;
+using Xunit;
+
+namespace NuGetGallery.Controllers
+{
+    public class AppControllerFacts
+    {
+        public class TheGetCurrentUserMethod
+        {
+            [Fact]
+            public void GivenNoActiveUserPrincipal_ItReturnsNull()
+            {
+                // Arrange
+                var ctrl = new TestableAppController();
+                ctrl.OwinContext = Fakes.CreateOwinContext();
+
+                // Act
+                var user = ctrl.InvokeGetCurrentUser();
+
+                // Assert
+                Assert.Null(user);
+            }
+        }
+
+        public class TestableAppController : AppController
+        {
+            // Nothing but a concrete class to test an abstract class :)
+
+            public User InvokeGetCurrentUser()
+            {
+                return GetCurrentUser();
+            }
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs
index 81d0aef27f..9b28c83b57 100644
--- a/tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs
@@ -5,6 +5,8 @@
 using Xunit;
 using System.Net.Mail;
 using NuGetGallery.Framework;
+using NuGetGallery.Authentication;
+using Microsoft.Owin;
 
 namespace NuGetGallery.Controllers
 {
@@ -16,10 +18,12 @@ public class TheLogOffAction : TestContainer
             public void WillLogTheUserOff()
             {
                 var controller = GetController<AuthenticationController>();
-
+                
                 controller.LogOff("theReturnUrl");
 
-                GetMock<IFormsAuthenticationService>().Verify(x => x.SignOut());
+                var revoke = controller.OwinContext.Authentication.AuthenticationResponseRevoke;
+                Assert.NotNull(revoke);
+                Assert.Empty(revoke.AuthenticationTypes);
             }
 
             [Fact]
@@ -51,93 +55,83 @@ public void WillShowTheViewWithErrorsIfTheModelStateIsInvalid()
             [Fact]
             public void CanLogTheUserOnWithUserName()
             {
+                // Arrange
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername") { EmailAddress = "confirmed@example.com" },
+                    new Credential() { Type = "Foo" });
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Authenticate(authUser.User.Username, "thePassword"))
+                    .Returns(authUser);
                 var controller = GetController<AuthenticationController>();
-                var user = new User("theUsername") { EmailAddress = "confirmed@example.com" };
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsernameOrEmailAddressAndPassword("theUsername", "thePassword"))
-                    .Returns(user);
-
+                GetMock<AuthenticationService>()
+                    .Setup(a => a.CreateSession(controller.OwinContext, authUser.User, AuthenticationTypes.Password))
+                    .Verifiable();
+                
+                // Act
                 controller.SignIn(
-                    new SignInRequest { UserNameOrEmail = "theUsername", Password = "thePassword" },
+                    new SignInRequest { UserNameOrEmail = authUser.User.Username, Password = "thePassword" },
                     "theReturnUrl");
 
-                GetMock<IFormsAuthenticationService>().Verify(
-                    x => x.SetAuthCookie(
-                        "theUsername",
-                        true,
-                        null));
+                // Assert
+                GetMock<AuthenticationService>().VerifyAll();
             }
 
             [Fact]
             public void CanLogTheUserOnWithEmailAddress()
             {
+                // Arrange
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername") { EmailAddress = "confirmed@example.com" },
+                    new Credential() { Type = "Foo" });
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Authenticate("confirmed@example.com", "thePassword"))
+                    .Returns(authUser);
                 var controller = GetController<AuthenticationController>();
-                var user = new User("theUsername") { EmailAddress = "confirmed@example.com" };
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsernameOrEmailAddressAndPassword("confirmed@example.com", "thePassword"))
-                    .Returns(user);
-
+                GetMock<AuthenticationService>()
+                    .Setup(a => a.CreateSession(controller.OwinContext, authUser.User, AuthenticationTypes.Password))
+                    .Verifiable();
+                
+                // Act
                 controller.SignIn(
                     new SignInRequest { UserNameOrEmail = "confirmed@example.com", Password = "thePassword" },
                     "theReturnUrl");
 
-                GetMock<IFormsAuthenticationService>().Verify(
-                    x => x.SetAuthCookie(
-                        "theUsername",
-                        true,
-                        null));
+                // Assert
+                GetMock<AuthenticationService>().VerifyAll();
             }
 
             [Fact]
             public void WillLogTheUserOnWithUsernameEvenWithoutConfirmedEmailAddress()
             {
+                // Arrange
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername") { UnconfirmedEmailAddress = "unconfirmed@example.com" },
+                    new Credential() { Type = "Foo" });
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Authenticate("confirmed@example.com", "thePassword"))
+                    .Returns(authUser);
                 var controller = GetController<AuthenticationController>();
-                var user = new User { Key = 42, Username = "theUsername", UnconfirmedEmailAddress = "anAddress@email.org" };
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsernameOrEmailAddressAndPassword("theUsername", "thePassword"))
-                    .Returns(user);
-
-                controller.SignIn(
-                    new SignInRequest { UserNameOrEmail = "theUsername", Password = "thePassword" },
-                    "theReturnUrl");
-
-                GetMock<IFormsAuthenticationService>()
-                    .Verify(
-                        x => x.SetAuthCookie(It.IsAny<string>(), It.IsAny<bool>(), It.IsAny<IEnumerable<string>>()));
-            }
-
-            [Fact]
-            public void WillLogTheUserOnWithRoles()
-            {
-                var controller = GetController<AuthenticationController>();
-                var user = new User("theUsername")
-                {
-                    Roles = new[] { new Role { Name = "Administrators" } },
-                    EmailAddress = "confirmed@example.com"
-                };
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsernameOrEmailAddressAndPassword("theUsername", "thePassword"))
-                    .Returns(user);
-
+                GetMock<AuthenticationService>()
+                    .Setup(a => a.CreateSession(controller.OwinContext, authUser.User, AuthenticationTypes.Password))
+                    .Verifiable();
+                
+                // Act
                 controller.SignIn(
-                    new SignInRequest { UserNameOrEmail = "theUsername", Password = "thePassword" },
+                    new SignInRequest { UserNameOrEmail = "confirmed@example.com", Password = "thePassword" },
                     "theReturnUrl");
 
-                GetMock<IFormsAuthenticationService>().Verify(
-                    x => x.SetAuthCookie(
-                        "theUsername",
-                        true,
-                        new[] { "Administrators" }));
+                // Assert
+                GetMock<AuthenticationService>().VerifyAll();
             }
 
             [Fact]
             public void WillInvalidateModelStateAndShowTheViewWithErrorsWhenTheUsernameAndPasswordAreNotValid()
             {
-                var controller = GetController<AuthenticationController>();
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsernameOrEmailAddressAndPassword(It.IsAny<string>(), It.IsAny<string>()))
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Authenticate(It.IsAny<string>(), It.IsAny<string>()))
                     .ReturnsNull();
-
+                var controller = GetController<AuthenticationController>();
+                
                 var result = controller.SignIn(new SignInRequest(), "theReturnUrl") as ViewResult;
 
                 Assert.NotNull(result);
@@ -147,17 +141,44 @@ public void WillInvalidateModelStateAndShowTheViewWithErrorsWhenTheUsernameAndPa
             }
             
             [Fact]
-            public void WillRedirectToTheReturnUrl()
+            public void WillRedirectToHomeIfReturnUrlNotLocal()
             {
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername") { UnconfirmedEmailAddress = "unconfirmed@example.com" },
+                    new Credential() { Type = "Foo" });
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Authenticate("confirmed@example.com", "thePassword"))
+                    .Returns(authUser);
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.CreateSession(It.IsAny<IOwinContext>(), authUser.User, AuthenticationTypes.Password));
                 var controller = GetController<AuthenticationController>();
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsernameOrEmailAddressAndPassword(It.IsAny<string>(), It.IsAny<string>()))
-                    .Returns(new User("theUsername") { EmailAddress = "confirmed@example.com" });
-
-                var result = controller.SignIn(new SignInRequest(), "theReturnUrl");
+                
+                var result = controller.SignIn(
+                    new SignInRequest { UserNameOrEmail = "confirmed@example.com", Password = "thePassword" }, 
+                    "http://www.microsoft.com");
 
                 ResultAssert.IsRedirectTo(result, "/");
             }
+            
+            [Fact]
+            public void WillRedirectToTheReturnUrlIfLocal()
+            {
+                var authUser = new AuthenticatedUser(
+                    new User("theUsername") { UnconfirmedEmailAddress = "unconfirmed@example.com" },
+                    new Credential() { Type = "Foo" });
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Authenticate("confirmed@example.com", "thePassword"))
+                    .Returns(authUser);
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.CreateSession(It.IsAny<IOwinContext>(), authUser.User, AuthenticationTypes.Password));
+                var controller = GetController<AuthenticationController>();
+                
+                var result = controller.SignIn(
+                    new SignInRequest { UserNameOrEmail = "confirmed@example.com", Password = "thePassword" }, 
+                    "/packages/upload");
+
+                ResultAssert.IsRedirectTo(result, "/packages/upload");
+            }
         }
 
         public class TheRegisterAction : TestContainer
@@ -177,14 +198,17 @@ public void WillShowTheViewWithErrorsIfTheModelStateIsInvalid()
             }
 
             [Fact]
-            public void WillCreateTheUser()
+            public void WillCreateAndLogInTheUser()
             {
+                var authUser = new AuthenticatedUser(new User("theUsername"), new Credential());
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Register("theUsername", "thePassword", "theEmailAddress"))
+                    .Returns(authUser);
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.CreateSession(It.IsAny<IOwinContext>(), authUser.User, AuthenticationTypes.Password))
+                    .Verifiable();
                 var controller = GetController<AuthenticationController>();
-                var user = new User("theUsername");
-                GetMock<IUserService>()
-                    .Setup(x => x.Create(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>()))
-                    .Returns(user);
-
+                
                 controller.Register(
                     new RegisterRequest
                     {
@@ -193,18 +217,17 @@ public void WillCreateTheUser()
                         EmailAddress = "theEmailAddress",
                     }, null);
 
-                GetMock<IUserService>()
-                    .Verify(x => x.Create("theUsername", "thePassword", "theEmailAddress"));
+                GetMock<AuthenticationService>().VerifyAll();
             }
 
             [Fact]
             public void WillInvalidateModelStateAndShowTheViewWhenAnEntityExceptionIsThrow()
             {
-                var controller = GetController<AuthenticationController>();
-                GetMock<IUserService>()
-                    .Setup(x => x.Create(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>()))
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Register(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>()))
                     .Throws(new EntityException("aMessage"));
-
+                var controller = GetController<AuthenticationController>();
+                
                 var request = new RegisterRequest
                 {
                     Username = "theUsername",
@@ -221,12 +244,14 @@ public void WillInvalidateModelStateAndShowTheViewWhenAnEntityExceptionIsThrow()
             [Fact]
             public void WillRedirectToTheReturnUrl()
             {
-                var controller = GetController<AuthenticationController>();
                 var user = new User("theUsername") { UnconfirmedEmailAddress = "unconfirmed@example.com" };
-                GetMock<IUserService>()
-                    .Setup(x => x.Create(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>()))
-                    .Returns(user);
-
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.Register("theUsername", "thepassword", "unconfirmed@example.com"))
+                    .Returns(new AuthenticatedUser(user, new Credential()));
+                GetMock<AuthenticationService>()
+                    .Setup(x => x.CreateSession(It.IsAny<IOwinContext>(), user, AuthenticationTypes.Password));
+                var controller = GetController<AuthenticationController>();
+                
                 var result = controller.Register(new RegisterRequest
                     {
                         EmailAddress = "unconfirmed@example.com",
diff --git a/tests/NuGetGallery.Facts/Controllers/CuratedFeedsControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/CuratedFeedsControllerFacts.cs
index d4dd228051..add06b9758 100644
--- a/tests/NuGetGallery.Facts/Controllers/CuratedFeedsControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/CuratedFeedsControllerFacts.cs
@@ -1,10 +1,13 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Security.Principal;
 using System.Web;
 using System.Web.Mvc;
 using Moq;
+using NuGetGallery.Authentication;
+using NuGetGallery.Framework;
 using Xunit;
 
 namespace NuGetGallery
@@ -16,12 +19,11 @@ public class TestableCuratedFeedsController : CuratedFeedsController
             public TestableCuratedFeedsController()
             {
                 StubCuratedFeed = new CuratedFeed
-                    { Key = 0, Name = "aName", Managers = new HashSet<User>(new[] { new User { Username = "aUsername" } }) };
+                    { Key = 0, Name = "aName", Managers = new HashSet<User>(new[] { Fakes.User }) };
                 StubCuratedFeedService = new Mock<ICuratedFeedService>();
-                StubIdentity = new Mock<IIdentity>();
 
-                StubIdentity.Setup(stub => stub.IsAuthenticated).Returns(true);
-                StubIdentity.Setup(stub => stub.Name).Returns("aUsername");
+                OwinContext = Fakes.CreateOwinContext();
+
                 StubCuratedFeedService
                     .Setup(stub => stub.GetFeedByName(It.IsAny<string>(), It.IsAny<bool>()))
                     .Returns(StubCuratedFeed);
@@ -30,18 +32,18 @@ public TestableCuratedFeedsController()
 
                 StubSearchService = new Mock<ISearchService>();
                 SearchService = StubSearchService.Object;
+
+                var httpContext = new Mock<HttpContextBase>();
+                TestUtility.SetupHttpContextMockForUrlGeneration(httpContext, this);
+
+                this.SetCurrentUser(Fakes.User);
+
             }
 
             public CuratedFeed StubCuratedFeed { get; set; }
             public Mock<ICuratedFeedService> StubCuratedFeedService { get; private set; }
             public Mock<ISearchService> StubSearchService { get; private set; }
-            public Mock<IIdentity> StubIdentity { get; private set; }
-
-            public override IIdentity Identity
-            {
-                get { return StubIdentity.Object; }
-            }
-
+            
             protected internal override T GetService<T>()
             {
                 if (typeof(T) == typeof(ICuratedFeedService))
@@ -61,7 +63,7 @@ public void WillReturn404IfTheCuratedFeedDoesNotExist()
                 var controller = new TestableCuratedFeedsController();
                 controller.StubCuratedFeedService.Setup(stub => stub.GetFeedByName(It.IsAny<string>(), It.IsAny<bool>())).Returns((CuratedFeed)null);
 
-                var result = controller.CuratedFeed("aFeedName");
+                var result = controller.CuratedFeed("aName");
 
                 Assert.IsType<HttpNotFoundResult>(result);
             }
@@ -70,9 +72,9 @@ public void WillReturn404IfTheCuratedFeedDoesNotExist()
             public void WillReturn403IfTheCurrentUsersIsNotAManagerOfTheCuratedFeed()
             {
                 var controller = new TestableCuratedFeedsController();
-                controller.StubIdentity.Setup(stub => stub.Name).Returns("notAManager");
+                controller.SetCurrentUser(Fakes.Owner);
 
-                var result = controller.CuratedFeed("aFeedName") as HttpStatusCodeResult;
+                var result = controller.CuratedFeed("aName") as HttpStatusCodeResult;
 
                 Assert.NotNull(result);
                 Assert.Equal(403, result.StatusCode);
@@ -82,26 +84,22 @@ public void WillReturn403IfTheCurrentUsersIsNotAManagerOfTheCuratedFeed()
             public void WillPassTheCuratedFeedNameToTheView()
             {
                 var controller = new TestableCuratedFeedsController();
-                controller.StubCuratedFeed.Name = "theCuratedFeedName";
-
-                var viewModel = (controller.CuratedFeed("aFeedName") as ViewResult).Model as CuratedFeedViewModel;
+                
+                var viewModel = (controller.CuratedFeed("aName") as ViewResult).Model as CuratedFeedViewModel;
 
                 Assert.NotNull(viewModel);
-                Assert.Equal("theCuratedFeedName", viewModel.Name);
+                Assert.Equal("aName", viewModel.Name);
             }
 
             [Fact]
             public void WillPassTheCuratedFeedManagersToTheView()
             {
                 var controller = new TestableCuratedFeedsController();
-                controller.StubIdentity.Setup(stub => stub.Name).Returns("theManager");
-                controller.StubCuratedFeed.Name = "aFeedName";
-                controller.StubCuratedFeed.Managers = new HashSet<User>(new[] { new User { Username = "theManager" } });
-
-                var viewModel = (controller.CuratedFeed("aFeedName") as ViewResult).Model as CuratedFeedViewModel;
+                
+                var viewModel = (controller.CuratedFeed("aName") as ViewResult).Model as CuratedFeedViewModel;
 
                 Assert.NotNull(viewModel);
-                Assert.Equal("theManager", viewModel.Managers.First());
+                Assert.Equal(Fakes.User.Username, viewModel.Managers.First());
             }
 
             [Fact]
@@ -131,7 +129,7 @@ public void WillPassTheIncludedPackagesToTheView()
                                 }
                         });
 
-                var viewModel = (controller.CuratedFeed("aFeedName") as ViewResult).Model as CuratedFeedViewModel;
+                var viewModel = (controller.CuratedFeed("aName") as ViewResult).Model as CuratedFeedViewModel;
 
                 Assert.NotNull(viewModel);
                 Assert.Equal(2, viewModel.IncludedPackages.Count());
@@ -166,7 +164,7 @@ public void WillPassTheExcludedPackagesToTheView()
                                 }
                         });
 
-                var viewModel = (controller.CuratedFeed("aFeedName") as ViewResult).Model as CuratedFeedViewModel;
+                var viewModel = (controller.CuratedFeed("aName") as ViewResult).Model as CuratedFeedViewModel;
 
                 Assert.NotNull(viewModel);
                 Assert.Equal(1, viewModel.ExcludedPackages.Count());
diff --git a/tests/NuGetGallery.Facts/Controllers/CuratedPackagesControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/CuratedPackagesControllerFacts.cs
index 41eeab2c7f..5b30a0ca21 100644
--- a/tests/NuGetGallery.Facts/Controllers/CuratedPackagesControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/CuratedPackagesControllerFacts.cs
@@ -3,8 +3,10 @@
 using System.Linq;
 using System.Linq.Expressions;
 using System.Security.Principal;
+using System.Web;
 using System.Web.Mvc;
 using Moq;
+using NuGetGallery.Framework;
 using Xunit;
 
 namespace NuGetGallery
@@ -16,12 +18,10 @@ public class TestableCuratedPackagesController : CuratedPackagesController
             public TestableCuratedPackagesController()
             {
                 StubCuratedFeed = new CuratedFeed
-                    { Key = 0, Name = "aFeedName", Managers = new HashSet<User>(new[] { new User { Username = "aUsername" } }) };
-                StubIdentity = new Mock<IIdentity>();
+                    { Key = 0, Name = "aFeedName", Managers = new HashSet<User>(new[] { Fakes.User }) };
                 StubPackageRegistration = new PackageRegistration { Key = 0, Id = "anId" };
 
-                StubIdentity.Setup(stub => stub.IsAuthenticated).Returns(true);
-                StubIdentity.Setup(stub => stub.Name).Returns("aUsername");
+                OwinContext = Fakes.CreateOwinContext();
 
                 EntitiesContext = new FakeEntitiesContext();
                 EntitiesContext.CuratedFeeds.Add(StubCuratedFeed);
@@ -36,16 +36,13 @@ public TestableCuratedPackagesController()
                 base.CuratedFeedService = new CuratedFeedService(
                     curatedFeedRepository,
                     curatedPackageRepository);
+
+                var httpContext = new Mock<HttpContextBase>();
+                TestUtility.SetupHttpContextMockForUrlGeneration(httpContext, this);
             }
 
             public CuratedFeed StubCuratedFeed { get; set; }
-            public Mock<IIdentity> StubIdentity { get; private set; }
             public PackageRegistration StubPackageRegistration { get; private set; }
-
-            public override IIdentity Identity
-            {
-                get { return StubIdentity.Object; }
-            }
         }
 
         public class TheDeleteCuratedPackageAction
@@ -54,6 +51,7 @@ public class TheDeleteCuratedPackageAction
             public void WillReturn404IfTheCuratedFeedDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 
                 var result = controller.DeleteCuratedPackage("aStrangeCuratedFeedName", "anId");
 
@@ -64,6 +62,7 @@ public void WillReturn404IfTheCuratedFeedDoesNotExist()
             public void WillReturn404IfTheCuratedPackageDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Packages = new[] { new CuratedPackage { PackageRegistration = new PackageRegistration() } };
 
                 var result = controller.DeleteCuratedPackage("aFeedName", "aStrangeCuratedPackageId");
@@ -75,9 +74,7 @@ public void WillReturn404IfTheCuratedPackageDoesNotExist()
             public void WillReturn403IfTheUserNotAManager()
             {
                 var controller = new TestableCuratedPackagesController();
-                controller.StubIdentity
-                    .Setup(i => i.Name)
-                    .Returns("notAManager");
+                controller.SetCurrentUser(Fakes.Owner);
 
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
@@ -98,6 +95,7 @@ public void WillReturn403IfTheUserNotAManager()
             public void WillDeleteTheCuratedPackageWhenRequestIsValid()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
@@ -121,6 +119,7 @@ public void WillDeleteTheCuratedPackageWhenRequestIsValid()
             public void WillReturn204AfterDeletingTheCuratedPackage()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
@@ -144,6 +143,7 @@ public class TheGetCreateCuratedPackageFormAction
             public void WillReturn404IfTheCuratedFeedDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 var result = controller.GetCreateCuratedPackageForm("aWrongFeedName");
 
@@ -154,8 +154,8 @@ public void WillReturn404IfTheCuratedFeedDoesNotExist()
             public void WillReturn403IfTheCurrentUsersIsNotAManagerOfTheCuratedFeed()
             {
                 var controller = new TestableCuratedPackagesController();
-                controller.StubIdentity.Setup(stub => stub.Name).Returns("notAManager");
-
+                controller.SetCurrentUser(Fakes.Owner);
+                
                 var result = controller.GetCreateCuratedPackageForm("aFeedName") as HttpStatusCodeResult;
 
                 Assert.NotNull(result);
@@ -166,6 +166,7 @@ public void WillReturn403IfTheCurrentUsersIsNotAManagerOfTheCuratedFeed()
             public void WillPushTheCuratedFeedNameIntoTheViewBag()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Name = "theCuratedFeedName";
 
                 var result = controller.GetCreateCuratedPackageForm("theCuratedFeedName") as ViewResult;
@@ -181,7 +182,8 @@ public class ThePatchCuratedPackageAction
             public void WillReturn404IfTheCuratedFeedDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
-                
+                controller.SetCurrentUser(Fakes.User);
+   
                 var result = controller.PatchCuratedPackage("aWrongFeedName", "anId", 
                     new ModifyCuratedPackageRequest());
 
@@ -192,6 +194,7 @@ public void WillReturn404IfTheCuratedFeedDoesNotExist()
             public void WillReturn404IfTheCuratedPackageDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 var result = controller.PatchCuratedPackage("aFeedName", "aWrongId", new ModifyCuratedPackageRequest());
 
@@ -202,9 +205,7 @@ public void WillReturn404IfTheCuratedPackageDoesNotExist()
             public void WillReturn403IfNotAFeedManager()
             {
                 var controller = new TestableCuratedPackagesController();
-                controller.StubIdentity
-                    .Setup(i => i.Name)
-                    .Returns("notAManager");
+                controller.SetCurrentUser(Fakes.Owner);
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
                     {
@@ -225,6 +226,7 @@ public void WillReturn403IfNotAFeedManager()
             public void WillReturn400IfTheModelStateIsInvalid()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
                     {
@@ -248,6 +250,7 @@ public void WillReturn400IfTheModelStateIsInvalid()
             public void WillModifyTheCuratedPackageWhenRequestIsValid()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
                     {
@@ -274,6 +277,7 @@ public void WillModifyTheCuratedPackageWhenRequestIsValid()
             public void WillReturn204AfterModifyingTheCuratedPackage()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage
                     {
@@ -298,6 +302,7 @@ public class ThePostCuratedPackagesAction
             public void WillReturn404IfTheCuratedFeedDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 var result = controller.PostCuratedPackages(
                     "aWrongFeedName", 
@@ -310,7 +315,7 @@ public void WillReturn404IfTheCuratedFeedDoesNotExist()
             public void WillReturn403IfTheCurrentUsersIsNotAManagerOfTheCuratedFeed()
             {
                 var controller = new TestableCuratedPackagesController();
-                controller.StubIdentity.Setup(stub => stub.Name).Returns("notAManager");
+                controller.SetCurrentUser(Fakes.Owner);
 
                 var result = controller.PostCuratedPackages(
                     "aFeedName",
@@ -325,6 +330,7 @@ public void WillReturn403IfTheCurrentUsersIsNotAManagerOfTheCuratedFeed()
             public void WillPushTheCuratedFeedNameIntoTheViewBagAndShowTheCreateCuratedPackageFormWithErrorsWhenModelStateIsInvalid()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Name = "theCuratedFeedName";
                 controller.ModelState.AddModelError("", "anError");
 
@@ -340,6 +346,7 @@ public void WillPushTheCuratedFeedNameIntoTheViewBagAndShowTheCreateCuratedPacka
             public void WillPushTheCuratedFeedNameIntoTheViewBagAndShowTheCreateCuratedPackageFormWithErrorsWhenThePackageIdDoesNotExist()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 var result = controller.PostCuratedPackages("aFeedName",
                     new CreateCuratedPackageRequest { PackageId = "aWrongId" }) as ViewResult;
@@ -354,6 +361,7 @@ public void WillPushTheCuratedFeedNameIntoTheViewBagAndShowTheCreateCuratedPacka
             public void WillCreateTheCuratedPackage()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 controller.PostCuratedPackages(
                     "aFeedName",
@@ -374,6 +382,7 @@ public void WillCreateTheCuratedPackage()
             public void WillRedirectToTheCuratedFeedRouteAfterCreatingTheCuratedPackage()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
 
                 var result = controller.PostCuratedPackages(
                     "aFeedName", new CreateCuratedPackageRequest { PackageId = "anId" }) 
@@ -387,6 +396,7 @@ public void WillRedirectToTheCuratedFeedRouteAfterCreatingTheCuratedPackage()
             public void WillShowAnErrorWhenThePackageHasAlreadyBeenCurated()
             {
                 var controller = new TestableCuratedPackagesController();
+                controller.SetCurrentUser(Fakes.User);
                 controller.StubCuratedFeed.Packages.Add(
                     new CuratedPackage { 
                         CuratedFeed = controller.StubCuratedFeed,
diff --git a/tests/NuGetGallery.Facts/Controllers/JsonApiControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/JsonApiControllerFacts.cs
index d46ef14d4d..8eee1c1b9f 100644
--- a/tests/NuGetGallery.Facts/Controllers/JsonApiControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/JsonApiControllerFacts.cs
@@ -39,7 +39,9 @@ public void DoesNotAllowNonPackageOwnerToAddPackageOwner()
             public void ReturnsFailureWhenRequestedNewOwnerDoesNotExist()
             {
                 var controller = GetController<JsonApiController>();
-                controller.SetUser(Fakes.Owner);
+                GetMock<HttpContextBase>()
+                    .Setup(c => c.User)
+                    .Returns(Fakes.Owner.ToPrincipal());
 
                 dynamic result = controller.AddPackageOwner(Fakes.Package.Id, "notARealUser");
 
@@ -51,7 +53,9 @@ public void ReturnsFailureWhenRequestedNewOwnerDoesNotExist()
             public void CreatesPackageOwnerRequestSendsEmailAndReturnsPendingState()
             {
                 var controller = GetController<JsonApiController>();
-                controller.SetUser(Fakes.Owner);
+                GetMock<HttpContextBase>()
+                    .Setup(c => c.User)
+                    .Returns(Fakes.Owner.ToPrincipal());
 
                 GetMock<IPackageService>()
                     .Setup(p => p.CreatePackageOwnerRequest(Fakes.Package, Fakes.Owner, Fakes.User))
diff --git a/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs
index d93de64d02..15e7a5bbf2 100644
--- a/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs
@@ -25,11 +25,9 @@ public class PackagesControllerFacts
         private static PackagesController CreateController(
             Mock<IPackageService> packageService = null,
             Mock<IUploadFileService> uploadFileService = null,
-            Mock<IUserService> userService = null,
             Mock<IMessageService> messageService = null,
             Mock<HttpContextBase> httpContext = null,
             Mock<EditPackageService> editPackageService = null,
-            IPrincipal fakeUser = null,
             Mock<INupkg> fakeNuGetPackage = null,
             Mock<ISearchService> searchService = null,
             Exception readPackageException = null,
@@ -49,7 +47,6 @@ private static PackagesController CreateController(
                 uploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(null));
                 uploadFileService.Setup(x => x.SaveUploadFileAsync(42, It.IsAny<Stream>())).Returns(Task.FromResult(0));
             }
-            userService = userService ?? new Mock<IUserService>();
             messageService = messageService ?? new Mock<IMessageService>();
             searchService = searchService ?? CreateSearchService();
             autoCuratePackageCmd = autoCuratePackageCmd ?? new Mock<IAutomaticallyCuratePackageCommand>();
@@ -73,7 +70,6 @@ private static PackagesController CreateController(
             var controller = new Mock<PackagesController>(
                 packageService.Object,
                 uploadFileService.Object,
-                userService.Object,
                 messageService.Object,
                 searchService.Object,
                 autoCuratePackageCmd.Object,
@@ -83,15 +79,13 @@ private static PackagesController CreateController(
                 config.Object,
                 indexingService.Object,
                 cacheService.Object,
-                editPackageService.Object,
-                fakeUser);
+                editPackageService.Object);
             controller.CallBase = true;
+            controller.Object.OwinContext = Fakes.CreateOwinContext();
 
-            if (httpContext != null)
-            {
-                TestUtility.SetupHttpContextMockForUrlGeneration(httpContext, controller.Object);
-            }
-
+            httpContext = httpContext ?? new Mock<HttpContextBase>();
+            TestUtility.SetupHttpContextMockForUrlGeneration(httpContext, controller.Object);
+            
             if (readPackageException != null)
             {
                 controller.Setup(x => x.CreatePackage(It.IsAny<Stream>())).Throws(readPackageException);
@@ -125,14 +119,11 @@ public class TheCancelVerifyPackageAction
             [Fact]
             public async Task DeletesTheInProgressPackageUpload()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.CancelUpload();
 
@@ -142,21 +133,16 @@ public async Task DeletesTheInProgressPackageUpload()
             [Fact]
             public async Task RedirectsToUploadPageAfterDelete()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.CancelUpload() as RedirectToRouteResult;
 
                 Assert.False(result.Permanent);
                 Assert.Equal("UploadPackage", result.RouteValues["Action"]);
-                // TODO: Figure out why the RouteValues collection no longer contains "Controller" parameter
-                //Assert.Equal("Packages", result.RouteValues["Controller"]);
             }
         }
 
@@ -203,8 +189,8 @@ public void GivenAValidPackageThatTheCurrentUserDoesNotOwnItDisplaysCurrentMetad
                 // Arrange
                 var packageService = new Mock<IPackageService>();
                 var controller = CreateController(
-                    packageService: packageService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    packageService: packageService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 packageService.Setup(p => p.FindPackageByIdAndVersion("Foo", "1.1.1", true))
                               .Returns(new Package()
@@ -240,8 +226,8 @@ public void GivenAValidPackageThatTheCurrentUserOwnsItDisablesResponseCaching()
                 var controller = CreateController(
                     packageService: packageService,
                     editPackageService: editPackageService,
-                    httpContext: httpContext,
-                    fakeUser: TestUtility.FakePrincipal);
+                    httpContext: httpContext);
+                controller.SetCurrentUser(TestUtility.FakeUser);
                 httpContext.Setup(c => c.Response.Cache).Returns(httpCachePolicy.Object);
 
                 httpCachePolicy.Setup(c => c.SetCacheability(HttpCacheability.NoCache)).Verifiable();
@@ -283,8 +269,8 @@ public void GivenAValidPackageThatTheCurrentUserOwnsWithNoEditsItDisplaysCurrent
                 var controller = CreateController(
                     packageService: packageService,
                     editPackageService: editPackageService,
-                    httpContext: httpContext,
-                    fakeUser: TestUtility.FakePrincipal);
+                    httpContext: httpContext);
+                controller.SetCurrentUser(TestUtility.FakeUser);
                 httpContext.Setup(c => c.Response.Cache).Returns(httpCachePolicy.Object);
 
                 var package = new Package()
@@ -327,8 +313,8 @@ public void GivenAValidPackageThatTheCurrentUserOwnsWithEditsItDisplaysEditedMet
                 var controller = CreateController(
                     packageService: packageService,
                     editPackageService: editPackageService,
-                    httpContext: httpContext,
-                    fakeUser: TestUtility.FakePrincipal);
+                    httpContext: httpContext);
+                controller.SetCurrentUser(TestUtility.FakeUser);
                 httpContext.Setup(c => c.Response.Cache).Returns(httpCachePolicy.Object);
                 var package = new Package()
                 {
@@ -370,10 +356,9 @@ public void WithEmptyTokenReturnsHttpNotFound()
             {
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageRegistrationById("foo")).Returns(new PackageRegistration());
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("username")).Returns(new User { Username = "username" });
-                var controller = CreateController(packageService: packageService, userService: userService);
-
+                var controller = CreateController(packageService: packageService);
+                controller.SetCurrentUser(new User { Username = "username" });
+                
                 var result = controller.ConfirmOwner("foo", "username", "");
 
                 Assert.IsType<HttpNotFoundResult>(result);
@@ -382,66 +367,29 @@ public void WithEmptyTokenReturnsHttpNotFound()
             [Fact]
             public void WithNonExistentPackageIdReturnsHttpNotFound()
             {
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("username")).Returns(new User { Username = "username" });
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(c => c.User.Identity.Name).Returns("username");
-                var controller = CreateController(userService: userService, httpContext: httpContext);
-
-                var result = controller.ConfirmOwner("foo", "username", "token");
-
-                Assert.IsType<HttpNotFoundResult>(result);
-            }
-
-            [Fact]
-            public void WithNonExistentUserReturnsHttpNotFound()
-            {
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(c => c.User.Identity.Name).Returns("username");
-                var packageService = new Mock<IPackageService>();
-                packageService.Setup(p => p.FindPackageRegistrationById("foo")).Returns(new PackageRegistration());
-                var controller = CreateController(packageService: packageService, httpContext: httpContext);
-
+                // Arrange
+                var controller = CreateController();
+                controller.SetCurrentUser(new User { Username = "username" });
+                
+                // Act
                 var result = controller.ConfirmOwner("foo", "username", "token");
-
+                
+                // Assert
                 Assert.IsType<HttpNotFoundResult>(result);
             }
 
             [Fact]
             public void WithIdentityNotMatchingUserInRequestReturnsViewWithMessage()
             {
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(c => c.User.Identity.Name).Returns("userA");
-                var controller = CreateController(httpContext: httpContext);
-
+                var controller = CreateController();
+                controller.SetCurrentUser("userA");
                 var result = controller.ConfirmOwner("foo", "userB", "token");
-
+                
                 var model = ResultAssert.IsView<PackageOwnerConfirmationModel>(result);
                 Assert.Equal(ConfirmOwnershipResult.NotYourRequest, model.Result);
                 Assert.Equal("userB", model.Username);
             }
 
-            [Fact]
-            public void RequiresUserBeLoggedInToConfirm()
-            {
-                var package = new PackageRegistration { Id = "foo" };
-                var user = new User { Username = "username" };
-                var packageService = new Mock<IPackageService>();
-                packageService.Setup(p => p.FindPackageRegistrationById("foo")).Returns(package);
-                packageService.Setup(p => p.ConfirmPackageOwner(package, user, "token")).Returns(ConfirmOwnershipResult.Success);
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("username")).Returns(user);
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(c => c.User.Identity.Name).Returns("not-username");
-                var controller = CreateController(packageService: packageService, userService: userService, httpContext: httpContext);
-
-                var result = controller.ConfirmOwner("foo", "username", "token");
-
-                var viewModel = ResultAssert.IsView<PackageOwnerConfirmationModel>(result);
-                Assert.Equal("username", viewModel.Username);
-                Assert.Equal(ConfirmOwnershipResult.NotYourRequest, viewModel.Result);
-            }
-
             [Theory]
             [InlineData(ConfirmOwnershipResult.Success)]
             [InlineData(ConfirmOwnershipResult.AlreadyOwner)]
@@ -453,12 +401,9 @@ public void AcceptsResultOfPackageServiceIfOtherwiseValid(ConfirmOwnershipResult
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageRegistrationById("foo")).Returns(package);
                 packageService.Setup(p => p.ConfirmPackageOwner(package, user, "token")).Returns(confirmationResult);
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("username")).Returns(user);
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(c => c.User.Identity.Name).Returns("username");
-                var controller = CreateController(packageService: packageService, userService: userService, httpContext: httpContext);
-
+                var controller = CreateController(packageService: packageService);
+                controller.SetCurrentUser(user);
+                
                 var result = controller.ConfirmOwner("foo", "username", "token");
 
                 var model = ResultAssert.IsView<PackageOwnerConfirmationModel>(result);
@@ -508,16 +453,11 @@ public void HtmlEncodesMessageContent()
 
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageRegistrationById("factory")).Returns(package);
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Montgomery");
                 var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("Montgomery")).Returns(
-                    new User { EmailAddress = "montgomery@burns.example.com", Username = "Montgomery" });
                 var controller = CreateController(
                     packageService: packageService,
-                    messageService: messageService,
-                    userService: userService,
-                    httpContext: httpContext);
+                    messageService: messageService);
+                controller.SetCurrentUser(new User { EmailAddress = "montgomery@burns.example.com", Username = "Montgomery" });
                 var model = new ContactOwnersViewModel
                 {
                     Message = "I like the cut of your jib. It's <b>bold</b>.",
@@ -542,17 +482,11 @@ public void CallsSendContactOwnersMessageWithUserInfo()
 
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageRegistrationById("factory")).Returns(package);
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Montgomery");
                 var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("Montgomery")).Returns(
-                    new User { EmailAddress = "montgomery@burns.example.com", Username = "Montgomery" });
                 var controller = CreateController(
                     packageService: packageService,
-                    messageService: messageService,
-                    userService: userService,
-                    httpContext: httpContext,
-                    fakeUser: Fakes.User.ToPrincipal());
+                    messageService: messageService);
+                controller.SetCurrentUser(new User { EmailAddress = "montgomery@burns.example.com", Username = "Montgomery" });
                 var model = new ContactOwnersViewModel
                     {
                         Message = "I like the cut of your jib",
@@ -583,13 +517,10 @@ public void UpdatesUnlistedIfSelected()
                 packageService.Setup(svc => svc.MarkPackageUnlisted(It.IsAny<Package>(), It.IsAny<bool>())).Verifiable();
                 packageService.Setup(svc => svc.FindPackageByIdAndVersion("Foo", "1.0", true)).Returns(package).Verifiable();
 
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(true);
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Frodo");
-
                 var indexingService = new Mock<IIndexingService>();
 
-                var controller = CreateController(packageService: packageService, httpContext: httpContext, indexingService: indexingService);
+                var controller = CreateController(packageService: packageService, indexingService: indexingService);
+                controller.SetCurrentUser("Frodo");
                 controller.Url = new UrlHelper(new RequestContext(), new RouteCollection());
 
                 // Act
@@ -619,13 +550,10 @@ public void UpdatesUnlistedIfNotSelected()
                 packageService.Setup(svc => svc.MarkPackageUnlisted(It.IsAny<Package>(), It.IsAny<bool>())).Throws(new Exception("Shouldn't be called"));
                 packageService.Setup(svc => svc.FindPackageByIdAndVersion("Foo", "1.0", true)).Returns(package).Verifiable();
 
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(true);
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Frodo");
-
                 var indexingService = new Mock<IIndexingService>();
 
-                var controller = CreateController(packageService: packageService, httpContext: httpContext, indexingService: indexingService);
+                var controller = CreateController(packageService: packageService, indexingService: indexingService);
+                controller.SetCurrentUser("Frodo");
                 controller.Url = new UrlHelper(new RequestContext(), new RouteCollection());
 
                 // Act
@@ -644,11 +572,9 @@ public class TheListPackagesMethod
             [Fact]
             public void TrimsSearchTerm()
             {
-                var fakeIdentity = new Mock<IIdentity>();
-                var httpContext = new Mock<HttpContextBase>();
                 var searchService = new Mock<ISearchService>();
-
-                var controller = CreateController(fakeUser: TestUtility.FakePrincipal, httpContext: httpContext, searchService: searchService);
+                var controller = CreateController(searchService: searchService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = controller.ListPackages(" test ") as ViewResult;
 
@@ -673,7 +599,6 @@ public void SendsMessageToGalleryOwnerWithEmailOnlyWhenUnauthenticated()
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageByIdAndVersion("mordor", "2.0.1", true)).Returns(package);
                 var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(false);
                 var controller = CreateController(
                     packageService: packageService,
                     messageService: messageService,
@@ -706,6 +631,7 @@ public void SendsMessageToGalleryOwnerWithUserInfoWhenAuthenticated()
                 var messageService = new Mock<IMessageService>();
                 messageService.Setup(
                     s => s.ReportAbuse(It.Is<ReportPackageRequest>(r => r.Message == "Mordor took my finger")));
+                var user = new User { EmailAddress = "frodo@hobbiton.example.com", Username = "Frodo", Key = 1 };
                 var package = new Package
                     {
                         PackageRegistration = new PackageRegistration { Id = "mordor" },
@@ -714,26 +640,21 @@ public void SendsMessageToGalleryOwnerWithUserInfoWhenAuthenticated()
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageByIdAndVersion("mordor", It.IsAny<string>(), true)).Returns(package);
                 var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(true);
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Frodo");
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("Frodo")).Returns(new User { EmailAddress = "frodo@hobbiton.example.com", Username = "Frodo", Key = 1 });
                 var controller = CreateController(
                     packageService: packageService,
                     messageService: messageService,
-                    userService: userService,
                     httpContext: httpContext);
+                controller.SetCurrentUser(user);
                 var model = new ReportAbuseViewModel
                     {
                         Message = "Mordor took my finger",
-                        Reason = ReportPackageReason.IsFraudulent,
+                        Reason = ReportPackageReason.IsFraudulent
                     };
 
                 TestUtility.SetupUrlHelper(controller, httpContext);
                 ActionResult result = controller.ReportAbuse("mordor", "2.0.1", model) as RedirectResult;
 
                 Assert.NotNull(result);
-                userService.VerifyAll();
                 messageService.Verify(
                     s => s.ReportAbuse(
                         It.Is<ReportPackageRequest>(
@@ -746,22 +667,19 @@ public void SendsMessageToGalleryOwnerWithUserInfoWhenAuthenticated()
             [Fact]
             public void FormRedirectsPackageOwnerToReportMyPackage()
             {
+                var user = new User { EmailAddress = "darklord@mordor.com", Username = "Sauron" };
                 var package = new Package
                 {
-                    PackageRegistration = new PackageRegistration { Id = "Mordor", Owners = { new User { Username = "Sauron" } } },
+                    PackageRegistration = new PackageRegistration { Id = "Mordor", Owners = { user } },
                     Version = "2.0.1"
                 };
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageByIdAndVersion("Mordor", It.IsAny<string>(), true)).Returns(package);
                 var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(true);
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Sauron");
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("Sauron")).Returns(new User { EmailAddress = "darklord@mordor.com", Username = "Sauron" });
                 var controller = CreateController(
                     packageService: packageService,
-                    userService: userService,
                     httpContext: httpContext);
+                controller.SetCurrentUser(user);
 
                 TestUtility.SetupUrlHelper(controller, httpContext);
                 ActionResult result = controller.ReportAbuse("Mordor", "2.0.1");
@@ -820,17 +738,14 @@ public void FormRedirectsNonOwnersToReportAbuse()
                     PackageRegistration = new PackageRegistration { Id = "Mordor", Owners = { new User { Username = "Sauron", Key = 1 } } },
                     Version = "2.0.1"
                 };
+                var user = new User { EmailAddress = "frodo@hobbiton.example.com", Username = "Frodo", Key = 2 };
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageByIdAndVersion("Mordor", It.IsAny<string>(), true)).Returns(package);
                 var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(true);
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Frodo");
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername("Frodo")).Returns(new User { EmailAddress = "frodo@hobbiton.example.com", Username = "Frodo", Key = 2 });
                 var controller = CreateController(
                     packageService: packageService,
-                    userService: userService,
                     httpContext: httpContext);
+                controller.SetCurrentUser(user);
 
                 TestUtility.SetupUrlHelper(controller, httpContext);
                 ActionResult result = controller.ReportMyPackage("Mordor", "2.0.1");
@@ -849,22 +764,18 @@ public void HtmlEncodesMessageContent()
                 };
                 var packageService = new Mock<IPackageService>();
                 packageService.Setup(p => p.FindPackageByIdAndVersion("mordor", "2.0.1", true)).Returns(package);
-                var httpContext = new Mock<HttpContextBase>();
-                httpContext.Setup(h => h.Request.IsAuthenticated).Returns(true);
-                httpContext.Setup(h => h.User.Identity.Name).Returns("Sauron");
-                var userService = new Mock<IUserService>();
-                userService.Setup(u => u.FindByUsername(user.Username)).Returns(user);
-
+                
                 ReportPackageRequest reportRequest = null;
                 var messageService = new Mock<IMessageService>();
                 messageService
                     .Setup(s => s.ReportMyPackage(It.IsAny<ReportPackageRequest>()))
                     .Callback<ReportPackageRequest>(r => reportRequest = r);
+                var httpContext = new Mock<HttpContextBase>();
                 var controller = CreateController(
                     packageService: packageService,
                     messageService: messageService,
-                    userService: userService,
                     httpContext: httpContext);
+                controller.SetCurrentUser(user);
                 var model = new ReportAbuseViewModel
                 {
                     Email = "frodo@hobbiton.example.com",
@@ -889,15 +800,12 @@ public class TheUploadFileActionForGetRequests
             [Fact]
             public async Task WillRedirectToVerifyPackageActionWhenThereIsAlreadyAnUploadInProgress()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeFileStream = new MemoryStream();
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage() as RedirectToRouteResult;
 
@@ -909,14 +817,11 @@ public async Task WillRedirectToVerifyPackageActionWhenThereIsAlreadyAnUploadInP
             [Fact]
             public async Task WillShowTheViewWhenThereIsNoUploadInProgress()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(null));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(null));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage() as ViewResult;
 
@@ -929,15 +834,12 @@ public class TheUploadFileActionForPostRequests
             [Fact]
             public async Task WillReturn409WhenThereIsAlreadyAnUploadInProgress()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeFileStream = new MemoryStream();
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(null) as HttpStatusCodeResult;
 
@@ -949,11 +851,8 @@ public async Task WillReturn409WhenThereIsAlreadyAnUploadInProgress()
             [Fact]
             public async Task WillShowViewWithErrorsIfPackageFileIsNull()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
-                var controller = CreateController(
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                var controller = CreateController();
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(null) as ViewResult;
 
@@ -967,11 +866,8 @@ public async Task WillShowViewWithErrorsIfFileIsNotANuGetPackage()
             {
                 var fakeUploadedFile = new Mock<HttpPostedFileBase>();
                 fakeUploadedFile.Setup(x => x.FileName).Returns("theFile.notNuPkg");
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
-                var controller = CreateController(
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                var controller = CreateController();
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(fakeUploadedFile.Object) as ViewResult;
 
@@ -985,14 +881,11 @@ public async Task WillShowViewWithErrorsIfNuGetPackageIsInvalid()
             {
                 var fakeUploadedFile = new Mock<HttpPostedFileBase>();
                 fakeUploadedFile.Setup(x => x.FileName).Returns("theFile.nupkg");
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var readPackageException = new Exception();
 
                 var controller = CreateController(
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     readPackageException: readPackageException);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(fakeUploadedFile.Object) as ViewResult;
 
@@ -1006,15 +899,12 @@ public async Task WillShowTheViewWithErrorsWhenThePackageIdIsAlreadyBeingUsed()
             {
                 var fakeUploadedFile = new Mock<HttpPostedFileBase>();
                 fakeUploadedFile.Setup(x => x.FileName).Returns("theFile.nupkg");
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakePackageRegistration = new PackageRegistration { Id = "theId", Owners = new[] { new User { Key = 1 /* not the current user */ } } };
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.FindPackageRegistrationById(It.IsAny<string>())).Returns(fakePackageRegistration);
                 var controller = CreateController(
-                    packageService: fakePackageService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    packageService: fakePackageService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(fakeUploadedFile.Object) as ViewResult;
 
@@ -1028,15 +918,12 @@ public async Task WillShowTheViewWithErrorsWhenThePackageAlreadyExists()
             {
                 var fakeUploadedFile = new Mock<HttpPostedFileBase>();
                 fakeUploadedFile.Setup(x => x.FileName).Returns("theFile.nupkg");
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.FindPackageByIdAndVersion(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<bool>())).Returns(
                     new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" });
                 var controller = CreateController(
-                    packageService: fakePackageService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    packageService: fakePackageService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(fakeUploadedFile.Object) as ViewResult;
 
@@ -1054,24 +941,21 @@ public async Task WillSaveTheUploadFile()
                 fakeUploadedFile.Setup(x => x.FileName).Returns("theFile.nupkg");
                 var fakeFileStream = new MemoryStream();
                 fakeUploadedFile.Setup(x => x.InputStream).Returns(fakeFileStream);
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(p => p.Metadata.Id).Returns("thePackageId");
                 fakeNuGetPackage.Setup(x => x.GetStream()).Returns(fakeFileStream);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(null));
-                fakeUploadFileService.Setup(x => x.SaveUploadFileAsync(42, It.IsAny<Stream>())).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(null));
+                fakeUploadFileService.Setup(x => x.SaveUploadFileAsync(TestUtility.FakeUser.Key, It.IsAny<Stream>())).Returns(Task.FromResult(0));
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.UploadPackage(fakeUploadedFile.Object);
 
-                fakeUploadFileService.Verify(x => x.SaveUploadFileAsync(42, fakeFileStream));
+                fakeUploadFileService.Verify(x => x.SaveUploadFileAsync(TestUtility.FakeUser.Key, fakeFileStream));
                 fakeFileStream.Dispose();
             }
 
@@ -1082,16 +966,13 @@ public async Task WillRedirectToVerifyPackageActionAfterSaving()
                 fakeUploadedFile.Setup(x => x.FileName).Returns("theFile.nupkg");
                 var fakeFileStream = new MemoryStream();
                 fakeUploadedFile.Setup(x => x.InputStream).Returns(fakeFileStream);
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(null));
-                fakeUploadFileService.Setup(x => x.SaveUploadFileAsync(42, It.IsAny<Stream>())).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(null));
+                fakeUploadFileService.Setup(x => x.SaveUploadFileAsync(TestUtility.FakeUser.Key, It.IsAny<Stream>())).Returns(Task.FromResult(0));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.UploadPackage(fakeUploadedFile.Object) as RedirectToRouteResult;
 
@@ -1105,16 +986,13 @@ public class TheVerifyPackageActionForGetRequests
             [Fact]
             public async Task WillRedirectToUploadPackagePageWhenThereIsNoUploadInProgress()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns<Stream>(null);
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(null));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns<Stream>(null);
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(null));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
+                    uploadFileService: fakeUploadFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.VerifyPackage() as RedirectToRouteResult;
 
@@ -1125,18 +1003,15 @@ public async Task WillRedirectToUploadPackagePageWhenThereIsNoUploadInProgress()
             [Fact]
             public async Task WillPassThePackageIdToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Id).Returns("theId");
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1147,18 +1022,15 @@ public async Task WillPassThePackageIdToTheView()
             [Fact]
             public async Task WillPassThePackageVersionToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Version).Returns(new SemanticVersion("1.0.42"));
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1169,18 +1041,15 @@ public async Task WillPassThePackageVersionToTheView()
             [Fact]
             public async Task WillPassThePackageTitleToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Title).Returns("theTitle");
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1191,18 +1060,15 @@ public async Task WillPassThePackageTitleToTheView()
             [Fact]
             public async Task WillPassThePackageSummaryToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Summary).Returns("theSummary");
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1213,18 +1079,15 @@ public async Task WillPassThePackageSummaryToTheView()
             [Fact]
             public async Task WillPassThePackageDescriptionToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Description).Returns("theDescription");
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1235,18 +1098,15 @@ public async Task WillPassThePackageDescriptionToTheView()
             [Fact]
             public async Task WillPassThePackageLicenseAcceptanceRequirementToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.RequireLicenseAcceptance).Returns(true);
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1257,18 +1117,15 @@ public async Task WillPassThePackageLicenseAcceptanceRequirementToTheView()
             [Fact]
             public async Task WillPassThePackageLicenseUrlToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.LicenseUrl).Returns(new Uri("http://theLicenseUri"));
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1279,18 +1136,15 @@ public async Task WillPassThePackageLicenseUrlToTheView()
             [Fact]
             public async Task WillPassThePackageTagsToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Tags).Returns("theTags");
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1301,18 +1155,15 @@ public async Task WillPassThePackageTagsToTheView()
             [Fact]
             public async Task WillPassThePackageProjectUrlToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.ProjectUrl).Returns(new Uri("http://theProjectUri"));
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1323,18 +1174,15 @@ public async Task WillPassThePackageProjectUrlToTheView()
             [Fact]
             public async Task WillPassThePackagAuthorsToTheView()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeUploadFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeUploadFileStream));
                 var fakeNuGetPackage = new Mock<INupkg>();
                 fakeNuGetPackage.Setup(x => x.Metadata.Authors).Returns(new[] { "firstAuthor", "secondAuthor" });
                 var controller = CreateController(
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var model = ((ViewResult)await controller.VerifyPackage()).Model as VerifyPackageRequest;
 
@@ -1348,16 +1196,13 @@ public class TheVerifyPackageActionForPostRequests
             [Fact]
             public async Task WillRedirectToUploadPageWhenThereIsNoUploadInProgress()
             {
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(new User { Key = 42 });
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(null));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(null));
                 var controller = CreateController(
-                    uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal);
-
+                    uploadFileService: fakeUploadFileService);
                 TestUtility.SetupUrlHelperForUrlGeneration(controller, new Uri("http://uploadpackage.xyz"));
+                controller.SetCurrentUser(TestUtility.FakeUser);
+
                 var result = await controller.VerifyPackage(new VerifyPackageRequest() { Listed = true, Edit = null }) as RedirectResult;
 
                 Assert.NotNull(result);
@@ -1366,13 +1211,10 @@ public async Task WillRedirectToUploadPageWhenThereIsNoUploadInProgress()
             [Fact]
             public async Task WillCreateThePackage()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(
                     new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" });
@@ -1381,13 +1223,12 @@ public async Task WillCreateThePackage()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = true, Edit = null });
 
-                fakePackageService.Verify(x => x.CreatePackage(fakeNuGetPackage.Object, fakeCurrentUser, false));
+                fakePackageService.Verify(x => x.CreatePackage(fakeNuGetPackage.Object, TestUtility.FakeUser, false));
                 fakeFileStream.Dispose();
             }
 
@@ -1395,13 +1236,10 @@ public async Task WillCreateThePackage()
             public async Task WillSavePackageToFileStorage()
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 var fakePackage = new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" };
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(fakePackage);
@@ -1412,16 +1250,15 @@ public async Task WillSavePackageToFileStorage()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage,
                     packageFileService: fakePackageFileService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = true, Edit = null });
 
                 // Assert
-                fakePackageService.Verify(x => x.CreatePackage(fakeNuGetPackage.Object, fakeCurrentUser, false));
+                fakePackageService.Verify(x => x.CreatePackage(fakeNuGetPackage.Object, TestUtility.FakeUser, false));
                 fakePackageFileService.Verify();
                 fakeFileStream.Dispose();
             }
@@ -1430,13 +1267,10 @@ public async Task WillSavePackageToFileStorage()
             public async Task WillUpdateIndexingService()
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 var fakePackage = new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" };
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(fakePackage);
@@ -1450,11 +1284,10 @@ public async Task WillUpdateIndexingService()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage,
                     packageFileService: fakePackageFileService,
                     indexingService: fakeIndexingService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = true, Edit = null });
@@ -1468,13 +1301,10 @@ public async Task WillUpdateIndexingService()
             public async Task WillSaveChangesToEntitiesContext()
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 var fakePackage = new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" };
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(fakePackage);
@@ -1486,10 +1316,9 @@ public async Task WillSaveChangesToEntitiesContext()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage,
                     entitiesContext: entitiesContext);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = true, Edit = null });
@@ -1503,13 +1332,10 @@ public async Task WillSaveChangesToEntitiesContext()
             public async Task WillNotCommitChangesToPackageService()
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>(MockBehavior.Strict);
                 var fakePackage = new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" };
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), false)).Returns(fakePackage);
@@ -1520,9 +1346,8 @@ public async Task WillNotCommitChangesToPackageService()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
@@ -1536,13 +1361,10 @@ public async Task WillNotCommitChangesToPackageService()
             [Fact]
             public async Task WillPublishThePackage()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackage = new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" };
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(fakePackage);
@@ -1550,9 +1372,8 @@ public async Task WillPublishThePackage()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = true, Edit = null });
 
@@ -1563,13 +1384,10 @@ public async Task WillPublishThePackage()
             [Fact]
             public async Task WillMarkThePackageUnlistedWhenListedArgumentIsFalse()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(
                     new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" });
@@ -1577,9 +1395,8 @@ public async Task WillMarkThePackageUnlistedWhenListedArgumentIsFalse()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
 
@@ -1593,13 +1410,10 @@ public async Task WillMarkThePackageUnlistedWhenListedArgumentIsFalse()
             [InlineData(new object[] { true })]
             public async Task WillNotMarkThePackageUnlistedWhenListedArgumentIsNullorTrue(bool? listed)
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(
                     new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" });
@@ -1607,9 +1421,8 @@ public async Task WillNotMarkThePackageUnlistedWhenListedArgumentIsNullorTrue(bo
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = listed.GetValueOrDefault(true), Edit = null });
 
@@ -1620,13 +1433,10 @@ public async Task WillNotMarkThePackageUnlistedWhenListedArgumentIsNullorTrue(bo
             [Fact]
             public async Task WillDeleteTheUploadFile()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0)).Verifiable();
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0)).Verifiable();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(
                     new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" });
@@ -1634,9 +1444,8 @@ public async Task WillDeleteTheUploadFile()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
 
@@ -1647,14 +1456,11 @@ public async Task WillDeleteTheUploadFile()
             [Fact]
             public async Task WillSetAFlashMessage()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.SaveUploadFileAsync(42, It.IsAny<Stream>())).Returns(Task.FromResult(0));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.SaveUploadFileAsync(TestUtility.FakeUser.Key, It.IsAny<Stream>())).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(
                     (new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" }));
@@ -1662,9 +1468,8 @@ public async Task WillSetAFlashMessage()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
 
@@ -1675,13 +1480,10 @@ public async Task WillSetAFlashMessage()
             [Fact]
             public async Task WillRedirectToPackagePage()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(
                     (new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" }));
@@ -1689,9 +1491,8 @@ public async Task WillRedirectToPackagePage()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 var result = await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null }) as RedirectToRouteResult;
 
@@ -1703,13 +1504,10 @@ public async Task WillRedirectToPackagePage()
             [Fact]
             public async Task WillCurateThePackage()
             {
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
                 var fakeFileStream = new MemoryStream();
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(fakeFileStream));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(fakeFileStream));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
                 var fakePackageService = new Mock<IPackageService>();
                 var fakePackage = new Package { PackageRegistration = new PackageRegistration { Id = "theId" }, Version = "theVersion" };
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(fakePackage);
@@ -1718,10 +1516,9 @@ public async Task WillCurateThePackage()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    userService: fakeUserService,
-                    fakeUser: TestUtility.FakePrincipal,
                     fakeNuGetPackage: fakeNuGetPackage,
                     autoCuratePackageCmd: fakeAutoCuratePackageCmd);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
 
@@ -1732,12 +1529,9 @@ public async Task WillCurateThePackage()
             public async Task WillExtractNuGetExe()
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(Stream.Null));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(Stream.Null));
                 var fakePackageService = new Mock<IPackageService>();
                 var commandLinePackage = new Package
                     {
@@ -1751,9 +1545,8 @@ public async Task WillExtractNuGetExe()
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    fakeUser: TestUtility.FakePrincipal,
-                    userService: fakeUserService,
                     downloaderService: nugetExeDownloader);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
@@ -1766,9 +1559,6 @@ public async Task WillExtractNuGetExe()
             public async Task WillNotExtractNuGetExeIfIsNotLatestStable()
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
 
                 var fakePackageService = new Mock<IPackageService>();
@@ -1781,17 +1571,16 @@ public async Task WillNotExtractNuGetExeIfIsNotLatestStable()
 
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(commandLinePackage);
 
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(
                     CreateTestPackageStream(commandLinePackage)));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
 
                 var nugetExeDownloader = new Mock<INuGetExeDownloaderService>(MockBehavior.Strict);
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    fakeUser: TestUtility.FakePrincipal,
-                    userService: fakeUserService,
                     downloaderService: nugetExeDownloader);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
@@ -1807,29 +1596,25 @@ public async Task WillNotExtractNuGetExeIfIsNotLatestStable()
             public async Task WillNotExtractNuGetExeIfIsItDoesNotMatchId(string id)
             {
                 // Arrange
-                var fakeCurrentUser = new User { Key = 42 };
-                var fakeUserService = new Mock<IUserService>();
-                fakeUserService.Setup(x => x.FindByUsername(It.IsAny<string>())).Returns(fakeCurrentUser);
                 var fakeUploadFileService = new Mock<IUploadFileService>();
 
                 var fakePackageService = new Mock<IPackageService>();
                 var commandLinePackage = new Package { PackageRegistration = new PackageRegistration { Id = id }, Version = "2.0.0", IsLatestStable = true };
 
-                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(42)).Returns(Task.FromResult<Stream>(
+                fakeUploadFileService.Setup(x => x.GetUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult<Stream>(
                     CreateTestPackageStream(commandLinePackage)));
-                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(42)).Returns(Task.FromResult(0));
+                fakeUploadFileService.Setup(x => x.DeleteUploadFileAsync(TestUtility.FakeUser.Key)).Returns(Task.FromResult(0));
 
                 fakePackageService.Setup(x => x.CreatePackage(It.IsAny<INupkg>(), It.IsAny<User>(), It.IsAny<bool>())).Returns(commandLinePackage);
                 var nugetExeDownloader = new Mock<INuGetExeDownloaderService>(MockBehavior.Strict);
                 var controller = CreateController(
                     packageService: fakePackageService,
                     uploadFileService: fakeUploadFileService,
-                    fakeUser: TestUtility.FakePrincipal,
-                    userService: fakeUserService,
                     downloaderService: nugetExeDownloader);
+                TestUtility.SetupUrlHelperForUrlGeneration(controller, new Uri("http://1.1.1.1"));
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
-                TestUtility.SetupUrlHelperForUrlGeneration(controller, new Uri("http://1.1.1.1"));
                 await controller.VerifyPackage(new VerifyPackageRequest() { Listed = false, Edit = null });
 
                 // Assert
@@ -1872,7 +1657,8 @@ public void WillReturnHttpNotFoundForUnknownUser()
                 var cacheService = new Mock<ICacheService>(MockBehavior.Strict);
                 cacheService.Setup(c => c.GetItem(FakeUploadName)).Returns(null);
 
-                var controller = CreateController(fakeUser: TestUtility.FakePrincipal, cacheService: cacheService);
+                var controller = CreateController(cacheService: cacheService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 var result = controller.UploadPackageProgress();
@@ -1888,7 +1674,8 @@ public void WillReturnCorrectResultForKnownUser()
                 cacheService.Setup(c => c.GetItem(FakeUploadName))
                             .Returns(new AsyncFileUploadProgress(100) { FileName = "haha", TotalBytesRead = 80 });
 
-                var controller = CreateController(fakeUser: TestUtility.FakePrincipal, cacheService: cacheService);
+                var controller = CreateController(cacheService: cacheService);
+                controller.SetCurrentUser(TestUtility.FakeUser);
 
                 // Act
                 var result = controller.UploadPackageProgress() as JsonResult;
@@ -1930,6 +1717,7 @@ public void IndexingAndPackageServicesAreUpdated()
                 var indexingService = new Mock<IIndexingService>();
 
                 var controller = CreateController(packageService: packageService, httpContext: httpContext, indexingService: indexingService);
+                controller.SetCurrentUser("Smeagol");
                 controller.Url = new UrlHelper(new RequestContext(), new RouteCollection());
 
                 // Act
diff --git a/tests/NuGetGallery.Facts/Controllers/UsersControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/UsersControllerFacts.cs
index c8c274da68..0ce698396c 100644
--- a/tests/NuGetGallery.Facts/Controllers/UsersControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/UsersControllerFacts.cs
@@ -6,6 +6,7 @@
 using System.Web;
 using System.Web.Mvc;
 using Moq;
+using NuGetGallery.Authentication;
 using NuGetGallery.Configuration;
 using NuGetGallery.Framework;
 using Xunit;
@@ -16,32 +17,11 @@ public class UsersControllerFacts
     {
         public class TheAccountAction : TestContainer
         {
-            [Fact]
-            public void WillGetTheCurrentUserUsingTheRequestIdentityName()
-            {
-                var controller = GetController<UsersController>();
-                var user = new User { Username = "theUsername" };
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                          .Setup(s => s.FindByUsername(It.IsAny<string>()))
-                          .Returns(user);
-
-                //act
-                controller.Account();
-
-                // verify
-                GetMock<IUserService>()
-                          .Verify(stub => stub.FindByUsername("theUsername"));
-            }
-
             [Fact]
             public void WillGetCuratedFeedsManagedByTheCurrentUser()
             {
                 var controller = GetController<UsersController>();
-                controller.SetUser("user");
-                GetMock<IUserService>()
-                          .Setup(s => s.FindByUsername("user"))
-                          .Returns(new User { Key = 42 });
+                controller.SetCurrentUser(new User { Key = 42 });
 
                 // act
                 controller.Account();
@@ -55,11 +35,8 @@ public void WillGetCuratedFeedsManagedByTheCurrentUser()
             public void WillReturnTheAccountViewModelWithTheUserApiKey()
             {
                 var controller = GetController<UsersController>();
-                controller.SetUser("user");
                 var stubApiKey = Guid.NewGuid();
-                GetMock<IUserService>()
-                    .Setup(s => s.FindByUsername("user"))
-                    .Returns(new User { Key = 42, ApiKey = stubApiKey });
+                controller.SetCurrentUser(new User { Key = 42, ApiKey = stubApiKey });
 
                 // act
                 var model = ResultAssert.IsView<AccountViewModel>(controller.Account());
@@ -72,10 +49,7 @@ public void WillReturnTheAccountViewModelWithTheUserApiKey()
             public void WillReturnTheAccountViewModelWithTheCuratedFeeds()
             {
                 var controller = GetController<UsersController>();
-                controller.SetUser("user");
-                GetMock<IUserService>()
-                    .Setup(s => s.FindByUsername("user"))
-                    .Returns(new User { Key = 42 });
+                controller.SetCurrentUser(new User { Key = 42 });
                 GetMock<ICuratedFeedService>()
                     .Setup(stub => stub.GetFeedsForManager(42))
                     .Returns(new[] { new CuratedFeed { Name = "theCuratedFeed" } });
@@ -92,17 +66,14 @@ public void WillUseApiKeyInColumnIfNoCredentialPresent()
             {
                 var apiKey = Guid.NewGuid();
                 var controller = GetController<UsersController>();
-                controller.SetUser("user");
-                GetMock<IUserService>()
-                    .Setup(s => s.FindByUsername("user"))
-                    .Returns(new User { Key = 42, ApiKey = apiKey });
+                controller.SetCurrentUser(new User { Key = 42, ApiKey = apiKey });
                 GetMock<ICuratedFeedService>()
                     .Setup(stub => stub.GetFeedsForManager(42))
                     .Returns(new[] { new CuratedFeed { Name = "theCuratedFeed" } });
 
                 // act
                 var result = controller.Account();
-                
+
                 // verify
                 var model = ResultAssert.IsView<AccountViewModel>(result);
                 Assert.Equal(apiKey.ToString().ToLowerInvariant(), model.ApiKey);
@@ -113,24 +84,21 @@ public void WillUseApiKeyInCredentialIfPresent()
             {
                 var apiKey = Guid.NewGuid();
                 var controller = GetController<UsersController>();
-                controller.SetUser("user");
-                GetMock<IUserService>()
-                    .Setup(s => s.FindByUsername("user"))
-                    .Returns(new User
-                    {
-                        Key = 42,
-                        ApiKey = Guid.NewGuid(),
-                        Credentials = new List<Credential>() {
-                            CredentialBuilder.CreateV1ApiKey(apiKey)
-                        }
-                    });
+                controller.SetCurrentUser(new User
+                {
+                    Key = 42,
+                    ApiKey = Guid.NewGuid(),
+                    Credentials = new List<Credential>() {
+                        CredentialBuilder.CreateV1ApiKey(apiKey)
+                    }
+                });
                 GetMock<ICuratedFeedService>()
                     .Setup(stub => stub.GetFeedsForManager(42))
                     .Returns(new[] { new CuratedFeed { Name = "theCuratedFeed" } });
 
                 // act
                 var result = controller.Account();
-                
+
                 // verify
                 var model = ResultAssert.IsView<AccountViewModel>(result);
                 Assert.Equal(apiKey.ToString().ToLowerInvariant(), model.ApiKey);
@@ -149,13 +117,9 @@ public void UpdatesEmailAllowedSetting()
                 };
 
                 var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                          .Setup(u => u.FindByUsername(It.IsAny<string>()))
-                          .Returns(user);
+                controller.SetCurrentUser(user);
                 GetMock<IUserService>()
                           .Setup(u => u.UpdateProfile(user, false));
-                controller.SetUser(user);
                 var model = new EditProfileViewModel { EmailAddress = "test@example.com", EmailAllowed = false };
 
                 var result = controller.Edit(model);
@@ -173,20 +137,20 @@ public void SendsEmailWithPasswordResetUrl()
             {
                 const string resetUrl = "https://nuget.local/account/ResetPassword/somebody/confirmation";
                 var user = new User("somebody")
-                    {
-                        EmailAddress = "some@example.com",
-                        PasswordResetToken = "confirmation",
-                        PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1)
-                    };
-                var controller = GetController<UsersController>();
+                {
+                    EmailAddress = "some@example.com",
+                    PasswordResetToken = "confirmation",
+                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1)
+                };
                 GetMock<IMessageService>()
                           .Setup(s => s.SendPasswordResetInstructions(user, resetUrl));
                 GetMock<IUserService>()
-                          .Setup(s => s.FindByEmailAddress(It.IsAny<string>()))
+                          .Setup(s => s.FindByEmailAddress("user"))
                           .Returns(user);
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                           .Setup(s => s.GeneratePasswordResetToken("user", 1440))
                           .Returns(user);
+                var controller = GetController<UsersController>();
                 var model = new ForgotPasswordViewModel { Email = "user" };
 
                 controller.ForgotPassword(model);
@@ -199,27 +163,28 @@ public void SendsEmailWithPasswordResetUrl()
             public void RedirectsAfterGeneratingToken()
             {
                 var user = new User { EmailAddress = "some@example.com", Username = "somebody" };
-                var controller = GetController<UsersController>();
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                           .Setup(s => s.GeneratePasswordResetToken("user", 1440))
                           .Returns(user)
                           .Verifiable();
+                var controller = GetController<UsersController>();
+
                 var model = new ForgotPasswordViewModel { Email = "user" };
 
                 var result = controller.ForgotPassword(model) as RedirectToRouteResult;
 
                 Assert.NotNull(result);
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                           .Verify(s => s.GeneratePasswordResetToken("user", 1440));
             }
 
             [Fact]
             public void ReturnsSameViewIfTokenGenerationFails()
             {
-                var controller = GetController<UsersController>();
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                           .Setup(s => s.GeneratePasswordResetToken("user", 1440))
                           .Returns((User)null);
+                var controller = GetController<UsersController>();
 
                 var model = new ForgotPasswordViewModel { Email = "user" };
 
@@ -235,12 +200,10 @@ public class TheGenerateApiKeyMethod : TestContainer
             [Fact]
             public void RedirectsToAccountPage()
             {
-                var controller = GetController<UsersController>();
                 var user = new User { Username = "the-username" };
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsername(It.IsAny<string>()))
-                    .Returns(user);
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+                
                 var result = controller.GenerateApiKey();
 
                 ResultAssert.IsRedirectToRoute(result, new { action = "Account", controller = "Users" });
@@ -249,17 +212,14 @@ public void RedirectsToAccountPage()
             [Fact]
             public void PutsNewCredentialInOldField()
             {
-                var controller = GetController<UsersController>();
                 var user = new User("the-username") { ApiKey = Guid.NewGuid() };
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsername("the-username"))
-                    .Returns(user);
                 Credential created = null;
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                     .Setup(u => u.ReplaceCredential(user, It.IsAny<Credential>()))
                     .Callback<User, Credential>((_, c) => created = c);
-
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+                
                 GetMock<IUserService>()
                     .Setup(u => u.FindByUsername(It.IsAny<string>()))
                     .Returns(user);
@@ -272,19 +232,18 @@ public void PutsNewCredentialInOldField()
             [Fact]
             public void ReplacesTheApiKeyCredential()
             {
-                var controller = GetController<UsersController>();
                 var user = new User("the-username") { ApiKey = Guid.NewGuid() };
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsername("the-username"))
-                    .Returns(user);
-
+                GetMock<AuthenticationService>()
+                    .Setup(u => u.ReplaceCredential(
+                        user,
+                        It.Is<Credential>(c => c.Type == CredentialTypes.ApiKeyV1)))
+                    .Verifiable();
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+                
                 controller.GenerateApiKey();
 
-                GetMock<IUserService>()
-                    .Verify(u => u.ReplaceCredential(
-                        user,
-                        It.Is<Credential>(c => c.Type == CredentialTypes.ApiKeyV1)));
+                GetMock<AuthenticationService>().VerifyAll();
             }
         }
 
@@ -300,15 +259,15 @@ public void DoesNotLetYouUseSomeoneElsesConfirmedEmailAddress()
                     Key = 1,
                 };
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsernameAndPassword(It.IsAny<string>(), It.IsAny<string>()))
-                    .Returns(user);
+                GetMock<AuthenticationService>()
+                    .Setup(u => u.Authenticate(It.IsAny<string>(), It.IsAny<string>()))
+                    .Returns(new AuthenticatedUser(user, new Credential()));
                 GetMock<IUserService>()
                     .Setup(u => u.ChangeEmailAddress(user, "new@example.com"))
                     .Throws(new EntityException("msg"));
-
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+                
                 var result = controller.ChangeEmail(new ChangeEmailRequestModel { NewEmail = "new@example.com" });
                 Assert.False(controller.ModelState.IsValid);
                 Assert.Equal("msg", controller.ModelState["NewEmail"].Errors[0].ErrorMessage);
@@ -324,16 +283,16 @@ public void SendsEmailChangeConfirmationNoticeWhenChangingAConfirmedEmailAddress
                     EmailAllowed = true
                 };
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsernameAndPassword(It.IsAny<string>(), It.IsAny<string>()))
-                    .Returns(user);
+                GetMock<AuthenticationService>()
+                    .Setup(u => u.Authenticate("theUsername", "password"))
+                    .Returns(new AuthenticatedUser(user, new Credential()));
                 GetMock<IUserService>()
                     .Setup(u => u.ChangeEmailAddress(user, "new@example.com"))
                     .Callback(() => user.UpdateEmailAddress("new@example.com", () => "token"));
-                var model = new ChangeEmailRequestModel { NewEmail = "new@example.com" };
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+                
+                var model = new ChangeEmailRequestModel { NewEmail = "new@example.com", Password = "password" };
 
                 var result = controller.ChangeEmail(model);
 
@@ -350,16 +309,16 @@ public void DoesNotSendEmailChangeConfirmationNoticeWhenAddressDoesntChange()
                     Username = "aUsername",
                 };
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                          .Setup(u => u.FindByUsernameAndPassword(It.IsAny<string>(), It.IsAny<string>()))
-                          .Returns(user);
+                GetMock<AuthenticationService>()
+                          .Setup(u => u.Authenticate("aUsername", "password"))
+                          .Returns(new AuthenticatedUser(user, new Credential()));
                 GetMock<IUserService>()
                           .Setup(u => u.ChangeEmailAddress(It.IsAny<User>(), It.IsAny<string>()))
                           .Callback(() => user.UpdateEmailAddress("old@example.com", () => "new-token"));
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
 
-                var model = new ChangeEmailRequestModel { NewEmail = "old@example.com" };
+                var model = new ChangeEmailRequestModel { NewEmail = "old@example.com", Password = "password" };
 
                 controller.ChangeEmail(model);
 
@@ -378,15 +337,16 @@ public void DoesNotSendEmailChangeConfirmationNoticeWhenUserWasNotConfirmed()
                     UnconfirmedEmailAddress = "old@example.com",
                 };
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                          .Setup(u => u.FindByUsernameAndPassword(It.IsAny<string>(), It.IsAny<string>()))
-                          .Returns(user);
+                GetMock<AuthenticationService>()
+                          .Setup(u => u.Authenticate("aUsername", "password"))
+                          .Returns(new AuthenticatedUser(user, new Credential()));
                 GetMock<IUserService>()
                           .Setup(u => u.ChangeEmailAddress(It.IsAny<User>(), It.IsAny<string>()))
                           .Callback(() => user.UpdateEmailAddress("new@example.com", () => "new-token"));
-                var model = new ChangeEmailRequestModel{ NewEmail = "new@example.com" };
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+
+                var model = new ChangeEmailRequestModel { NewEmail = "new@example.com", Password = "password" };
 
                 controller.ChangeEmail(model);
 
@@ -411,8 +371,7 @@ public void ConfirmsTheUser()
                 };
 
                 var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>().Setup(u => u.FindByUsername("aUsername")).Returns(user);
+                controller.SetCurrentUser(user);
 
                 var result = controller.Confirm("aUsername", "aToken");
 
@@ -430,8 +389,7 @@ public void ShowsAnErrorForWrongUsername()
                 };
 
                 var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>().Setup(u => u.FindByUsername("aUsername")).Returns(user);
+                controller.SetCurrentUser(user);
 
                 var result = controller.Confirm("wrongUsername", "aToken");
                 var model = (ConfirmationViewModel)((ViewResult)result).Model;
@@ -450,14 +408,11 @@ public void ShowsAnErrorForWrongToken()
                     EmailConfirmationToken = "aToken",
                 };
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsername("aUsername"))
-                    .Returns(user);
                 GetMock<IUserService>()
                     .Setup(u => u.ConfirmEmailAddress(user, It.IsAny<string>()))
                     .Returns(false);
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
 
                 var result = controller.Confirm("aUsername", "wrongToken");
                 var model = (ConfirmationViewModel)((ViewResult)result).Model;
@@ -475,14 +430,11 @@ public void ShowsAnErrorForConflictingEmailAddress()
                     EmailConfirmationToken = "aToken",
                 };
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsername("aUsername"))
-                    .Returns(user);
                 GetMock<IUserService>()
                     .Setup(u => u.ConfirmEmailAddress(user, It.IsAny<string>()))
                     .Throws(new EntityException("msg"));
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
 
                 var result = controller.Confirm("aUsername", "aToken");
                 var model = (ConfirmationViewModel)((ViewResult)result).Model;
@@ -501,18 +453,15 @@ public void SendsAccountChangedNoticeWhenConfirmingChangedEmail()
                     UnconfirmedEmailAddress = "new@example.com",
                     EmailConfirmationToken = "the-token"
                 };
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
 
-                GetMock<IUserService>()
-                          .Setup(u => u.FindByUsername("username"))
-                          .Returns(user);
                 GetMock<IUserService>()
                           .Setup(u => u.ConfirmEmailAddress(user, "the-token"))
                           .Returns(true);
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
 
                 var result = controller.Confirm("username", "the-token");
-                var model =  (ConfirmationViewModel)((ViewResult)result).Model;
+                var model = (ConfirmationViewModel)((ViewResult)result).Model;
 
                 Assert.True(model.SuccessfulConfirmation);
                 Assert.False(model.ConfirmingNewAccount);
@@ -530,14 +479,12 @@ public void DoesntSendAccountChangedEmailsWhenNoOldConfirmedAddress()
                     UnconfirmedEmailAddress = "new@example.com",
                     EmailConfirmationToken = "the-token"
                 };
-                var controller = GetController<UsersController>();
-                GetMock<IUserService>()
-                          .Setup(u => u.FindByUsername("username"))
-                          .Returns(user);
+
                 GetMock<IUserService>()
                           .Setup(u => u.ConfirmEmailAddress(user, "the-token"))
                           .Returns(true);
-                controller.SetUser(user);
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
 
                 // act:
                 var result = controller.Confirm("username", "the-token");
@@ -562,14 +509,12 @@ public void DoesntSendAccountChangedEmailsIfConfirmationTokenDoesntMatch()
                     UnconfirmedEmailAddress = "new@example.com",
                     EmailConfirmationToken = "the-token"
                 };
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-                GetMock<IUserService>()
-                    .Setup(u => u.FindByUsername(It.IsAny<string>()))
-                    .Returns(user);
+
                 GetMock<IUserService>()
                     .Setup(u => u.ConfirmEmailAddress(user, "faketoken"))
                     .Returns(false);
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
 
                 // act:
                 var model = (controller.Confirm("username", "faketoken") as ViewResult).Model as ConfirmationViewModel;
@@ -599,15 +544,6 @@ public void WillSendNewUserEmailWhenPosted()
                 string sentConfirmationUrl = null;
                 MailAddress sentToAddress = null;
 
-                var controller = GetController<UsersController>();
-                controller.SetUser(user);
-
-                GetMock<IUserService>()
-                    .Setup(x => x.FindByUsername(It.IsAny<string>()))
-                    .Returns(user);
-                GetMock<IUserService>()
-                    .Setup(x => x.Create(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>()))
-                    .Returns(user);
                 GetMock<IMessageService>()
                     .Setup(m => m.SendNewAccountEmail(It.IsAny<MailAddress>(), It.IsAny<string>()))
                     .Callback<MailAddress, string>((to, url) =>
@@ -616,6 +552,9 @@ public void WillSendNewUserEmailWhenPosted()
                         sentConfirmationUrl = url;
                     });
 
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser(user);
+
                 controller.ConfirmationRequiredPost();
 
                 // We use a catch-all route for unit tests so we can see the parameters 
@@ -644,15 +583,16 @@ public void ReturnsViewIfModelStateInvalid()
             }
 
             [Fact]
-            public void AddsModelErrorIfUserServiceFails()
+            public void AddsModelErrorIfAuthServiceFails()
             {
                 // Arrange
-                var controller = GetController<UsersController>();
-                controller.SetUser("user");
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                     .Setup(u => u.ChangePassword("user", "old", "new"))
                     .Returns(false);
 
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser("user");
+
                 var inputModel = new PasswordChangeViewModel()
                 {
                     OldPassword = "old",
@@ -679,11 +619,11 @@ public void AddsModelErrorIfUserServiceFails()
             public void RedirectsToPasswordChangedIfUserServiceSucceeds()
             {
                 // Arrange
-                var controller = GetController<UsersController>();
-                controller.SetUser("user");
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                     .Setup(u => u.ChangePassword("user", "old", "new"))
                     .Returns(true);
+                var controller = GetController<UsersController>();
+                controller.SetCurrentUser("user");
                 var inputModel = new PasswordChangeViewModel()
                 {
                     OldPassword = "old",
@@ -708,10 +648,10 @@ public class TheResetPasswordMethod : TestContainer
             [Fact]
             public void ShowsErrorIfTokenExpired()
             {
-                var controller = GetController<UsersController>();
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                     .Setup(u => u.ResetPasswordWithToken("user", "token", "newpwd"))
                     .Returns(false);
+                var controller = GetController<UsersController>();
                 var model = new PasswordResetViewModel
                     {
                         ConfirmPassword = "pwd",
@@ -721,17 +661,17 @@ public void ShowsErrorIfTokenExpired()
                 controller.ResetPassword("user", "token", model);
 
                 Assert.Equal("The Password Reset Token is not valid or expired.", controller.ModelState[""].Errors[0].ErrorMessage);
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                           .Verify(u => u.ResetPasswordWithToken("user", "token", "newpwd"));
             }
 
             [Fact]
             public void ResetsPasswordForValidToken()
             {
-                var controller = GetController<UsersController>();
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                     .Setup(u => u.ResetPasswordWithToken("user", "token", "newpwd"))
                     .Returns(true);
+                var controller = GetController<UsersController>();
                 var model = new PasswordResetViewModel
                     {
                         ConfirmPassword = "pwd",
@@ -741,7 +681,7 @@ public void ResetsPasswordForValidToken()
                 var result = controller.ResetPassword("user", "token", model) as RedirectToRouteResult;
 
                 Assert.NotNull(result);
-                GetMock<IUserService>()
+                GetMock<AuthenticationService>()
                           .Verify(u => u.ResetPasswordWithToken("user", "token", "newpwd"));
             }
         }
@@ -751,10 +691,10 @@ public class TheThanksMethod : TestContainer
             [Fact]
             public void ShowsDefaultThanksView()
             {
-                var controller = GetController<UsersController>();
                 GetMock<IAppConfiguration>()
                     .Setup(x => x.ConfirmEmailAddresses)
                     .Returns(true);
+                var controller = GetController<UsersController>();
 
                 var result = controller.Thanks() as ViewResult;
 
@@ -765,10 +705,10 @@ public void ShowsDefaultThanksView()
             [Fact]
             public void ShowsConfirmViewWithModelWhenConfirmingEmailAddressIsNotRequired()
             {
-                var controller = GetController<UsersController>();
                 GetMock<IAppConfiguration>()
                     .Setup(x => x.ConfirmEmailAddresses)
                     .Returns(false);
+                var controller = GetController<UsersController>();
 
                 ResultAssert.IsView(controller.Thanks());
             }
diff --git a/tests/NuGetGallery.Facts/Filters/ApiKeyAuthorizeAttributeFacts.cs b/tests/NuGetGallery.Facts/Filters/ApiKeyAuthorizeAttributeFacts.cs
deleted file mode 100644
index 851074a3f7..0000000000
--- a/tests/NuGetGallery.Facts/Filters/ApiKeyAuthorizeAttributeFacts.cs
+++ /dev/null
@@ -1,134 +0,0 @@
-using System;
-using System.Web.Mvc;
-using System.Web.Routing;
-using Moq;
-using NuGetGallery.Framework;
-using Xunit;
-using Xunit.Extensions;
-
-namespace NuGetGallery.Filters
-{
-    public class ApiKeyAuthorizeAttributeFacts : TestContainer
-    {
-        [Fact]
-        public void UsesCredentialTableToFindUser()
-        {
-            ApiKeyAuthorizeAttribute attribute = CreateAttribute();
-            var apiKey = Guid.NewGuid();
-            var mockFilterContext = CreateActionFilterContext(apiKey.ToString());
-
-            GetMock<IUserService>()
-                .Setup(us => us.AuthenticateCredential(
-                    CredentialTypes.ApiKeyV1,
-                    apiKey.ToString().ToLowerInvariant()))
-                .Returns(new Credential() { User = Fakes.Owner });
-
-            // Act
-            attribute.OnActionExecuting(mockFilterContext.Object);
-
-            // Assert
-            Assert.Null(mockFilterContext.Object.Result);
-        }
-
-        [Fact]
-        public void UsesApiKeyColumnToFindUserIfNoRecordInCredentialTable()
-        {
-            ApiKeyAuthorizeAttribute attribute = CreateAttribute();
-            var apiKey = Guid.NewGuid();
-            var mockFilterContext = CreateActionFilterContext(apiKey.ToString());
-
-            GetMock<IUserService>()
-                .Setup(us => us.FindByApiKey(apiKey))
-                .Returns(Fakes.Owner);
-
-            // Act
-            attribute.OnActionExecuting(mockFilterContext.Object);
-
-            // Assert
-            Assert.Null(mockFilterContext.Object.Result);
-        }
-
-        [Theory]
-        [InlineData(null)]
-        [InlineData("")]
-        public void ApiKeyAuthorizeAttributeReturns400WhenApiKeyIsMissing(string value)
-        {
-            ApiKeyAuthorizeAttribute attribute = CreateAttribute();
-            
-            // Act
-            var result = attribute.CheckForResult(value);
-
-            // Assert
-            ResultAssert.IsStatusCode(result, 400, String.Format(Strings.InvalidApiKey, ""));
-        }
-
-        [Fact]
-        public void ApiKeyAuthorizeAttributeReturns400WhenApiKeyFormatIsInvalid()
-        {
-            ApiKeyAuthorizeAttribute attribute = CreateAttribute();
-            
-            // Act
-            var result = attribute.CheckForResult("invalid-key");
-
-            // Assert
-            ResultAssert.IsStatusCode(result, 400, String.Format(Strings.InvalidApiKey, "invalid-key"));
-        }
-
-        [Fact]
-        public void ApiKeyAuthorizeAttributeReturns403WhenApiKeyDoesNotBelongToAUser()
-        {
-            ApiKeyAuthorizeAttribute attribute = CreateAttribute();
-            string unknownApiKey = Guid.NewGuid().ToString();
-
-            // Act
-            var result = attribute.CheckForResult(unknownApiKey);
-
-            // Assert
-            ResultAssert.IsStatusCode(result, 403, String.Format(Strings.ApiKeyNotAuthorized, "push"));
-        }
-
-        [Fact]
-        public void ApiKeyAuthorizeAttributeReturns403WhenUserIsNotYetConfirmed()
-        {
-            ApiKeyAuthorizeAttribute attribute = CreateAttribute();
-            var user = new User
-            {
-                UnconfirmedEmailAddress = "unconfirmed@example.com",
-                ApiKey = Guid.NewGuid()
-            };
-
-            GetMock<IUserService>()
-                .Setup(us => us.FindByApiKey(user.ApiKey))
-                .Returns(user);
-
-            // Act
-            var result = attribute.CheckForResult(user.ApiKey.ToString());
-
-            // Assert
-            ResultAssert.IsStatusCode(result, 403, Strings.ApiKeyUserAccountIsUnconfirmed);
-        }
-
-        private static Mock<ActionExecutingContext> CreateActionFilterContext(string apiKey)
-        {
-            var mockFilterContext = new Mock<ActionExecutingContext>();
-            var mockController = new Mock<Controller>();
-
-            mockFilterContext.Setup(ctx => ctx.Controller).Returns(mockController.Object);
-            mockController.Object.ControllerContext = new ControllerContext
-            {
-                RouteData = new RouteData
-                {
-                    Values = { { "apiKey", apiKey } }
-                }
-            };
-            return mockFilterContext;
-        }
-
-        private ApiKeyAuthorizeAttribute CreateAttribute()
-        {
-            ApiKeyAuthorizeAttribute attribute = Get<ApiKeyAuthorizeAttribute>();
-            attribute.UserService = Get<IUserService>();
-            return attribute;
-        }
-    }
-}
\ No newline at end of file
diff --git a/tests/NuGetGallery.Facts/Filters/RequireRemoteHttpsAttributeFacts.cs b/tests/NuGetGallery.Facts/Filters/RequireRemoteHttpsAttributeFacts.cs
deleted file mode 100644
index 3e645b8dc0..0000000000
--- a/tests/NuGetGallery.Facts/Filters/RequireRemoteHttpsAttributeFacts.cs
+++ /dev/null
@@ -1,193 +0,0 @@
-using System;
-using System.Web.Mvc;
-using Moq;
-using NuGetGallery.Configuration;
-using Xunit;
-using Xunit.Extensions;
-
-namespace NuGetGallery.Filters
-{
-    public class RequireRemoteHttpsAttributeFacts
-    {
-        [Fact]
-        public void RequireHttpsAttributeDoesNotThrowWhenRequireSSLIsFalse()
-        {
-            // Arrange
-            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
-            var mockConfig = new Mock<IAppConfiguration>();
-            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
-            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(false);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
-            var context = mockAuthContext.Object;
-
-            mockFormsAuth.Setup(fas => fas.ShouldForceSSL(context.HttpContext)).Returns(true);
-
-            var attribute = new RequireRemoteHttpsAttribute() { Configuration = mockConfig.Object, FormsAuthentication = mockFormsAuth.Object };
-            var result = new ViewResult();
-            context.Result = result;
-
-            // Act
-            attribute.OnAuthorization(context);
-
-            // Assert
-            Assert.Same(result, context.Result);
-        }
-
-        [Fact]
-        public void RequireHttpsAttributeDoesNotThrowForSecureConnection()
-        {
-            // Arrange
-            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
-            var mockConfig = new Mock<IAppConfiguration>();
-            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
-            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(true);
-            var context = mockAuthContext.Object;
-            mockFormsAuth.Setup(fas => fas.ShouldForceSSL(context.HttpContext)).Returns(true);
-            var attribute = new RequireRemoteHttpsAttribute() { Configuration = mockConfig.Object, FormsAuthentication = mockFormsAuth.Object };
-            var result = new ViewResult();
-            context.Result = result;
-
-            // Act
-            attribute.OnAuthorization(context);
-
-            // Assert
-            Assert.Same(result, context.Result);
-        }
-
-        [Fact]
-        public void RequireHttpsAttributeDoesNotThrowForInsecureConnectionIfNotAuthenticatedOrForcingSSLAndOnlyWhenAuthenticatedSet()
-        {
-            // Arrange
-            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
-            var mockConfig = new Mock<IAppConfiguration>();
-            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
-            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(false);
-            var context = mockAuthContext.Object;
-            mockFormsAuth.Setup(fas => fas.ShouldForceSSL(context.HttpContext)).Returns(false);
-            var attribute = new RequireRemoteHttpsAttribute()
-            {
-                Configuration = mockConfig.Object,
-                OnlyWhenAuthenticated = true,
-                FormsAuthentication = mockFormsAuth.Object
-            };
-            var result = new ViewResult();
-            context.Result = result;
-
-            // Act
-            attribute.OnAuthorization(context);
-
-            // Assert
-            Assert.Same(result, context.Result);
-        }
-
-        [Theory]
-        [InlineData(true, false, false, 443, "{0}")]            // Authenticated, always force SSL for this action
-        [InlineData(false, false, false, 443, "{0}")]           // Not Authenticated, always force SSL for this action
-        [InlineData(true, false, true, 443, "{0}")]             // Authenticated, only force SSL if already authenticated
-        [InlineData(false, true, true, 443, "{0}")]             // Authenticated, should be authenticated, force SSL
-        [InlineData(true, false, false, 44300, "{0}:44300")]    // Non-standard Port, Authenticated, always force SSL for this action
-        [InlineData(false, false, false, 44300, "{0}:44300")]   // Non-standard Port, Not Authenticated, always force SSL for this action
-        [InlineData(true, false, true, 44300, "{0}:44300")]     // Non-standard Port, Authenticated, only force SSL if already authenticated
-        [InlineData(false, true, true, 44300, "{0}:44300")]     // Non-standard Port, Authenticated, should be authenticated, force SSL
-        public void RequireHttpsAttributeRedirectsGetRequest(bool isAuthenticated, bool forceSSL, bool onlyWhenAuthenticated, int port, string hostFormatter)
-        {
-            // Arrange
-            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
-            var mockConfig = new Mock<IAppConfiguration>();
-            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
-
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns("get");
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/login"));
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/login");
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(isAuthenticated);
-
-            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
-            mockConfig.Setup(cfg => cfg.SSLPort).Returns(port);
-            
-            var context = mockAuthContext.Object;
-            mockFormsAuth.Setup(fas => fas.ShouldForceSSL(context.HttpContext)).Returns(forceSSL);
-
-            var attribute = new RequireRemoteHttpsAttribute()
-            {
-                Configuration = mockConfig.Object,
-                OnlyWhenAuthenticated = onlyWhenAuthenticated,
-                FormsAuthentication = mockFormsAuth.Object
-            };
-            var result = new ViewResult();
-            context.Result = result;
-
-            // Act
-            attribute.OnAuthorization(context);
-
-            // Assert
-            Assert.IsType<RedirectResult>(context.Result);
-            Assert.Equal("https://" + String.Format(hostFormatter, "test.nuget.org") + "/login", ((RedirectResult)context.Result).Url);
-        }
-
-        
-        // Each set permutes HTTP Methods for the same parameters as the test above
-        [Theory]
-        [InlineData("POST", true, false, false)]
-        [InlineData("DELETE", true, false, false)]
-        [InlineData("PUT", true, false, false)]
-        [InlineData("HEAD", true, false, false)]
-        [InlineData("TRACE", true, false, false)]
-
-        [InlineData("POST", false, false, false)]
-        [InlineData("DELETE", false, false, false)]
-        [InlineData("PUT", false, false, false)]
-        [InlineData("HEAD", false, false, false)]
-        [InlineData("TRACE", false, false, false)]
-
-        [InlineData("POST", true, false, true)]
-        [InlineData("DELETE", true, false, true)]
-        [InlineData("PUT", true, false, true)]
-        [InlineData("HEAD", true, false, true)]
-        [InlineData("TRACE", true, false, true)]
-
-        [InlineData("POST", false, true, true)]
-        [InlineData("DELETE", false, true, true)]
-        [InlineData("PUT", false, true, true)]
-        [InlineData("HEAD", false, true, true)]
-        [InlineData("TRACE", false, true, true)]
-        public void RequireHttpsAttributeReturns403IfNonGetRequest(string method, bool isAuthenticated, bool forceSSL, bool onlyWhenAuthenticated)
-        {
-            // Arrange
-            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
-            var mockConfig = new Mock<IAppConfiguration>();
-            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
-
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(false);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns(method);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/api/create"));
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/api/create");
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
-            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(isAuthenticated);
-
-            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
-            var context = mockAuthContext.Object;
-
-            mockFormsAuth.Setup(fas => fas.ShouldForceSSL(context.HttpContext)).Returns(forceSSL);
-
-            var attribute = new RequireRemoteHttpsAttribute()
-            {
-                Configuration = mockConfig.Object,
-                OnlyWhenAuthenticated = onlyWhenAuthenticated,
-                FormsAuthentication = mockFormsAuth.Object
-            };
-
-            // Act 
-            attribute.OnAuthorization(context);
-
-            // Assert
-            Assert.IsType<HttpStatusCodeWithBodyResult>(context.Result);
-            var result = (HttpStatusCodeWithBodyResult)context.Result;
-            Assert.Equal(403, result.StatusCode);
-            Assert.Equal("The requested resource can only be accessed via SSL.", result.StatusDescription);
-        }
-    }
-}
\ No newline at end of file
diff --git a/tests/NuGetGallery.Facts/Filters/RequireSslAttributeFacts.cs b/tests/NuGetGallery.Facts/Filters/RequireSslAttributeFacts.cs
new file mode 100644
index 0000000000..33bbfdf60f
--- /dev/null
+++ b/tests/NuGetGallery.Facts/Filters/RequireSslAttributeFacts.cs
@@ -0,0 +1,126 @@
+using System;
+using System.Web.Mvc;
+using Moq;
+using NuGetGallery.Configuration;
+using Xunit;
+using Xunit.Extensions;
+
+namespace NuGetGallery.Filters
+{
+    public class RequireSslAttributeFacts
+    {
+        [Fact]
+        public void RequireHttpsAttributeDoesNotThrowWhenRequireSSLIsFalse()
+        {
+            // Arrange
+            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
+            var mockConfig = new Mock<IAppConfiguration>();
+            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(false);
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
+            var context = mockAuthContext.Object;
+
+            var attribute = new RequireSslAttribute() { Configuration = mockConfig.Object };
+            var result = new ViewResult();
+            context.Result = result;
+
+            // Act
+            attribute.OnAuthorization(context);
+
+            // Assert
+            Assert.Same(result, context.Result);
+        }
+
+        [Fact]
+        public void RequireHttpsAttributeDoesNotThrowForSecureConnection()
+        {
+            // Arrange
+            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
+            var mockConfig = new Mock<IAppConfiguration>();
+            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(true);
+            var context = mockAuthContext.Object;
+            var attribute = new RequireSslAttribute() { Configuration = mockConfig.Object };
+            var result = new ViewResult();
+            context.Result = result;
+
+            // Act
+            attribute.OnAuthorization(context);
+
+            // Assert
+            Assert.Same(result, context.Result);
+        }
+
+        [Theory]
+        [InlineData(443, "{0}")]            // Authenticated, always force SSL for this action
+        [InlineData(44300, "{0}:44300")]    // Non-standard Port, Authenticated, always force SSL for this action
+        public void RequireHttpsAttributeRedirectsGetRequest(int port, string hostFormatter)
+        {
+            // Arrange
+            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
+            var mockConfig = new Mock<IAppConfiguration>();
+            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
+
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns("get");
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/login"));
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/login");
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
+
+            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
+            mockConfig.Setup(cfg => cfg.SSLPort).Returns(port);
+            
+            var attribute = new RequireSslAttribute()
+            {
+                Configuration = mockConfig.Object
+            };
+
+            var result = new ViewResult();
+            var context = mockAuthContext.Object;
+            
+            // Act
+            attribute.OnAuthorization(context);
+
+            // Assert
+            Assert.IsType<RedirectResult>(context.Result);
+            Assert.Equal("https://" + String.Format(hostFormatter, "test.nuget.org") + "/login", ((RedirectResult)context.Result).Url);
+        }
+
+        
+        // Each set permutes HTTP Methods for the same parameters as the test above
+        [Theory]
+        [InlineData("POST")]
+        [InlineData("DELETE")]
+        [InlineData("PUT")]
+        [InlineData("HEAD")]
+        [InlineData("TRACE")]
+        public void RequireHttpsAttributeReturns403IfNonGetRequest(string method)
+        {
+            // Arrange
+            var mockAuthContext = new Mock<AuthorizationContext>(MockBehavior.Strict);
+            var mockConfig = new Mock<IAppConfiguration>();
+            var mockFormsAuth = new Mock<IFormsAuthenticationService>();
+
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(false);
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns(method);
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/api/create"));
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/api/create");
+            mockAuthContext.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
+
+            mockConfig.Setup(cfg => cfg.RequireSSL).Returns(true);
+            var context = mockAuthContext.Object;
+
+            var attribute = new RequireSslAttribute()
+            {
+                Configuration = mockConfig.Object
+            };
+
+            // Act 
+            attribute.OnAuthorization(context);
+
+            // Assert
+            Assert.IsType<HttpStatusCodeWithBodyResult>(context.Result);
+            var result = (HttpStatusCodeWithBodyResult)context.Result;
+            Assert.Equal(403, result.StatusCode);
+            Assert.Equal("The requested resource can only be accessed via SSL.", result.StatusDescription);
+        }
+    }
+}
\ No newline at end of file
diff --git a/tests/NuGetGallery.Facts/Framework/Fakes.cs b/tests/NuGetGallery.Facts/Framework/Fakes.cs
index 9612d12662..494b203f40 100644
--- a/tests/NuGetGallery.Facts/Framework/Fakes.cs
+++ b/tests/NuGetGallery.Facts/Framework/Fakes.cs
@@ -1,14 +1,51 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using System.Linq;
+using System.Reflection;
+using System.Security.Claims;
 using System.Security.Principal;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Moq;
+using NuGetGallery.Authentication;
 
 namespace NuGetGallery.Framework
 {
     public static class Fakes
     {
-        public static readonly User User = new User("testUser");
-        public static readonly User Admin = new User("testAdmin");
-        public static readonly User Owner = new User("testPackageOwner") { EmailAddress = "confirmed@example.com" }; //package owners need confirmed email addresses, obviously.
+        private static readonly MethodInfo SetMethod = typeof(IEntitiesContext).GetMethod("Set");
+
+        public static readonly string Password = "p@ssw0rd!";
+
+        public static readonly User User = new User("testUser") { 
+            Key = 42,
+            EmailAddress = "confirmed1@example.com",
+            Credentials = new List<Credential>() { 
+                CredentialBuilder.CreatePbkdf2Password(Password),
+                CredentialBuilder.CreateV1ApiKey(Guid.Parse("519e180e-335c-491a-ac26-e83c4bd31d65"))
+            }
+        };
+
+        public static readonly User ShaUser = new User("testShaUser")
+        {
+            Key = 42,
+            EmailAddress = "confirmed2@example.com",
+            Credentials = new List<Credential>() { 
+                CredentialBuilder.CreateSha1Password(Password),
+                CredentialBuilder.CreateV1ApiKey(Guid.Parse("b9704a41-4107-4cd2-bcfa-70d84e021ab2"))
+            }
+        };
+        public static readonly User Admin = new User("testAdmin") { 
+            Key = 43,
+            EmailAddress = "confirmed3@example.com",
+            Credentials = new List<Credential>() { CredentialBuilder.CreatePbkdf2Password(Password) }, 
+            Roles = new List<Role>() { new Role() { Name = Constants.AdminRoleName } } 
+        };
+        public static readonly User Owner = new User("testPackageOwner") { 
+            Key = 44,
+            Credentials = new List<Credential>() { CredentialBuilder.CreatePbkdf2Password(Password) },
+            EmailAddress = "confirmed@example.com" //package owners need confirmed email addresses, obviously.
+        };
 
         public static readonly PackageRegistration Package = new PackageRegistration()
         {
@@ -20,17 +57,67 @@ public static class Fakes
             }
         };
 
-        public static IPrincipal ToPrincipal(this User user)
+        public static User CreateUser(string userName, params Credential[] credentials)
+        {
+            return new User(userName)
+            {
+                Credentials = new List<Credential>(credentials)
+            };
+        }
+
+        public static ClaimsPrincipal ToPrincipal(this User user)
         {
-            return new GenericPrincipal(
-                new GenericIdentity(user.Username),
-                user.Roles == null ? new string[0] :
-                user.Roles.Select(r => r.Name).ToArray());
+            ClaimsIdentity identity = new ClaimsIdentity(
+                claims: Enumerable.Concat(new[] {
+                            new Claim(ClaimsIdentity.DefaultNameClaimType, user.Username),
+                        }, user.Roles.Select(r => new Claim(ClaimsIdentity.DefaultRoleClaimType, r.Name))),
+                authenticationType: "Test",
+                nameType: ClaimsIdentity.DefaultNameClaimType,
+                roleType: ClaimsIdentity.DefaultRoleClaimType);
+            return new ClaimsPrincipal(identity);
         }
 
         public static IIdentity ToIdentity(this User user)
         {
              return new GenericIdentity(user.Username);
         }
+
+        internal static void ConfigureEntitiesContext(FakeEntitiesContext ctxt)
+        {
+            // Add Users
+            var users = ctxt.Set<User>();
+            users.Add(User);
+            users.Add(ShaUser);
+            users.Add(Admin);
+            users.Add(Owner);
+
+            // Add Credentials and link to users
+            var creds = ctxt.Set<Credential>();
+            foreach (var user in users)
+            {
+                foreach (var cred in user.Credentials)
+                {
+                    cred.User = user;
+                    creds.Add(cred);
+                }
+            }
+        }
+
+        public static IOwinContext CreateOwinContext()
+        {
+            var ctx = new OwinContext();
+
+            // Fill in some values that cause exceptions if not present
+            ctx.Set<Action<Action<object>, object>>("server.OnSendingHeaders", (_, __) => { });
+
+            return ctx;
+        }
+
+        public static Mock<OwinMiddleware> CreateOwinMiddleware()
+        {
+            var middleware = new Mock<OwinMiddleware>(new object[] { null });
+            middleware.Setup(m => m.Invoke(It.IsAny<OwinContext>())).ReturnsAsync();
+            return middleware;
+        }
     }
 }
diff --git a/tests/NuGetGallery.Facts/Framework/TestContainer.cs b/tests/NuGetGallery.Facts/Framework/TestContainer.cs
index 9ddfc64c16..c6c5fa6935 100644
--- a/tests/NuGetGallery.Facts/Framework/TestContainer.cs
+++ b/tests/NuGetGallery.Facts/Framework/TestContainer.cs
@@ -6,6 +6,7 @@
 using System.Web;
 using System.Web.Mvc;
 using System.Web.Routing;
+using Microsoft.Owin;
 using Moq;
 using Ninject;
 using Ninject.Modules;
@@ -17,14 +18,19 @@ public class TestContainer : TestClass, IDisposable
     {
         public IKernel Kernel { get; private set; }
 
-        protected TestContainer()
+        public TestContainer() : this(UnitTestBindings.CreateContainer(autoMock: true)) { }
+        protected TestContainer(IKernel kernel)
         {
             // Initialize the container
-            Kernel = UnitTestBindings.CreateContainer();
+            Kernel = kernel;
         }
 
         protected TController GetController<TController>() where TController : Controller
         {
+            if (!Kernel.GetBindings(typeof(TController)).Any())
+            {
+                Kernel.Bind<TController>().ToSelf();
+            }
             var c = Kernel.Get<TController>();
             c.ControllerContext = new ControllerContext(
                 new RequestContext(Kernel.Get<HttpContextBase>(), new RouteData()), c);
@@ -32,6 +38,12 @@ protected TController GetController<TController>() where TController : Controlle
             var routeCollection = new RouteCollection();
             Routes.RegisterRoutes(routeCollection);
             c.Url = new UrlHelper(c.ControllerContext.RequestContext, routeCollection);
+
+            var appCtrl = c as AppController;
+            if (appCtrl != null)
+            {
+                appCtrl.OwinContext = Kernel.Get<IOwinContext>();
+            }
             
             return c;
         }
@@ -64,6 +76,10 @@ protected T Get<T>()
 
         protected Mock<T> GetMock<T>() where T : class
         {
+            if (!Kernel.GetBindings(typeof(T)).Any())
+            {
+                Kernel.Bind<T>().ToConstant((new Mock<T>() { CallBase = true }).Object);
+            }
             T instance = Kernel.Get<T>();
             return Mock.Get(instance);
         }
diff --git a/tests/NuGetGallery.Facts/Framework/TestExtensionMethods.cs b/tests/NuGetGallery.Facts/Framework/TestExtensionMethods.cs
index effd7d5ddd..1179b9636a 100644
--- a/tests/NuGetGallery.Facts/Framework/TestExtensionMethods.cs
+++ b/tests/NuGetGallery.Facts/Framework/TestExtensionMethods.cs
@@ -1,24 +1,39 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Security.Principal;
+using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
-using System.Web.Mvc;
 using Moq;
+using NuGetGallery.Authentication;
 
-namespace NuGetGallery.Framework
+namespace NuGetGallery
 {
     public static class TestExtensionMethods
     {
-        public static void SetUser(this Controller self, string userName)
+        /// <summary>
+        /// Should only be used in the rare cases where you are testing an action that
+        /// does NOT use AppController.GetCurrentUser()! In those cases, use 
+        /// TestExtensionMethods.SetCurrentUser(AppController, User) instead.
+        /// </summary>
+        /// <param name="name"></param>
+        public static void SetCurrentUser(this AppController self, string name)
         {
-            SetUser(self, new User(userName));
+            var principal = new ClaimsPrincipal(
+                new ClaimsIdentity(
+                    new [] { new Claim(ClaimTypes.Name, String.IsNullOrEmpty(name) ? "theUserName" : name) }));
+
+            var mock = Mock.Get(self.HttpContext);
+            mock.Setup(c => c.Request.IsAuthenticated).Returns(true);
+            mock.Setup(c => c.User).Returns(principal);
+
+            self.OwinContext.Request.User = principal;
         }
 
-        public static void SetUser(this Controller self, User user)
+        public static void SetCurrentUser(this AppController self, User user)
         {
-            Mock.Get(self.HttpContext).Setup(c => c.User).Returns(user.ToPrincipal());
+            SetCurrentUser(self, user.Username);
+            self.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey] = user;
         }
     }
 }
diff --git a/tests/NuGetGallery.Facts/Framework/UnitTestBindings.cs b/tests/NuGetGallery.Facts/Framework/UnitTestBindings.cs
index 40ea7b23f9..f18388d132 100644
--- a/tests/NuGetGallery.Facts/Framework/UnitTestBindings.cs
+++ b/tests/NuGetGallery.Facts/Framework/UnitTestBindings.cs
@@ -7,6 +7,7 @@
 using System.Web;
 using System.Web.Mvc;
 using System.Web.Routing;
+using Microsoft.Owin;
 using Moq;
 using Ninject;
 using Ninject.Activation;
@@ -19,9 +20,9 @@ namespace NuGetGallery.Framework
 {
     internal class UnitTestBindings : NinjectModule
     {
-        internal static IKernel CreateContainer()
+        internal static IKernel CreateContainer(bool autoMock)
         {
-            var kernel = new TestKernel(new UnitTestBindings());
+            var kernel = autoMock ? new TestKernel(new UnitTestBindings()) : new StandardKernel(new UnitTestBindings());
             return kernel;
         }
 
@@ -59,6 +60,19 @@ public override void Load()
                     return mockService.Object;
                 })
                 .InSingletonScope();
+
+            Bind<IEntitiesContext>()
+                .ToMethod(_ =>
+                {
+                    var ctxt = new FakeEntitiesContext();
+                    Fakes.ConfigureEntitiesContext(ctxt);
+                    return ctxt;
+                })
+                .InSingletonScope();
+
+            Bind<IOwinContext>()
+                .ToMethod(_ => Fakes.CreateOwinContext())
+                .InSingletonScope();
         }
 
         private class TestKernel : MoqMockingKernel
diff --git a/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj b/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj
index d497bd9e13..e24b3eac34 100644
--- a/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj
+++ b/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj
@@ -81,6 +81,21 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\Microsoft.Data.Services.Client.5.5.0\lib\net40\Microsoft.Data.Services.Client.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Owin, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\packages\Microsoft.Owin.2.0.0-rc1\lib\net45\Microsoft.Owin.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Host.SystemWeb">
+      <HintPath>..\..\packages\Microsoft.Owin.Host.SystemWeb.2.0.0-rc1\lib\net45\Microsoft.Owin.Host.SystemWeb.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\packages\Microsoft.Owin.Security.2.0.0-rc1\lib\net45\Microsoft.Owin.Security.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security.Cookies, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\packages\Microsoft.Owin.Security.Cookies.2.0.0-rc1\lib\net45\Microsoft.Owin.Security.Cookies.dll</HintPath>
+    </Reference>
     <Reference Include="Microsoft.Web.Infrastructure">
       <HintPath>..\..\packages\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll</HintPath>
       <Private>True</Private>
@@ -121,6 +136,10 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\NuGet.Core.2.7.0\lib\net40-Client\NuGet.Core.dll</HintPath>
     </Reference>
+    <Reference Include="Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
+    </Reference>
     <Reference Include="PoliteCaptcha, Version=0.4.0.0, Culture=neutral, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\PoliteCaptcha.0.4.0.0\lib\net40\PoliteCaptcha.dll</HintPath>
@@ -195,8 +214,12 @@
       <Link>Properties\CommonAssemblyInfo.cs</Link>
     </Compile>
     <Compile Include="AppConfigIsCorrectlyApplied.cs" />
+    <Compile Include="Authentication\ApiKeyAuthenticationHandlerFacts.cs" />
+    <Compile Include="Authentication\AuthenticationServiceFacts.cs" />
+    <Compile Include="Authentication\ForceSslWhenAuthenticatedMiddlewareFacts.cs" />
     <Compile Include="Commands\AutomaticallyCuratePackageCommandFacts.cs" />
     <Compile Include="App_Start\ConfigurationServiceFacts.cs" />
+    <Compile Include="Controllers\AppControllerFacts.cs" />
     <Compile Include="Controllers\AuthenticationControllerFacts.cs" />
     <Compile Include="Controllers\ApiControllerFacts.cs" />
     <Compile Include="Controllers\CuratedFeedsControllerFacts.cs" />
@@ -214,8 +237,7 @@
     <Compile Include="Entities\EntitiesContextFacts.cs" />
     <Compile Include="Entities\PackageFacts.cs" />
     <Compile Include="ExtensionMethodsFacts.cs" />
-    <Compile Include="Filters\ApiKeyAuthorizeAttributeFacts.cs" />
-    <Compile Include="Filters\RequireRemoteHttpsAttributeFacts.cs" />
+    <Compile Include="Filters\RequireSslAttributeFacts.cs" />
     <Compile Include="Framework\Fakes.cs" />
     <Compile Include="Framework\TestContainer.cs" />
     <Compile Include="Framework\TestExtensionMethods.cs" />
@@ -251,6 +273,8 @@
     <Compile Include="TestUtils\FakeEntitiesContext.cs" />
     <Compile Include="TestUtils\MockExtensions.cs" />
     <Compile Include="TestUtils\ModelStateAssert.cs" />
+    <Compile Include="TestUtils\OwinAssert.cs" />
+    <Compile Include="TestUtils\OwinTestExtensions.cs" />
     <Compile Include="TestUtils\ResultAssert.cs" />
     <Compile Include="TestUtils\TaskAssert.cs" />
     <Compile Include="TestUtils\TestUtility.cs" />
diff --git a/tests/NuGetGallery.Facts/Services/UserServiceFacts.cs b/tests/NuGetGallery.Facts/Services/UserServiceFacts.cs
index 66b2acc34e..4706580274 100644
--- a/tests/NuGetGallery.Facts/Services/UserServiceFacts.cs
+++ b/tests/NuGetGallery.Facts/Services/UserServiceFacts.cs
@@ -88,165 +88,6 @@ private static UserService CreateMockUserService(Action<Mock<UserService>> setup
             return userService.Object;
         }
 
-        public class TheChangePasswordMethod
-        {
-            [Fact]
-            public void ReturnsFalseIfUserIsNotFound()
-            {
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(Enumerable.Empty<User>().AsQueryable());
-
-                var changed = service.ChangePassword("username", "oldpwd", "newpwd");
-
-                Assert.False(changed);
-            }
-
-            [Fact]
-            public void ReturnsFalseIfPasswordDoesNotMatchUser_SHA1()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    HashedPassword = CryptographyService.GenerateSaltedHash("oldpwd", "SHA1"),
-                    PasswordHashAlgorithm = "SHA1",
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "not_the_password", "newpwd");
-
-                Assert.False(changed);
-            }
-
-            [Fact]
-            public void ReturnsFalseIfPasswordDoesNotMatchUser_PBKDF2()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    HashedPassword = CryptographyService.GenerateSaltedHash("oldpwd", "PBKDF2"),
-                    PasswordHashAlgorithm = "PBKDF2",
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user}.AsQueryable());
-
-                var changed = service.ChangePassword("user", "not_the_password", "newpwd");
-
-                Assert.False(changed);
-            }
-
-            [Fact]
-            public void ReturnsFalseIfPasswordDoesNotMatchUser_SHA1Credential()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    HashedPassword = "not_the_password",
-                    PasswordHashAlgorithm = "SHA1",
-                };
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("oldpwd"));
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "not_the_password", "newpwd");
-
-                Assert.False(changed);
-            }
-
-            [Fact]
-            public void ReturnsFalseIfPasswordDoesNotMatchUser_PBKDF2Credential()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    HashedPassword = "not_the_password",
-                    PasswordHashAlgorithm = "SHA1",
-                };
-                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password("oldpwd"));
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "not_the_password", "newpwd");
-
-                Assert.False(changed);
-            }
-
-            [Fact]
-            public void ReturnsTrueWhenSuccessful()
-            {
-                var hash = CryptographyService.GenerateSaltedHash("oldpwd", "PBKDF2");
-                var user = new User { Username = "user", HashedPassword = hash, PasswordHashAlgorithm = "PBKDF2" };
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "oldpwd", "newpwd");
-
-                Assert.True(changed);
-            }
-
-            [Fact]
-            public void UpdatesTheHashedPassword()
-            {
-                var hash = CryptographyService.GenerateSaltedHash("oldpwd", "PBKDF2");
-                var user = new User { Username = "user", HashedPassword = hash, PasswordHashAlgorithm = "PBKDF2" };
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "oldpwd", "newpwd");
-                Assert.True(VerifyPasswordHash(user.HashedPassword, user.PasswordHashAlgorithm, "newpwd"));
-                service.MockUserRepository.VerifyCommitted();
-            }
-
-            [Fact]
-            public void UpdatesThePasswordCredential()
-            {
-                var hash = CryptographyService.GenerateSaltedHash("oldpwd", "PBKDF2");
-                var user = new User { 
-                    Username = "user",
-                    Credentials = new List<Credential>()
-                    {
-                        new Credential(CredentialTypes.Password.Pbkdf2, hash)
-                    }
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "oldpwd", "newpwd");
-                var cred = user.Credentials.Single();
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
-                Assert.True(VerifyPasswordHash(cred.Value, Constants.PBKDF2HashAlgorithmId, "newpwd"));
-                service.MockUserRepository.VerifyCommitted();
-            }
-
-            [Fact]
-            public void MigratesPasswordIfHashAlgorithmIsNotPBKDF2()
-            {
-                var user = new User {
-                    Username = "user",
-                    HashedPassword = CryptographyService.GenerateSaltedHash("oldpwd", "SHA1"), 
-                    PasswordHashAlgorithm = "SHA1"
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll()).Returns(new[] { user }.AsQueryable());
-
-                var changed = service.ChangePassword("user", "oldpwd", "newpwd");
-
-                Assert.True(changed);
-                Assert.True(VerifyPasswordHash(user.HashedPassword, user.PasswordHashAlgorithm, "newpwd"));
-                Assert.Equal("PBKDF2", user.PasswordHashAlgorithm);
-                service.MockUserRepository.VerifyCommitted();
-            }
-        }
-
         public class TheConfirmEmailAddressMethod
         {
             [Fact]
@@ -332,187 +173,6 @@ public void WithEmptyTokenThrowsArgumentNullException()
             }
         }
 
-        public class TheCreateMethod
-        {
-            [Fact]
-            public void WillThrowIfTheUsernameIsAlreadyInUse()
-            {
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindByUsername("theUsername"))
-                                 .Returns(new User()));
-
-                var ex = Assert.Throws<EntityException>(
-                    () =>
-                    userService.Create(
-                        "theUsername",
-                        "thePassword",
-                        "theEmailAddress"));
-                Assert.Equal(String.Format(Strings.UsernameNotAvailable, "theUsername"), ex.Message);
-            }
-
-            [Fact]
-            public void WillThrowIfTheEmailAddressIsAlreadyInUse()
-            {
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindAllByEmailAddress("theEmailAddress"))
-                                 .Returns(new List<User> { new User() }));
-
-                var ex = Assert.Throws<EntityException>(
-                    () =>
-                    userService.Create(
-                        "theUsername",
-                        "thePassword",
-                        "theEmailAddress"));
-                Assert.Equal(String.Format(Strings.EmailAddressBeingUsed, "theEmailAddress"), ex.Message);
-            }
-
-            [Fact]
-            public void WillHashThePassword()
-            {
-                var userService = new TestableUserService();
-
-                var user = userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                Assert.Equal("PBKDF2", user.PasswordHashAlgorithm);
-                Assert.True(VerifyPasswordHash(user.HashedPassword, user.PasswordHashAlgorithm, "thePassword"));
-            }
-
-            [Fact]
-            public void WillSaveTheNewUser()
-            {
-                var userService = new TestableUserService();
-
-
-                userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                userService.MockUserRepository
-                           .Verify(x => x.InsertOnCommit(
-                                It.Is<User>(
-                                    u =>
-                                    u.Username == "theUsername" &&
-                                    u.UnconfirmedEmailAddress == "theEmailAddress")));
-                userService.MockUserRepository
-                           .Verify(x => x.CommitChanges());
-            }
-
-            [Fact]
-            public void WillSaveThePasswordInTheCredentialsTable()
-            {
-                var userService = new TestableUserService();
-                
-                var user = userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                Assert.NotNull(user);
-                var passwordCred = user.Credentials.FirstOrDefault(c => c.Type == CredentialTypes.Password.Pbkdf2);
-                Assert.NotNull(passwordCred);
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, passwordCred.Type);
-                Assert.True(VerifyPasswordHash(passwordCred.Value, Constants.PBKDF2HashAlgorithmId, "thePassword"));
-
-                userService.MockUserRepository
-                    .Verify(x => x.InsertOnCommit(user));
-                userService.MockUserRepository
-                    .Verify(x => x.CommitChanges());
-            }
-
-            [Fact]
-            public void WillSaveTheNewUserAsConfirmedWhenConfigured()
-            {
-                var userService = new TestableUserService();
-
-                userService.MockConfig
-                           .Setup(x => x.ConfirmEmailAddresses)
-                           .Returns(false);
-
-                userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                userService.MockUserRepository
-                           .Verify(x => x.InsertOnCommit(
-                               It.Is<User>(
-                                   u =>
-                                   u.Username == "theUsername" &&
-                                   u.Confirmed)));
-                userService.MockUserRepository
-                           .Verify(x => x.CommitChanges());
-            }
-
-            [Fact]
-            public void SetsAnApiKey()
-            {
-                var userService = new TestableUserService();
-
-                var user = userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                userService.MockUserRepository
-                    .Verify(x => x.InsertOnCommit(user));
-                Assert.NotEqual(Guid.Empty, user.ApiKey);
-
-                var apiKeyCred = user.Credentials.FirstOrDefault(c => c.Type == CredentialTypes.ApiKeyV1);
-                Assert.NotNull(apiKeyCred);
-                Assert.Equal(user.ApiKey.ToString().ToLowerInvariant(), apiKeyCred.Value);
-            }
-
-            [Fact]
-            public void SetsAConfirmationToken()
-            {
-                var userService = new TestableUserService();
-
-                var user = userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                Assert.NotEmpty(user.EmailConfirmationToken);
-                Assert.False(user.Confirmed);
-            }
-
-            [Fact]
-            public void SetsCreatedDate()
-            {
-                var userService = new TestableUserService();
-
-                var user = userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                Assert.NotNull(user.CreatedUtc);
-
-                // Allow for up to 5 secs of time to have elapsed between Create call and now. Should be plenty
-                Assert.True((DateTime.UtcNow - user.CreatedUtc) < TimeSpan.FromSeconds(5));
-            }
-
-            [Fact]
-            public void SetsTheUserToConfirmedWhenEmailConfirmationIsNotEnabled()
-            {
-                var userService = new TestableUserService();
-                userService.MockConfig
-                           .Setup(x => x.ConfirmEmailAddresses)
-                           .Returns(false);
-
-                var user = userService.Create(
-                    "theUsername",
-                    "thePassword",
-                    "theEmailAddress");
-
-                Assert.Equal(true, user.Confirmed);
-            }
-        }
-
         public class TheFindByEmailAddressMethod
         {
             [Fact]
@@ -530,670 +190,6 @@ public void ReturnsNullIfMultipleMatchesExist()
             }
         }
 
-        public class TheFindByUsernameAndPasswordMethod
-        {
-            [Fact]
-            public void FindsUsersByUserName()
-            {
-                var user = CreateAUser("theUsername", "thePassword", "test@example.com");
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll())
-                       .Returns(new[] { user }.AsQueryable());
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                Assert.NotNull(foundByUserName);
-                Assert.Same(user, foundByUserName);
-            }
-
-            [Fact]
-            public void WillNotFindsUsersByEmailAddress()
-            {
-                var user = CreateAUser("theUsername", "thePassword", "test@example.com");
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll())
-                       .Returns(new[] { user }.AsQueryable());
-
-                var foundByEmailAddress = service.FindByUsernameAndPassword("test@example.com", "thePassword");
-
-                Assert.Null(foundByEmailAddress);
-            }
-
-            [Fact]
-            public void DoesNotReturnUserIfPasswordIsInvalid()
-            {
-                var user = CreateAUser("theUsername", "thePassword", "test@example.com");
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll())
-                       .Returns(new[] { user }.AsQueryable());
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "theWrongPassword");
-
-                Assert.Null(foundByUserName);
-            }
-
-            [Fact]
-            public void FindsUserBasedOnPasswordInCredentialsTable()
-            {
-                var user = CreateAUser("theUsername", "test@example.com");
-                user.Credentials.Add(CreatePasswordCredential("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-                
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                Assert.NotNull(foundByUserName);
-                Assert.Same(user, foundByUserName);
-            }
-
-            [Fact]
-            public void IfSomehowBothPasswordsExistItFindsUserBasedOnPasswordInCredentialsTable()
-            {
-                var user = CreateAUser("theUsername", "theWrongPassword", "test@example.com");
-                user.Credentials.Add(CreatePasswordCredential("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                Assert.NotNull(foundByUserName);
-                Assert.Same(user, foundByUserName);
-            }
-
-            [Fact]
-            public void GivenASHA1PasswordColumnAndNoCredentialsItAuthenticatesUser()
-            {
-                var user = CreateAUser("theUsername", "thePassword", "test@example.com", hashAlgorithm: Constants.Sha1HashAlgorithmId);
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                Assert.Same(user, foundByUserName);
-                Assert.Empty(user.Credentials);
-            }
-
-            [Fact]
-            public void GivenAPBKDF2PasswordColumnAndNoCredentialsItAuthenticatesUser()
-            {
-                var user = CreateAUser("theUsername", "thePassword", "test@example.com", hashAlgorithm: Constants.PBKDF2HashAlgorithmId);
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                Assert.Same(user, foundByUserName);
-                Assert.Empty(user.Credentials);
-            }
-
-            [Fact]
-            public void GivenOnlyASHA1CredentialItAuthenticatesUserAndReplacesItWithAPBKDF2Credential()
-            {
-                var user = CreateAUser("theUsername", password: null, emailAddress: "test@example.com");
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                var cred = foundByUserName.Credentials.Single();
-                Assert.Same(user, foundByUserName);
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
-                Assert.True(CryptographyService.ValidateSaltedHash(cred.Value, "thePassword", Constants.PBKDF2HashAlgorithmId));
-            }
-
-            [Fact]
-            public void GivenASHA1AndAPBKDF2CredentialItAuthenticatesUserWithEitherCredential()
-            {
-                var user = CreateAUser("theUsername", password: null, emailAddress: "test@example.com");
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("thePassword1"));
-                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password("thePassword2"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByPassword1 = service.FindByUsernameAndPassword("theUsername", "thePassword1");
-                var foundByPassword2 = service.FindByUsernameAndPassword("theUsername", "thePassword2");
-                Assert.Same(user, foundByPassword1);
-                Assert.Same(foundByPassword1, foundByPassword2);
-            }
-
-            [Fact]
-            public void GivenASHA1AndAPBKDF2CredentialItAuthenticatesUserAndRemovesTheSHA1Cred()
-            {
-                var user = CreateAUser("theUsername", password: null, emailAddress: "test@example.com");
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("thePassword"));
-                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameAndPassword("theUsername", "thePassword");
-
-                var cred = foundByUserName.Credentials.Single();
-                Assert.Same(user, foundByUserName);
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
-                Assert.True(CryptographyService.ValidateSaltedHash(cred.Value, "thePassword", Constants.PBKDF2HashAlgorithmId));
-            }
-        }
-
-        public class TheFindByUsernameOrEmailAddressAndPasswordMethod
-        {
-            [Fact]
-            public void FindsUsersByUserName()
-            {
-                var user = new User
-                {
-                    Username = "theUsername",
-                    HashedPassword = CryptographyService.GenerateSaltedHash("thePassword", Constants.PBKDF2HashAlgorithmId),
-                    EmailAddress = "test@example.com",
-                    PasswordHashAlgorithm = Constants.PBKDF2HashAlgorithmId,
-                };
-
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll())
-                       .Returns(new[] { user }.AsQueryable());
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("theUsername", "thePassword");
-                Assert.NotNull(foundByUserName);
-                Assert.Same(user, foundByUserName);
-            }
-
-            [Fact]
-            public void FindsUsersByEmailAddress()
-            {
-                var user = new User
-                {
-                    Username = "theUsername",
-                    HashedPassword = CryptographyService.GenerateSaltedHash("thePassword", Constants.PBKDF2HashAlgorithmId),
-                    EmailAddress = "test@example.com",
-                    PasswordHashAlgorithm = "PBKDF2"
-                };
-
-                var service = new TestableUserService();
-                service.MockUserRepository
-                       .Setup(r => r.GetAll())
-                       .Returns(new[] { user }.AsQueryable());
-
-                var foundByEmailAddress = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-                Assert.NotNull(foundByEmailAddress);
-                Assert.Same(user, foundByEmailAddress);
-            }
-
-            [Fact]
-            public void FindsUserBasedOnPasswordInCredentialsTable()
-            {
-                var user = CreateAUser("theUsername", "test@example.com");
-                user.Credentials.Add(CreatePasswordCredential("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-
-                Assert.NotNull(foundByUserName);
-                Assert.Same(user, foundByUserName);
-            }
-
-            [Fact]
-            public void IfSomehowBothPasswordsExistItFindsUserBasedOnPasswordInCredentialsTable()
-            {
-                var user = CreateAUser("theUsername", "theWrongPassword", "test@example.com");
-                user.Credentials.Add(CreatePasswordCredential("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-
-                Assert.NotNull(foundByUserName);
-                Assert.Same(user, foundByUserName);
-            }
-
-            [Fact]
-            public void GivenASHA1PasswordColumnAndNoCredentialsItAuthenticatesUser()
-            {
-                var user = CreateAUser("test@example.com", "thePassword", "test@example.com", hashAlgorithm: Constants.Sha1HashAlgorithmId);
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-
-                Assert.Same(user, foundByUserName);
-                Assert.Empty(user.Credentials);
-            }
-
-            [Fact]
-            public void GivenAPBKDF2PasswordColumnAndNoCredentialsItAuthenticatesUser()
-            {
-                var user = CreateAUser("test@example.com", "thePassword", "test@example.com", hashAlgorithm: Constants.PBKDF2HashAlgorithmId);
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-
-                Assert.Same(user, foundByUserName);
-                Assert.Empty(user.Credentials);
-            }
-
-            [Fact]
-            public void GivenOnlyASHA1CredentialItAuthenticatesUserAndReplacesItWithAPBKDF2Credential()
-            {
-                var user = CreateAUser("test@example.com", password: null, emailAddress: "test@example.com");
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-
-                var cred = foundByUserName.Credentials.Single();
-                Assert.Same(user, foundByUserName);
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
-                Assert.True(CryptographyService.ValidateSaltedHash(cred.Value, "thePassword", Constants.PBKDF2HashAlgorithmId));
-            }
-
-            [Fact]
-            public void GivenASHA1AndAPBKDF2CredentialItAuthenticatesUserWithEitherCredential()
-            {
-                var user = CreateAUser("test@example.com", password: null, emailAddress: "test@example.com");
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("thePassword1"));
-                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password("thePassword2"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByPassword1 = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword1");
-                var foundByPassword2 = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword2");
-                Assert.Same(user, foundByPassword1);
-                Assert.Same(foundByPassword1, foundByPassword2);
-            }
-
-            [Fact]
-            public void GivenASHA1AndAPBKDF2CredentialItAuthenticatesUserAndRemovesTheSHA1Cred()
-            {
-                var user = CreateAUser("theUsername", password: null, emailAddress: "test@example.com");
-                user.Credentials.Add(CredentialBuilder.CreateSha1Password("thePassword"));
-                user.Credentials.Add(CredentialBuilder.CreatePbkdf2Password("thePassword"));
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(user);
-                service.MockCredentialRepository.HasData(user.Credentials);
-
-                var foundByUserName = service.FindByUsernameOrEmailAddressAndPassword("test@example.com", "thePassword");
-
-                var cred = foundByUserName.Credentials.Single();
-                Assert.Same(user, foundByUserName);
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, cred.Type);
-                Assert.True(CryptographyService.ValidateSaltedHash(cred.Value, "thePassword", Constants.PBKDF2HashAlgorithmId));
-            }
-        }
-
-        public class TheAuthenticateCredentialMethod
-        {
-            [Fact]
-            public void ReturnsNullIfNoCredentialOfSpecifiedTypeExists()
-            {
-                // Arrange
-                var creds = new List<Credential>() {
-                    new Credential("foo", "bar")
-                };
-                var service = new TestableUserService();
-                service.MockCredentialRepository.HasData(creds);
-
-                // Act
-                var result = service.AuthenticateCredential(type: "baz", value: "bar");
-
-                // Assert
-                Assert.Null(result);
-            }
-
-            [Fact]
-            public void ReturnsNullIfNoCredentialOfSpecifiedTypeWithSpecifiedValueExists()
-            {
-                // Arrange
-                var creds = new List<Credential>() {
-                    new Credential("foo", "bar")
-                };
-                var service = new TestableUserService();
-                service.MockCredentialRepository.HasData(creds);
-
-                // Act
-                var result = service.AuthenticateCredential(type: "foo", value: "baz");
-
-                // Assert
-                Assert.Null(result);
-            }
-
-            [Fact]
-            public void ReturnsCredentialIfOneExistsWithSpecifiedTypeAndValue()
-            {
-                // Arrange
-                var creds = new List<Credential>() {
-                    new Credential("foo", "bar")
-                };
-                var service = new TestableUserService();
-                service.MockCredentialRepository.HasData(creds);
-
-                // Act
-                var result = service.AuthenticateCredential(type: "foo", value: "bar");
-
-                // Assert
-                Assert.Same(creds[0], result);
-            }
-        }
-
-        public class TheReplaceCredentialMethod
-        {
-            [Fact]
-            public void ThrowsExceptionIfNoUserWithProvidedUserName()
-            {
-                // Arrange
-                var users = new List<User>() {
-                    new User("foo")
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(users);
-
-                // Act
-                var ex = Assert.Throws<InvalidOperationException>(() =>
-                    service.ReplaceCredential("biz", new Credential()));
-
-                // Assert
-                Assert.Equal(Strings.UserNotFound, ex.Message);
-            }
-
-            [Fact]
-            public void AddsNewCredentialIfNoneWithSameTypeForUser()
-            {
-                // Arrange
-                var existingCred = new Credential("foo", "bar");
-                var newCred = new Credential("baz", "boz");
-                var users = new List<User>() {
-                    new User("foo") { 
-                        Credentials = new List<Credential>() {
-                            existingCred
-                        }
-                    }
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(users);
-
-                // Act
-                service.ReplaceCredential("foo", newCred);
-
-                // Assert
-                Assert.Equal(2, users[0].Credentials.Count);
-                Assert.Equal(new[] { existingCred, newCred }, users[0].Credentials.ToArray());
-                service.MockUserRepository.VerifyCommitted();
-            }
-
-            [Fact]
-            public void ReplacesExistingCredentialIfOneWithSameTypeExistsForUser()
-            {
-                // Arrange
-                var frozenCred = new Credential("foo", "bar");
-                var existingCred = new Credential("baz", "bar");
-                var newCred = new Credential("baz", "boz");
-                var users = new List<User>() {
-                    new User("foo") { 
-                        Credentials = new List<Credential>() {
-                            existingCred,
-                            frozenCred
-                        }
-                    }
-                };
-                var service = new TestableUserService();
-                service.MockUserRepository.HasData(users);
-
-                // Act
-                service.ReplaceCredential("foo", newCred);
-
-                // Assert
-                Assert.Equal(2, users[0].Credentials.Count);
-                Assert.Equal(new[] { frozenCred, newCred }, users[0].Credentials.ToArray());
-                service.MockCredentialRepository
-                    .Verify(x => x.DeleteOnCommit(existingCred));
-                service.MockUserRepository.VerifyCommitted();
-            }
-        }
-
-        public class TheGenerateApiKeyMethod
-        {
-            [Fact]
-            public void SetsApiKeyToNewGuid()
-            {
-                var user = new User { ApiKey = Guid.Empty };
-                var userRepo = new Mock<IEntityRepository<User>>();
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindByUsername("theUsername"))
-                                 .Returns(user),
-                    userRepo: userRepo);
-
-                var apiKey = userService.GenerateApiKey("theUsername");
-
-                Assert.NotEqual(Guid.Empty, user.ApiKey);
-                Assert.Equal(apiKey, user.ApiKey.ToString());
-                userRepo.Verify(r => r.CommitChanges());
-            }
-        }
-
-        public class TheGeneratePasswordResetTokenMethod
-        {
-            [Fact]
-            public void ReturnsNullIfEmailIsNotFound()
-            {
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindByEmailAddress("email@example.com"))
-                                 .Returns((User)null));
-
-                var token = userService.GeneratePasswordResetToken("email@example.com", 1440);
-                Assert.Null(token);
-            }
-
-            [Fact]
-            public void ThrowsExceptionIfUserIsNotConfirmed()
-            {
-                var user = new User { Username = "user" };
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindByEmailAddress("user@example.com"))
-                                 .Returns(user));
-
-                Assert.Throws<InvalidOperationException>(() => userService.GeneratePasswordResetToken("user@example.com", 1440));
-            }
-
-            [Fact]
-            public void SetsPasswordResetTokenUsingEmail()
-            {
-                var user = new User
-                {
-                    Username = "user", 
-                    EmailAddress = "confirmed@example.com", 
-                    PasswordResetToken = null
-                };
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindByEmailAddress("email@example.com"))
-                                 .Returns(user));
-                var currentDate = DateTime.UtcNow;
-
-                var returnedUser = userService.GeneratePasswordResetToken("email@example.com", 1440);
-
-                Assert.Same(user, returnedUser);
-                Assert.NotNull(user.PasswordResetToken);
-                Assert.NotEmpty(user.PasswordResetToken);
-                Assert.True(user.PasswordResetTokenExpirationDate >= currentDate.AddMinutes(1440));
-            }
-
-            [Fact]
-            public void WithExistingNotYetExpiredTokenReturnsExistingToken()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    EmailAddress = "confirmed@example.com",
-                    PasswordResetToken = "existing-token",
-                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1)
-                };
-                var userService = CreateMockUserService(
-                    setup: u => u.Setup(x => x.FindByEmailAddress("user@example.com"))
-                                 .Returns(user));
-
-                var returnedUser = userService.GeneratePasswordResetToken("user@example.com", 1440);
-
-                Assert.Same(user, returnedUser);
-                Assert.Equal("existing-token", user.PasswordResetToken);
-            }
-
-            [Fact]
-            public void WithExistingExpiredTokenReturnsNewToken()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    EmailAddress = "confirmed@example.com",
-                    PasswordResetToken = "existing-token",
-                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddMilliseconds(-1)
-                };
-                var userService = CreateMockUserService(
-                    setup: mockUserService =>
-                    {
-                        mockUserService
-                            .Setup(x => x.FindByEmailAddress("user@example.com"))
-                            .Returns(user);
-                    });
-                var currentDate = DateTime.UtcNow;
-
-                var returnedUser = userService.GeneratePasswordResetToken("user@example.com", 1440);
-
-                Assert.Same(user, returnedUser);
-                Assert.NotEmpty(user.PasswordResetToken);
-                Assert.NotEqual("existing-token", user.PasswordResetToken);
-                Assert.True(user.PasswordResetTokenExpirationDate >= currentDate.AddMinutes(1440));
-            }
-        }
-
-        public class TheResetPasswordWithTokenMethod
-        {
-            [Fact]
-            public void ReturnsFalseIfUserNotFound()
-            {
-                var userService = new TestableUserService();
-                userService.MockUserRepository
-                           .Setup(r => r.GetAll())
-                           .Returns(Enumerable.Empty<User>().AsQueryable());
-
-                bool result = userService.ResetPasswordWithToken("user", "some-token", "new-password");
-
-                Assert.False(result);
-            }
-
-            [Fact]
-            public void ThrowsExceptionIfUserNotConfirmed()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    PasswordResetToken = "some-token",
-                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1)
-                };
-                var userService = new TestableUserService();
-                userService.MockUserRepository
-                           .Setup(r => r.GetAll())
-                           .Returns(new[] { user }.AsQueryable());
-
-                Assert.Throws<InvalidOperationException>(() => userService.ResetPasswordWithToken("user", "some-token", "new-password"));
-            }
-
-            [Fact]
-            public void ResetsPasswordAndPasswordTokenAndPasswordTokenDate()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    EmailAddress = "confirmed@example.com",
-                    PasswordResetToken = "some-token",
-                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1),
-                    HashedPassword = CryptographyService.GenerateSaltedHash("thePassword", Constants.PBKDF2HashAlgorithmId),
-                    PasswordHashAlgorithm = Constants.PBKDF2HashAlgorithmId,
-                };
-
-                var userService = new TestableUserService();
-                userService.MockUserRepository
-                           .Setup(r => r.GetAll())
-                           .Returns(new[] { user }.AsQueryable());
-
-                bool result = userService.ResetPasswordWithToken("user", "some-token", "new-password");
-
-                Assert.True(result);
-                Assert.True(VerifyPasswordHash(user.HashedPassword, user.PasswordHashAlgorithm, "new-password"));
-                Assert.Null(user.PasswordResetToken);
-                Assert.Null(user.PasswordResetTokenExpirationDate);
-                userService.MockUserRepository.VerifyCommitted();
-            }
-
-            [Fact]
-            public void ResetsPasswordCredential()
-            {
-                var oldCred = CredentialBuilder.CreatePbkdf2Password("thePassword");
-                var user = new User
-                {
-                    Username = "user",
-                    EmailAddress = "confirmed@example.com",
-                    PasswordResetToken = "some-token",
-                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1),
-                    HashedPassword = oldCred.Value,
-                    PasswordHashAlgorithm = Constants.PBKDF2HashAlgorithmId,
-                    Credentials = new List<Credential>() { oldCred }
-                };
-
-                var userService = new TestableUserService();
-                userService.MockUserRepository
-                           .Setup(r => r.GetAll())
-                           .Returns(new[] { user }.AsQueryable());
-
-                bool result = userService.ResetPasswordWithToken("user", "some-token", "new-password");
-
-                Assert.True(result);
-                var newCred = user.Credentials.Single();
-                Assert.Equal(CredentialTypes.Password.Pbkdf2, newCred.Type);
-                Assert.True(VerifyPasswordHash(newCred.Value, Constants.PBKDF2HashAlgorithmId, "new-password"));
-                userService.MockUserRepository.VerifyCommitted();
-            }
-
-            [Fact]
-            public void ResetsPasswordMigratesPasswordHash()
-            {
-                var user = new User
-                {
-                    Username = "user",
-                    EmailAddress = "confirmed@example.com",
-                    HashedPassword = CryptographyService.GenerateSaltedHash("thePassword", "SHA1"),
-                    PasswordHashAlgorithm = "SHA1",
-                    PasswordResetToken = "some-token",
-                    PasswordResetTokenExpirationDate = DateTime.UtcNow.AddDays(1),
-                };
-                var userService = new TestableUserService();
-                userService.MockUserRepository
-                           .Setup(r => r.GetAll())
-                           .Returns(new[] { user }.AsQueryable());
-
-                bool result = userService.ResetPasswordWithToken("user", "some-token", "new-password");
-
-                Assert.True(result);
-                Assert.Equal("PBKDF2", user.PasswordHashAlgorithm);
-                Assert.True(VerifyPasswordHash(user.HashedPassword, user.PasswordHashAlgorithm, "new-password"));
-                Assert.Null(user.PasswordResetToken);
-                Assert.Null(user.PasswordResetTokenExpirationDate);
-                userService.MockUserRepository.VerifyCommitted();
-            }
-        }
-
         public class TheChangeEmailMethod
         {
             User CreateUser(string username, string password, string emailAddress)
diff --git a/tests/NuGetGallery.Facts/TestUtils/FakeEntitiesContext.cs b/tests/NuGetGallery.Facts/TestUtils/FakeEntitiesContext.cs
index 0fba1096ab..5bd890a89c 100644
--- a/tests/NuGetGallery.Facts/TestUtils/FakeEntitiesContext.cs
+++ b/tests/NuGetGallery.Facts/TestUtils/FakeEntitiesContext.cs
@@ -59,6 +59,18 @@ public IDbSet<Package> Packages
             }
         }
 
+        public IDbSet<Credential> Credentials
+        {
+            get
+            {
+                return Set<Credential>();
+            }
+            set
+            {
+                throw new NotSupportedException();
+            }
+        }
+
         public IDbSet<User> Users
         {
             get
diff --git a/tests/NuGetGallery.Facts/TestUtils/MockExtensions.cs b/tests/NuGetGallery.Facts/TestUtils/MockExtensions.cs
index 06e7b6c09b..1a2898b48a 100644
--- a/tests/NuGetGallery.Facts/TestUtils/MockExtensions.cs
+++ b/tests/NuGetGallery.Facts/TestUtils/MockExtensions.cs
@@ -3,6 +3,9 @@
 using System.Collections.Generic;
 using System.Linq;
 using Moq;
+using NuGetGallery.Authentication;
+using System;
+using Xunit;
 
 namespace NuGetGallery
 {
@@ -46,6 +49,12 @@ public static IReturnsResult<IEntityRepository<T>> HasData<T>(this Mock<IEntityR
             return self.Setup(e => e.GetAll()).Returns(fakeData.AsQueryable());
         }
 
+        public static void VerifyCommitChanges(this IEntitiesContext self)
+        {
+            FakeEntitiesContext context = Assert.IsAssignableFrom<FakeEntitiesContext>(self);
+            context.VerifyCommitChanges();
+        }
+
         public static void VerifyCommitted<T>(this Mock<IEntityRepository<T>> self)
             where T : class, IEntity, new()
         {
@@ -56,5 +65,13 @@ public static void VerifyCommitted(this Mock<IEntitiesContext> self)
         {
             self.Verify(e => e.SaveChanges());
         }
+
+        public static IReturnsResult<AuthenticationService> SetupAuth(this Mock<AuthenticationService> self, Credential cred, User user)
+        {
+            return self.Setup(us => us.Authenticate(It.Is<Credential>(c =>
+                String.Equals(c.Type, cred.Type, StringComparison.OrdinalIgnoreCase) &&
+                String.Equals(c.Value, cred.Value, StringComparison.Ordinal))))
+                .Returns(user == null ? null : new AuthenticatedUser(user, cred));
+        }
     }
 }
diff --git a/tests/NuGetGallery.Facts/TestUtils/OwinAssert.cs b/tests/NuGetGallery.Facts/TestUtils/OwinAssert.cs
new file mode 100644
index 0000000000..7af6125df3
--- /dev/null
+++ b/tests/NuGetGallery.Facts/TestUtils/OwinAssert.cs
@@ -0,0 +1,88 @@
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Linq;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Xunit;
+
+namespace NuGetGallery
+{
+    public static class OwinAssert
+    {
+        private static readonly DateTimeOffset CookieEpoch = new DateTimeOffset(1970, 1, 1, 0, 0, 0, 0, TimeSpan.Zero);
+
+        private static Regex _cookieRegex = new Regex(@"^\s*(?<name>[^=]*)=(?<val>[^;]*)(;(?<fields>.*))?\s*$");
+        private static Regex _fieldRegex = new Regex(@"^\s*(?<name>[^=]*)=(?<val>.*)\s*$");
+        
+        public static void WillRedirect(IOwinContext context, string expectedLocation)
+        {
+            Assert.Equal(302, context.Response.StatusCode);
+            Assert.Equal(expectedLocation, context.Response.Headers["Location"]);
+        }
+
+        public static void SetsCookie(IOwinResponse response, string name, string expectedValue)
+        {
+            // Get the cookie
+            var cookie = GetCookie(response, name);
+
+            // Check the value
+            Assert.NotNull(cookie);
+            Assert.Equal(expectedValue, cookie.Value);
+        }
+
+        public static void DeletesCookie(IOwinResponse response, string name)
+        {
+            // Get the cookie
+            var cookie = GetCookie(response, name);
+
+            // Check the value and expiry
+            Assert.NotNull(cookie);
+            Assert.True(String.IsNullOrEmpty(cookie.Value));
+            Assert.True(cookie.Fields.ContainsKey("expires"));
+            Assert.Equal(CookieEpoch, DateTimeOffset.Parse(cookie.Fields["expires"]));
+        }
+
+        private static Cookie GetCookie(IOwinResponse response, string name)
+        {
+            return GetCookies(response).FirstOrDefault(c => c.Name == name);
+        }
+
+        private static IEnumerable<Cookie> GetCookies(IOwinResponse response)
+        {
+            foreach (var cookieHeader in response.Headers.GetValues("Set-Cookie"))
+            {
+                var match = _cookieRegex.Match(cookieHeader);
+                if (match.Success)
+                {
+                    var fieldStrings = match.Groups["fields"].Value.Split(';');
+                    yield return new Cookie(
+                        match.Groups["name"].Value,
+                        match.Groups["val"].Value,
+                        fieldStrings
+                            .Select(s => _fieldRegex.Match(s))
+                            .Where(m => m.Success)
+                            .ToDictionary(
+                                m => m.Groups["name"].Value, 
+                                m => m.Groups["val"].Value));
+                }
+            }
+        }
+
+        private class Cookie
+        {
+            public string Name { get; private set; }
+            public string Value { get; private set; }
+            public IDictionary<string, string> Fields { get; private set; }
+
+            public Cookie(string name, string value, IDictionary<string, string> fields)
+            {
+                Name = name;
+                Value = value;
+                Fields = fields;
+            }
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/TestUtils/OwinTestExtensions.cs b/tests/NuGetGallery.Facts/TestUtils/OwinTestExtensions.cs
new file mode 100644
index 0000000000..c327f6d912
--- /dev/null
+++ b/tests/NuGetGallery.Facts/TestUtils/OwinTestExtensions.cs
@@ -0,0 +1,37 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Xunit;
+
+namespace NuGetGallery
+{
+    public static class OwinTestExtensions
+    {
+        public static IOwinRequest SetUrl(this IOwinRequest self, string url)
+        {
+            Uri uri = new Uri(url);
+            self.Scheme = uri.Scheme;
+            self.Host = uri.Host;
+            self.PathBase = "";
+            self.QueryString = uri.Query.TrimStart('?');
+            self.Path = uri.AbsolutePath;
+            return self;
+        }
+
+        public static IOwinRequest SetCookie(this IOwinRequest self, string name, string value)
+        {
+            // Force the cookies collection to be initialized.
+            var _ = self.Cookies;
+
+            // Grab the internal dictionary
+            var dict = self.Get<IDictionary<string, string>>("Microsoft.Owin.Cookies#dictionary");
+
+            // Set the cookie
+            dict[name] = value;
+            return self;
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/TestUtils/TestUtility.cs b/tests/NuGetGallery.Facts/TestUtils/TestUtility.cs
index 1f7d91e6ed..cbdfd87b30 100644
--- a/tests/NuGetGallery.Facts/TestUtils/TestUtility.cs
+++ b/tests/NuGetGallery.Facts/TestUtils/TestUtility.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.IO;
 using System.Reflection;
@@ -17,10 +18,8 @@ public static class TestUtility
         public static readonly string FakeUserName = "theUsername";
         public static readonly string FakeAdminName = "theAdmin";
 
-        public static readonly IPrincipal FakePrincipal = new GenericPrincipal(new GenericIdentity(FakeUserName), new string[0]);
-        public static readonly IPrincipal FakeAdminPrincipal = new GenericPrincipal(new GenericIdentity(FakeAdminName), new [] { Constants.AdminRoleName });
-        public static readonly User FakeUser = new User() { Username = FakeUserName };
-        public static readonly User FakeAdminUser = new User() { Username = FakeAdminName };
+        public static readonly User FakeUser = new User() { Username = FakeUserName, Key = 42 };
+        public static readonly User FakeAdminUser = new User() { Username = FakeAdminName, Roles = new List<Role>() { new Role() { Name = Constants.AdminRoleName } } };
 
         // We only need this method because testing URL generation is a pain.
         // Alternatively, we could write our own service for generating URLs.
diff --git a/tests/NuGetGallery.Facts/packages.config b/tests/NuGetGallery.Facts/packages.config
index 435c38def6..c8fc35eff3 100644
--- a/tests/NuGetGallery.Facts/packages.config
+++ b/tests/NuGetGallery.Facts/packages.config
@@ -13,6 +13,10 @@
   <package id="Microsoft.Data.OData" version="5.5.0" targetFramework="net45" />
   <package id="Microsoft.Data.Services" version="5.5.0" targetFramework="net45" />
   <package id="Microsoft.Data.Services.Client" version="5.5.0" targetFramework="net45" />
+  <package id="Microsoft.Owin" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Host.SystemWeb" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security" version="2.0.0-rc1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security.Cookies" version="2.0.0-rc1" targetFramework="net45" />
   <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
   <package id="Microsoft.Web.Xdt" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.WindowsAzure.ConfigurationManager" version="2.0.1.0" targetFramework="net45" />
@@ -25,6 +29,7 @@
   <package id="Ninject.MVC3" version="3.0.0.6" targetFramework="net45" />
   <package id="Ninject.Web.Common" version="3.0.0.7" targetFramework="net45" />
   <package id="NuGet.Core" version="2.7.0" targetFramework="net45" />
+  <package id="Owin" version="1.0" targetFramework="net45" />
   <package id="PoliteCaptcha" version="0.4.0.0" targetFramework="net45" />
   <package id="recaptcha" version="1.0.5.0" targetFramework="net45" />
   <package id="SharpZipLib" version="0.86.0" targetFramework="net45" />