So I'm not buying that it's using the wrong abstractions incapable of supporting different auth models used on the web.
At the same time a single implementation can't support all things for all people, it's been designed so it does its best to support multiple caching / auth repository back-ends and Web Auth strategies whilst retaining a simple & declarative configuration.
In order to provide a flexible and testable solution that can be cleanly re-used in any host, we've stayed clear of trying to support *any* of the existing
ASP.NET providers. It's attached to the user session since that's where all user state should be held so service impls can retrieve all user state with a single cache hit. I don't agree Authentication should be treated differently and maintained in a different area. Most other platforms implements authentication in user-space which is where I think it should be.
Although as it's opinionated, its intend to be completely optional, that's why it's baked into the higher user-level ServiceStack.ServiceInterfacs.dll rather than the core ServiceStack.dll. Either way it's easy to inject your own Authentication strategies using the same techniques that it uses (e.g. Request Filters).
But if you think you can enhance the existing Auth Providers without introducing complexity or forcing more burden on end-users (e.g. configuration), then sure we welcome pull-requests sharing the same goal.