I prefer the auth handler to worry about all auth, and register to call into it as needed, than to smatter auth logic between the two.
Daniel Wagner-Hall