I've defined a HttpParameterBinding derived class which is registered correctly during the web app startup.
The parameter binding is binds the UserTypePrincipal from Thread.CurrentPrincipal to a method parameter.
When I invoke the API then I get a serialization error, because that type is not serializable.
Upon this error message I started to investigate what can be the problem, and I narrowed it down to HttpActionDescriptor class's ActionBinding property.
It turns out that the _actionBinding private variable is getting a value from somewhere (and I did not find a simple place where its set from), so the getter for this property fails the null check at the beginning and returning a default instance of a wrapped
public virtual HttpActionBinding ActionBinding
if (_actionBinding == null) // This is never null
ServicesContainer controllerServices = _controllerDescriptor.Configuration.Services;
IActionValueBinder actionValueBinder = controllerServices.GetActionValueBinder();
HttpActionBinding actionBinding = actionValueBinder.GetBinding(this);
_actionBinding = actionBinding;
If I manually bypassing the null check, then the ParameterBinding is picked up and everything works fine.
Its even repros on the latest sources.