You can download the complete source from here. The Web API security sample is in samples/web api security.
On my machine I have mapped the samples/web api security/webhost directory to IIS. I am sure you can use IIS Express as well, but ultimately I find it easier to use IIS (especially combined with SSL). Once you have that mapping in place, set the start URL in Visual Studio and you should be able to simply F5 the MVC project in Visual Studio.
On the login screen you can use whatever username you like; just use a password that equals the username.
As you can see on the screenshot, I use SSL. This is not a strict requirement, but I only tested the SSL case.
To use the various clients, you also need to adjust some values in the Constants.cs in the PortableCommon project:
//
// change the below constants to match your local system
//
public const string WebHostName = "roadie";
public const string SelfHostName = "roadie";
public const string WebHostAppName = "/webapisecurity/api/";
public const string SelfHostAppName = "/webapisecurity/api/";
public const string WebHostBaseAddress =
    "https://" + WebHostName + WebHostAppName;
public const string SelfHostBaseAddress =
    "https://" + SelfHostName + SelfHostAppName;
I assume this is pretty self-explanatory. Adjust your hostname here, and the virtual path. I recommend you simply use webapisecurity just as I did.
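How the constants above combine into the request a Basic-auth client sends, as an added example that is not code from the sample repository. `BuildIdentityRequest` is a hypothetical helper, the user `alice` is constructed, and it is an assumption that the API accepts the same username-equals-password rule as the login screen.

```csharp
// Added example, not part of the sample repository.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

static class IdentityRequestDemo
{
    // Same composition as Constants.cs; "roadie" is the host name used in the post.
    const string WebHostName = "roadie";
    const string WebHostAppName = "/webapisecurity/api/";
    const string WebHostBaseAddress = "https://" + WebHostName + WebHostAppName;

    // Hypothetical helper: builds the GET for the "identity" resource with Basic credentials.
    static HttpRequestMessage BuildIdentityRequest(string baseAddress, string user, string password)
    {
        var baseUri = new Uri(baseAddress, UriKind.Absolute);

        // Basic credentials are only base64-encoded, so refuse to attach them without TLS.
        if (baseUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Basic credentials require https: " + baseUri);

        // Without a trailing slash the last path segment is dropped during resolution.
        if (!baseUri.AbsolutePath.EndsWith("/", StringComparison.Ordinal))
            throw new ArgumentException("Base address must end with '/': " + baseUri);

        var request = new HttpRequestMessage(HttpMethod.Get, new Uri(baseUri, "identity"));
        var raw = Encoding.UTF8.GetBytes(user + ":" + password);
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Basic", Convert.ToBase64String(raw));
        return request;
    }

    static void Main()
    {
        // Assumption: the API accepts any user name with an identical password.
        var request = BuildIdentityRequest(WebHostBaseAddress, "alice", "alice");
        Console.WriteLine(request.RequestUri);
        Console.WriteLine(request.Headers.Authorization);

        // Two variations that resolve outside /webapisecurity/api/:
        // a base address with no trailing slash, and a relative URI with a leading slash.
        Console.WriteLine(new Uri(new Uri("https://roadie/webapisecurity/api"), "identity"));
        Console.WriteLine(new Uri(new Uri(WebHostBaseAddress), "/identity"));
    }
}
```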
Is it possible to return additional information after a successful authentication? Currently, what’s being returned are the following: access_token and expires_in. Since the CreateSessionTokenResponse is accepting a ClaimsPrincipal and I can add my desired information there, is it okay to pass it back to the calling code? Or it’s just not the way it should work?
Ah I got it, but thanks anyway.
Hi there, I downloaded the samples and I think I followed the correct instructions but it just doesn’t seem to want to work. For example in the BasicAuth sample, it is doing this: var response = client.GetAsync("identity").Result; But there is no identity in WebHost, or am I missing something? It appears that the WebHost is just an MVC app and not a Web API app. So the samples are pointing to the WebHost directory which I set on IIS but this directory seems to only be an MVC web app rather than implementing ASP.NET Web API. Any ideas?
Hm – this problem occurred more than once now…
The identity controller is in the Common assembly (under resources).
Have you checked out the complete IdentityModel 45 repo? Have you tried compiling the identity model solution first?
Thanks for the quick reply. No I downloaded the ZIP from github. But I did build each project separately. I will clone the repo and build everything from scratch. Thanks.
Just one step away from getting the oauth2 codeflow example working end to end with latest source for identitymodel and identityserver.
The client talks to idsrv fine, when ‘call service’ is clicked I get a 404.
The common assembly is compiled and referenced by webhost but /identity throws 404 and I don’t see anywhere in the webhost code where the identity handler is being registered.
In WebApiConfig.cs there is the standard web api route.
But I do see that Thinktecture.IdentityModel.45 / Samples / Web API (InAppWindows) / WebApiInAppWindows configures the api identity endpoint but this seems to be old code. Any guidance?
This is not old code – just a different sample
All fixed, thanks. All seems to be working now.
Any idea what made it work? ;)
Hi, I hosted the WebHost in IIS in the same way as you explained:
https://localhost/WebApiSecurity/
By browsing this site from inetmgr I am able to see the page.
In PortableCommon.Constants I changed the settings like this:
WebHostName = "localhost";
SelfHostName = "localhost";
WebHostAppName = "/WebApiSecurity/";
SelfHostAppName = "/WebApiSecurity/";
Can you please tell me what I am doing wrong, because I am getting an Aggregate Exception was unhandled error.
Hi, when I start the Web API Security solution in VS 2012 a pop up window appears saying: “Configuration Web https://localhost:44303/ for ASP.NET 4.5 failed. You must manually configure this site for ASP.NET 4.5 in order for the site to run correctly…” it also asks to set “https://localhost:44303/” on local machine?
Actually, for some reason the Thinktecture.IdentityModel project did not load the System.IdentityModel.Tokens.Jwt.dll included in the packages. I added the reference manually and all errors went away. I’ll go from here, thanks.
Just starting out with this… do these samples need to be updated, or is there another branch?
I cloned the repo, got a ton of errors. Lots of references weren’t loaded.
I tried to update all the packages, and then got “10 conflicts between different versions of the same dependent assembly” and a bunch of other errors, even just trying to build Thinktecture.IdentityModel.45 by itself.
a) JwtConstants is ambiguous between System.IdentityModel.Tokens.JwtConstants and Thinktecture.IdentityModel.Constants.JwtConstants (I arbitrarily used Thinktecture)
b) AllowedAudience and SigningToken are not valid members of System.IdentityModel.Tokens.TokenValidationParameters
c) no overload for method ‘ValidateToken’ takes 2 arguments.
There are a couple of others, but these were the most prominent.
thanks
Yes – later updates to some of the libraries broke the sample (not if you would stay with exactly the version numbers in packages.config).
The latest incarnation of that sample is here:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients