ASP.NET Web API Security: Setting up the Sample

You can download the complete source from here. The Web API security sample is in samples/web api security.

On my machine I have mapped the samples/web api security/webhost directory to IIS. I am sure you can use IIS Express as well, but ultimately I find it easier to use IIS (especially combined with SSL). Once you have that mapping in place, set the start URL in Visual Studio and you should be able to simply F5 the MVC project in Visual Studio.

In the login screen, you can use whatever username you like, just use a password that equals the username.


As you can see on the screenshot, I use SSL. This is not a strict requirement, but I only tested the SSL case.

To use the various clients, you also need to adjust some values in the Constants.cs in the PortableCommon project:


// change the below constants to match your local system



public const string WebHostName = “roadie”;

public const string SelfHostName = “roadie”;


public const string WebHostAppName = “/webapisecurity/api/”;

public const string SelfHostAppName = “/webapisecurity/api/”;


public const string WebHostBaseAddress =
“https:// “
+ WebHostName + WebHostAppName;

public const string SelfHostBaseAddress =
“https:// “
+ SelfHostName + SelfHostAppName;

I assume this is pretty self-explaining. Adjust your hostname here, and the virtual path. I recommend you simply use webapisecurity just as I did.

This entry was posted in IdentityModel, WebAPI. Bookmark the permalink.

16 Responses to ASP.NET Web API Security: Setting up the Sample

  1. Is it possible to return additional information after a successful authentication? Currently, what’s being returned are the following: access_token and expires_in. Since the CreateSessionTokenResponse is accepting a ClaimsPrincipal and I can add my desired information there, is it okay to pass it back to the calling code? Or it’s just not the way it should work?

  2. Ian says:

    Hi There, I downloaded the samples and I think I followed the correct instructions but it just doesn’t seem to want to work. For example in the BasicAuth sample, it is doing this, var response = client.GetAsync(“identity”).Result; But there is no identity in WebHost, are am I missing something? It appears that the WebHost is just a MVC app and not a web api app. So the samples are pointing to the WebHost directory which I set on IIS but this directory seems to only be a MVC web app rather than implementing web api. Any ideas?

    • Hm – this problem occurred more than once now…

      The identity controller is in the Common assembly (under resources).

      Have you checked out the complete IdentityModel 45 repo? Have you tried compiling the identity model solution first?

      • Ian Gregson says:

        Thanks for the quick reply. No I downloaded the ZIP from github. But I did build each project separately. I will clone the repo and build everything from scratch. Thanks.

      • Sky Sanders says:

        just one step away from getting the oauth2 codeflow example working end to end with latest source for identitymodel and identityserver..

        the client talks to idsrv fine, when ‘call service’ is clicked i get a 404.

        the common assembly is compiled and referenced by webhost but /identity throws 404 and i don’t see anywhere in the webhost code where the identity handler is being registered.

      • In WebApiConfig.cs there is the standard web api route.

      • Sky Sanders says:

        but i do see that Thinktecture.IdentityModel.45 / Samples / Web API (InAppWindows) / WebApiInAppWindows configures the api identity endpoint but this seems to be old code. any guidance?

      • This is not old code – just a different sample

  3. Ian Gregson says:

    All fixed, thanks. All seems to be working now.

  4. Any idea what made it work? ;)

  5. utsavsoftutsavvishnoi says:

    Hi i hosted the WebHost in the same way as you explained in the IIS
    by browsing this site from the inetmgr i am able to see the page.
    In the PortableCommon.Constants i change the settings like
    WebHostName = “localhost”;
    SelfHostName = “localhost”;
    WebHostAppName = “/WebApiSecurity/”;
    SelfHostAppName = “/WebApiSecurity/”;
    Can you please tell me where i am doing wrong because i am getting Aggregate Exception was unhandled error.

  6. bartek4c says:

    Hi, when I start the Web API Security solution in VS 2012 a pop up window appears saying: “Configuration Web https://localhost:44303/ for ASP.NET 4.5 failed. You must manually configure this site for ASP.NET 4.5 in order for the site to run correctly…” it also asks to set “https://localhost:44303/” on local machine?

  7. kris says:

    Actually, for some reason the Thinktecture.IdentityModel project did not load the System.IdentityModel.Tokens.Jwt.dll included in the packages. I added the reference manually and all errors went away. I’ll go from here, thanks.

  8. Just starting out with this… do these sample need to be updated, or is there another branch?
    I cloned the repo, got a ton of errors. Lots of references weren’t loaded.

    I tried to update all the packages, and then got “10 conflicts between different versions of the same dependent assembly” and a bunch of other errors, even just trying to build Thinktecture.IdentityModel.45 by itself.

    a) JwtConstants is ambiguous between Sytem.IdentityModel.Tokens.JwtConstants and Thinktecture.IdentityModel.Constans.JwtConstants (i arbitrarily used Thinktecture)

    b) AllowedAudience and SigningToken are not valid members of System.IdentityModel.TOkens.TokenValidationParameters

    c) no overload for method ‘ValidateToken’ takes 2 arguments.

    there are a couple of others, but thes were the most prominent.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s