Using AuthorizationServer with Web API v2/Katana – first look

Traditionally we have used Thinktecture.IdentityModel to parse and validate incoming JWT tokens in Web API. The good news is, there is nothing you have to change when moving to Web API v2 – the delegating handler approach, and thus IdentityModel, is fully supported in v2.

If you want to move to OWIN-based hosting and Katana, you have to replace our AuthenticationHandler with the new JWT middleware, e.g. like this:

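app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // Accept only tokens issued for this resource
    AllowedAudiences = new[] { Constants.Audience },

    // Trusted issuer and the symmetric key used to verify its signatures
    IssuerSecurityTokenProviders =
      new[] { new SymmetricKeyIssuerSecurityTokenProvider(
                Constants.AS.IssuerName,
                Constants.AS.SigningKey) }
});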

…and voila.

The above is not exactly the most brilliant looking API in the world, is it? (speaking the native tongue of the dev :p)…compared to IdentityModel (at least for the simple cases):


    issuer: Constants.AS.IssuerName,   


..But we are getting there…stay tuned…

(full sample is here)
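An added sketch (not code from this post, Katana, or IdentityModel) of the checks that the allowed audience, issuer, and symmetric signing key settings in the middleware configuration correspond to, written against the .NET 6+ base class library. The `JwtChecks` helper and all sample values are constructed for illustration, and only a single-string `aud` claim is handled.

```csharp
// Added illustration for .NET 6+; JwtChecks is a hypothetical helper, not Katana
// or IdentityModel code. Key, issuer and audience values are constructed samples.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

var key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-real-use");
var exp = DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds();
var good = JwtChecks.Mint(key, "{\"iss\":\"AS\",\"aud\":\"users\",\"exp\":" + exp + "}");
var wrongAud = JwtChecks.Mint(key, "{\"iss\":\"AS\",\"aud\":\"other\",\"exp\":" + exp + "}");

Console.WriteLine(JwtChecks.Validate(good, key, "AS", new[] { "users" }));          // matching key, issuer, audience
Console.WriteLine(JwtChecks.Validate(wrongAud, key, "AS", new[] { "users" }));      // audience not in the allowed list
Console.WriteLine(JwtChecks.Validate(good, new byte[32], "AS", new[] { "users" })); // verifier holds a different key

static class JwtChecks
{
    static string Enc(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Dec(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    static byte[] Sign(byte[] key, string input) => HMACSHA256.HashData(key, Encoding.ASCII.GetBytes(input));
    public static string Mint(byte[] key, string payloadJson)
    {
        var input = Enc(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}")) + "." + Enc(Encoding.UTF8.GetBytes(payloadJson));
        return input + "." + Enc(Sign(key, input));
    }
    public static bool Validate(string token, byte[] key, string issuer, string[] audiences)
    {
        try
        {
            var p = token.Split('.');
            if (p.Length != 3) return false;
            using var header = JsonDocument.Parse(Dec(p[0]));
            // Pin the algorithm on the server; the token must not get to choose it.
            if (header.RootElement.GetProperty("alg").GetString() != "HS256") return false;
            // Constant-time comparison of the HMAC over "header.payload".
            if (!CryptographicOperations.FixedTimeEquals(Sign(key, p[0] + "." + p[1]), Dec(p[2]))) return false;
            using var body = JsonDocument.Parse(Dec(p[1]));
            var c = body.RootElement;
            return c.GetProperty("iss").GetString() == issuer
                && Array.IndexOf(audiences, c.GetProperty("aud").GetString()) >= 0
                && c.GetProperty("exp").GetInt64() > DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        }
        catch (Exception e) when (e is FormatException or JsonException
            or KeyNotFoundException or InvalidOperationException) { return false; }
    }
}
```

Any malformed segment, missing claim, or claim of the wrong type falls into the catch filter and is treated as a rejection rather than an error the caller has to interpret.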
