This article demonstrates how to set up a Web API 2 Excel file download using the OAuth2 Implicit Flow. The application requires the Authorization Server and Identity Server V2 from Thinktecture and also the Excel media formatter from WebApiContrib. Blog posts on leastprivilege.com helped a great deal in completing this article; thanks for those posts. The article should serve as a simple how-to for this scenario.
Code: https://github.com/damienbod/ExcelFileExportWithOAuth2ImplicitFlow
OAuth2 Implicit Flow
The application uses the OAuth2 Implicit flow. This flow is defined here:
http://tools.ietf.org/id/draft-ietf-oauth-v2-31.html#rfc.section.4.2
Resource Server
The resource server is a simple MVC application which hosts a Web API 2 service. The API has a single method for exporting Excel data. This export uses the WebApiContrib.Formatting.Xlsx library from Jordan Gray. The API method forces Excel to be returned regardless of what is set in the Accept header. This is not usually good practice, as the client should decide in which format…
Dominick,
I saw this post and have watched the API Security course on Pluralsight. I am wondering, however, what the right way is to handle things such as report PDFs and images in JavaScript? I consider adding the token to the GET a bad idea in general. I’m thinking this is more of a hybrid solution to get a new access token back with scope set for the resource, but I almost want to include claims for the resource itself too. Then that gets passed to the URL. What are your thoughts on this?
You could embed your own mini token issuer for your resources – and scoped, short/long-lived access tokens that you can send along (either via a header or a query string) from the client.
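As an added, constructed example (not code from the reblogged project or from either commenter), the "mini token issuer" pattern from the reply above, applied to the report-download question: a browser navigation to a PDF, image or xlsx URL cannot carry an Authorization header, so the client first exchanges its regular bearer access token for a token bound to one resource path and one scope with a short expiry, and only that token travels in the query string. The scope names `reports.read` and `report:read`, the signing key and the claim layout are assumptions made for the example; in the real setup the access-token claims would come from the API's token validation middleware.

```python
"""Constructed demo of a per-resource mini token issuer for file downloads."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical signing key; a real deployment loads it from a key store and rotates it.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_download_token(subject, resource, scope, ttl_seconds, now, key=SIGNING_KEY):
    """Mint a token usable only for `resource` with `scope`, expiring after ttl_seconds."""
    payload = {
        "sub": subject,
        "res": resource,              # exact resource path the token may fetch
        "scope": scope,               # space-separated scopes
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so equal payloads still yield distinct tokens
    }
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_download_token(token, resource, required_scope, now, key=SIGNING_KEY):
    """Return (ok, reason, payload). The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    body, sig = parts
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature", None
    try:
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if payload.get("exp", 0) <= now:
        return False, "expired", payload
    if payload.get("res") != resource:
        return False, "wrong resource", payload
    if required_scope not in payload.get("scope", "").split():
        return False, "missing scope", payload
    return True, "ok", payload


def exchange_for_download_token(access_token_claims, resource, now, ttl_seconds=60):
    """The resource server's mini issuer: called by the client with its normal (already
    validated) access token; returns a short-lived token for exactly `resource`, or None."""
    if access_token_claims.get("exp", 0) <= now:
        return None
    api_scopes = access_token_claims.get("scope", "").split()
    # Hypothetical mapping: the broad API scope grants read access to report resources only.
    if resource.startswith("/reports/") and "reports.read" in api_scopes:
        return issue_download_token(access_token_claims["sub"], resource,
                                    "report:read", ttl_seconds, now)
    return None


def authorize_download(url, now):
    """Server-side check for a GET like /reports/42.pdf?token=...; returns (status, reason)."""
    parsed = urlparse(url)
    token = parse_qs(parsed.query).get("token", [""])[0]
    ok, reason, _ = validate_download_token(token, parsed.path, "report:read", now)
    return (200 if ok else 401), reason


if __name__ == "__main__":
    # Constructed claims standing in for a validated implicit-flow access token.
    claims = {"sub": "alice", "scope": "reports.read openid", "exp": 2000}
    tok = exchange_for_download_token(claims, "/reports/42.pdf", now=1000)
    print(authorize_download("https://api.example/reports/42.pdf?token=" + tok, now=1030))
    print(authorize_download("https://api.example/reports/43.pdf?token=" + tok, now=1030))
```

Because the download token is bound to a single path and expires within a minute, a copy that lands in a proxy log, browser history or Referer header is of little use, which is what makes the query-string transport acceptable here where sending the long-lived API access token in the URL would not be.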