API end point returning “Authorization has been denied for this request.” when sending bearer token

Question

I\'ve followed a tutorial to protect a Web API with OAuth in C#.

I\'m doing some tests and so far I\'ve been able to get the access token successfully from /token

Answer 1

Issue is pretty simple: Change order of your OWIN pipeline.

public void Configuration(IAppBuilder app)
{
    ConfigureOAuth(app);
    var config = new HttpConfiguration();
    WebApiConfig.Register(config);
    app.UseWebApi(config);
}

For OWIN pipeline order of your configuration quite important. In your case, you try to use your Web API handler before the OAuth handler. Inside of it, you validate your request, found you secure action and try to validate it against current Owin.Context.User. At this point this user not exist because its set from the token with OAuth Handler which called later.

Answer 2

You have to add a claim with this schema:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role

best thing to do is to use the pre-defined set of claims:

identity.AddClaim(new Claim(ClaimTypes.Role, "User"));

You can find ClaimTypes in System.Security.Claims.

Another thing you have to consider is filter roles in your Controller/Action:

[Authorize(Roles="User")]

You can find a simple sample app, self-hosted owin with a jquery client here.

Answer 3

Looks like the version of "System.IdentityModel.Tokens.Jwt" that co-exists with the other Owin assemblies is not proper.

In case you're using "Microsoft.Owin.Security.Jwt" version 2.1.0, you ought to be using the "System.IdentityModel.Tokens.Jwt" assembly of version 3.0.2.

From the package manager console, try:

Update-Package System.IdentityModel.Tokens.Jwt -Version 3.0.2