Edit: After progressing, I can narrow the scope of the question:
What changes should be made to startup.auth.cs and ApplicationOAuthProvider.cs in the VS2013 SPA templat
The following is just the code from the SPA template with the provider for UserManager replaced with the stuff introduced in 2.0 Identity.

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId, () => HttpContext.Current.GetOwinContext().Get<ApplicationUserManager>()),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = false
    };

Here is also a Generic ApplicationOauthProvider you can use: https://gist.github.com/s093294/9076631 (do note I haven't tested it and just put it together for you)
Example if you have:

    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

you can do

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider<ApplicationUserManager,ApplicationUser,Guid>(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = false
    };
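
As an added example (not code from the posts above or from the linked gist): a non-generic ApplicationOAuthProvider that takes only PublicClientId and resolves the user manager from each request's OWIN context. It assumes the template's ApplicationUser type and an ApplicationUserManager registered with app.CreatePerOwinContext as shown above.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Added example; ApplicationUser and ApplicationUserManager are assumed to be the template's types.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly string _publicClientId;

    public ApplicationOAuthProvider(string publicClientId)
    {
        if (publicClientId == null) throw new ArgumentNullException("publicClientId");
        _publicClientId = publicClientId;
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Per-request manager created by CreatePerOwinContext; no factory Func or HttpContext.Current needed.
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One error for both unknown user and wrong password, so the response does not reveal which.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Password grant from a public client: there is no client secret to verify.
        if (context.ClientId == null) context.Validated();
        return Task.FromResult<object>(null);
    }

    public override Task ValidateClientRedirectUri(OAuthValidateClientRedirectUriContext context)
    {
        // Only this application's own root URI is accepted as a redirect target.
        var expectedRoot = new Uri(context.Request.Uri, "/");
        if (context.ClientId == _publicClientId && expectedRoot.AbsoluteUri == context.RedirectUri)
            context.Validated();
        return Task.FromResult<object>(null);
    }
}
```

With this class, the options above become `Provider = new ApplicationOAuthProvider(PublicClientId)`.
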
If you are looking for how to implement Bearer tokens for WEBAPI and MVC Cookie authentication then check out this article:

Simply put, this solution uses the OWIN Middleware components UseOAuthBearerAuthentication and UseCookieAuthentication (I know Cookie auth is not part of the question but very relevant regarding MVC projects) to support browser based authentication and WEBAPI request authentication via Cookies and Tokens, respectively.

    OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
    // This will use the HTTP header: "Authorization" Value: "Bearer 1234123412341234asdfasdfasdfasdf"
    app.UseOAuthBearerAuthentication(OAuthBearerOptions);
    // Enable the application to use a cookie to store information for the signed in user
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });

HostAuthenticationFilter represents an authentication filter that authenticates via OWIN middleware:

    config.SuppressDefaultHostAuthentication();
    // This will use the HTTP header: "Authorization" Value: "Bearer 1234123412341234asdfasdfasdfasdf"
    config.Filters.Add(new HostAuthenticationFilter("Bearer"));

    // Build the identity carried inside the token.
    // user and userIdentity come from the surrounding login code, which is not shown here.
    var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
    identity.AddClaim(new Claim(ClaimTypes.Name, user));
    identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userIdentity.Id));
    AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
    // The token is valid for 30 minutes from the time of issue
    var currentUtc = new SystemClock().UtcNow;
    ticket.Properties.IssuedUtc = currentUtc;
    ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));
    // Protect() serializes and encrypts the ticket into the bearer token string
    string accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
    return accessToken;