Try our conversational search powered by Generative AI!

May 31, 2017
(3 votes)

Securing Web API Endpoints with Owin + Oauth 2.0, Part II

To recap Part I of this series, I showed you how you can configure ASP.NET Identity and Owin/Oauth to authenticate/authorize your Web API endpoints. Now, let's say you don't want to maintain different sets of user name/password combinations in a separate data store. Instead, ideally, you would like to maintain this information in Azure Active Directory Domain Services. If this is you, you're in luck. Here's another step-by-step guide on how I configured Azure AD with OWIN inside of Episerver. This set up assumes you are making server-server authentication calls. Disclaimer: I ran this POC on Episerver 10.8.0, so later versions should work with this configuration. Unfortunately, I'm not sure if earlier versions will be compatible:

  1. First, you will need to ensure Azure Active Directory is enabled in your subscription. Here's a link on how to do this.
  2. Next, you will need to create 2 apps, one for the Web API and one for the client. Here's a link on how to do this. You can follow steps 1 & 3 in the link (I will explain step 2 from the link next).
  3. Next, you will need to modify the Startup.cs file to use Azure Active Directory as the Authentication provider. Below you will find the code. Essentially, the Windows Active Directory options (WindowsAzureActiveDirectoryBearerAuthenticationOptions) will look at the credentials passed in from the request and will respond back with an Oauth 2.0 token, if the credentials are correct. The options class will need to be initialized with the Web API App's App URI ID (Audience) and Active Directory Name (Tenant).
    public class Startup
            public void Configuration(IAppBuilder app)
                var config = new HttpConfiguration();
            private void ConfigureAzureADAuth(IAppBuilder app)
                    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                        Audience = ConfigurationManager.AppSettings["ida:Audience"],
                        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                        AuthenticationType = "OAuth2Bearer",
  4. Next, create a console application project and give it a name. This console application will be used as our client to test the configuration.
  5. Next, ensure that the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package is installed.
  6. In the Main method, add the following code from below:
    • The code first creates an authentication context to your Active Directory Domain. The pattern for the URL used is[Azure AD Domain Name].
    • Next, you will need to enter the client app's Application ID and Key of the client application created in Step 2 as ClientCredentials. The key will be created under Keys in the client application.
    • Next, you will need to acquire a token by sending the ClientCredentials to the Web API's App URI ID.
    • After you send the ClientCredentials to the Web API's App URI ID, Azure AD will send you back an Oauth 2.0 Bearer token to use. Now, you can call the GetListOfNumbers endpoint with that token.
      • Code
        class Program
                static void Main(string[] args)
                static void ADAzureAuthStuff()
                    AuthenticationContext ac =
                        new AuthenticationContext("[Azure AD Domain Name goes here]"); //Leaf node is Azure AD Domain name
                    var clientCredentials = new ClientCredential("[Client Application ID goes here", "[Client Application Key goes here]"); //first parameter: Application ID, //Second Parameter is a key configured in the client application
                    AuthenticationResult ar =
                        ac.AcquireTokenAsync("[Web API App's App URI ID goes here]", //This parameter is the Web API App's Application ID URI
                    string result = string.Empty;
                    HttpClient httpClient = new HttpClient();
                    httpClient.DefaultRequestHeaders.Authorization =
                        new AuthenticationHeaderValue("Bearer", ar.AccessToken);
                    HttpResponseMessage response =
                    if (response.IsSuccessStatusCode)
                        result = response.Content.ReadAsStringAsync().Result;
      • Screenshots of running code

        Token after targeting my Active Directory Domain and sending ClientCredentials to the Web API App's Applicaton ID URI

        Success Status


There you have it - you now have two different ways on how to secure your Web API endpoints using OWIN, at least in a server-server authentication capacity. I'm sure you are wondering - well, can I use OWIN to handle my authentication for content editors/admins and customers? Of course you can! Here are some Episerver documentation on how to do this:

From there, you can definitely mix and match how you want users to authenticate to your Episerver's back-end, customer portal, and Web API endpoints.

Happy coding!

May 31, 2017


Please login to comment.
Latest blogs
From Procrastination to Proficiency: Navigating Your Journey to Web Experimentation Certification

Hey there, Optimizely enthusiasts!   Join me in celebrating a milestone – I'm officially a certified web experimentation expert! It's an exhilarati...

Silvio Pacitto | May 17, 2024

GPT-4o Now Available for Optimizely via the AI-Assistant plugin!

I am excited to announce that GPT-4o is now available for Optimizely users through the Epicweb AI-Assistant integration. This means you can leverag...

Luc Gosso (MVP) | May 17, 2024 | Syndicated blog

The downside of being too fast

Today when I was tracking down some changes, I came across this commit comment Who wrote this? Me, almost 5 years ago. I did have a chuckle in my...

Quan Mai | May 17, 2024 | Syndicated blog

Optimizely Forms: Safeguarding Your Data

With the rise of cyber threats and privacy concerns, safeguarding sensitive information has become a top priority for businesses across all...

K Khan | May 16, 2024

The Experimentation Process

This blog is part of the series -   Unlocking the Power of Experimentation: A Marketer's Insight. Welcome back, to another insightful journey into...

Holly Quilter | May 16, 2024

Azure AI Language – Sentiment Analysis in Optimizely CMS

In the following article, I showcase how sentiment analysis, which is part of the Azure AI Language service, can be used to detect the sentiment of...

Anil Patel | May 15, 2024 | Syndicated blog