May 31, 2017
(3 votes)

Securing Web API Endpoints with Owin + Oauth 2.0, Part II

To recap Part I of this series, I showed you how you can configure ASP.NET Identity and Owin/Oauth to authenticate/authorize your Web API endpoints. Now, let's say you don't want to maintain different sets of user name/password combinations in a separate data store. Instead, ideally, you would like to maintain this information in Azure Active Directory Domain Services. If this is you, you're in luck. Here's another step-by-step guide on how I configured Azure AD with OWIN inside of Episerver. This set up assumes you are making server-server authentication calls. Disclaimer: I ran this POC on Episerver 10.8.0, so later versions should work with this configuration. Unfortunately, I'm not sure if earlier versions will be compatible:

  1. First, you will need to ensure Azure Active Directory is enabled in your subscription. Here's a link on how to do this.
  2. Next, you will need to create 2 apps, one for the Web API and one for the client. Here's a link on how to do this. You can follow steps 1 & 3 in the link (I will explain step 2 from the link next).
  3. Next, you will need to modify the Startup.cs file to use Azure Active Directory as the Authentication provider. Below you will find the code. Essentially, the Windows Active Directory options (WindowsAzureActiveDirectoryBearerAuthenticationOptions) will look at the credentials passed in from the request and will respond back with an Oauth 2.0 token, if the credentials are correct. The options class will need to be initialized with the Web API App's App URI ID (Audience) and Active Directory Name (Tenant).
    public class Startup
            public void Configuration(IAppBuilder app)
                var config = new HttpConfiguration();
            private void ConfigureAzureADAuth(IAppBuilder app)
                    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                        Audience = ConfigurationManager.AppSettings["ida:Audience"],
                        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                        AuthenticationType = "OAuth2Bearer",
  4. Next, create a console application project and give it a name. This console application will be used as our client to test the configuration.
  5. Next, ensure that the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package is installed.
  6. In the Main method, add the following code from below:
    • The code first creates an authentication context to your Active Directory Domain. The pattern for the URL used is[Azure AD Domain Name].
    • Next, you will need to enter the client app's Application ID and Key of the client application created in Step 2 as ClientCredentials. The key will be created under Keys in the client application.
    • Next, you will need to acquire a token by sending the ClientCredentials to the Web API's App URI ID.
    • After you send the ClientCredentials to the Web API's App URI ID, Azure AD will send you back an Oauth 2.0 Bearer token to use. Now, you can call the GetListOfNumbers endpoint with that token.
      • Code
        class Program
                static void Main(string[] args)
                static void ADAzureAuthStuff()
                    AuthenticationContext ac =
                        new AuthenticationContext("[Azure AD Domain Name goes here]"); //Leaf node is Azure AD Domain name
                    var clientCredentials = new ClientCredential("[Client Application ID goes here", "[Client Application Key goes here]"); //first parameter: Application ID, //Second Parameter is a key configured in the client application
                    AuthenticationResult ar =
                        ac.AcquireTokenAsync("[Web API App's App URI ID goes here]", //This parameter is the Web API App's Application ID URI
                    string result = string.Empty;
                    HttpClient httpClient = new HttpClient();
                    httpClient.DefaultRequestHeaders.Authorization =
                        new AuthenticationHeaderValue("Bearer", ar.AccessToken);
                    HttpResponseMessage response =
                    if (response.IsSuccessStatusCode)
                        result = response.Content.ReadAsStringAsync().Result;
      • Screenshots of running code

        Token after targeting my Active Directory Domain and sending ClientCredentials to the Web API App's Applicaton ID URI

        Success Status


There you have it - you now have two different ways on how to secure your Web API endpoints using OWIN, at least in a server-server authentication capacity. I'm sure you are wondering - well, can I use OWIN to handle my authentication for content editors/admins and customers? Of course you can! Here are some Episerver documentation on how to do this:

From there, you can definitely mix and match how you want users to authenticate to your Episerver's back-end, customer portal, and Web API endpoints.

Happy coding!

May 31, 2017


Please login to comment.
Latest blogs
The 1001st Piece in your 1000 Piece Puzzle: .NET Default Interface Functions

I was recently working with a client who wanted a reasonably large subsystem added to Optimizely that would add automated management to their...

Greg J | Nov 28, 2022 | Syndicated blog

Video Demonstration, creating a CMS12 Alloy Sample Site

Hey All Below you will find a quick video demonstration on how to install a local version of Alloy Sample based on CMS12 / .Net 6. As you will see ...

Minesh Shah (Netcel) | Nov 28, 2022

How to create an admin user I Optimizely CMS – with Episerver CLI

In this blog post I’ll show how to create an admin user for Optimizely CMS in a new environment where you don’t have access to the admin interface.

Ove Lartelius | Nov 28, 2022 | Syndicated blog

Optimizely shortcuts in CMS 12 will get a trailing slash appended!

Not all URLs will work when the trailing slash is added, and that could cause problems. Hopefully it will be fixed soon.

Tomas Hensrud Gulla | Nov 26, 2022 | Syndicated blog