IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

Access token validation with legacy IIS hosted web API #68

Closed akshetty9 closed 7 years ago

akshetty9 commented 7 years ago

Question: Is there a way to use this middleware with a legacy IIS-hosted, non-OWIN-style API? I need to handle both JWT and reference tokens, so I'm trying to find out if we can reuse this before writing custom code.

cormacrelf commented 7 years ago

This is mainly a wrapper library. It does little except run requests through other middlewares.

To do this with legacy ASP.NET, you could try using an HttpModule that verifies JWTs in your Authorization headers: https://weblogs.asp.net/imranbaloch/aspnet-webforms-identityserver3

And then, in that module, replicate the JWT vs access token logic (i.e. token.Contains(".")) and either verify it using plain System.IdentityModel.Tokens.Jwt as in that example, or do the same thing that the ASP.NET Core OAuth2Introspection middleware does. Basically rewrite this code as an HttpModule without the ASP.NET Core stuff. You could use a System.Runtime.MemoryCache and you'd be halfway there.

If you really wanted to save yourself the effort, you would probably just relax the requirement for reference tokens and use plain JWTs. If the reference token requirement comes from a different part of your application, use reference tokens there, and request a plain token from IdentityServer for when you need to access legacy code.

leastprivilege commented 7 years ago

In pre-OWIN you would write an HttpModule. You could use the JwtSecurityTokenHandler library from MS in there - but this has a .NET 4.5 minimum requirement.
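
The HttpModule approach described in the two replies above, sketched as an added example that is not code from this thread or from the IdentityServer project: tokens containing a dot go to JwtSecurityTokenHandler, everything else goes to the introspection endpoint with a short-lived MemoryCache entry. The module name, authority URL, API name and secret, certificate path and one-minute cache lifetime are assumptions, as is the use of the System.IdentityModel.Tokens.Jwt 5.x package and System.Runtime.Caching.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Runtime.Caching;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;
using Microsoft.IdentityModel.Tokens;
public class BearerTokenModule : IHttpModule {  // hypothetical name
    // Assumed placeholders: authority, API name and secret, signing certificate path.
    const string Authority = "https://identity.example.com", Api = "legacy-api", Secret = "REPLACE_ME";
    static readonly HttpClient Http = new HttpClient();
    static readonly TokenValidationParameters JwtParams = new TokenValidationParameters {
        ValidIssuer = Authority, ValidAudience = Api,
        IssuerSigningKey = new X509SecurityKey(new X509Certificate2(@"C:\keys\idsrv-signing.cer")) };
    public void Dispose() { }
    public void Init(HttpApplication app) { app.AuthenticateRequest += (s, e) => Authenticate(app.Context); }
    static void Authenticate(HttpContext ctx) {
        var header = ctx.Request.Headers["Authorization"] ?? "";
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return;
        var token = header.Substring(7).Trim();
        // JWTs contain dots, reference tokens do not. Any failure leaves the request anonymous.
        try { ctx.User = token.Contains(".") ? ValidateJwt(token) : Introspect(token); }
        catch (Exception) { }
    }
    static ClaimsPrincipal ValidateJwt(string jwt) {  // checks signature, issuer, audience, lifetime
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, JwtParams, out validated);
    }
    static ClaimsPrincipal Introspect(string token) {
        var cached = MemoryCache.Default.Get(token) as ClaimsPrincipal;
        if (cached != null) return cached;
        var req = new HttpRequestMessage(HttpMethod.Post, Authority + "/connect/introspect") {
            Content = new FormUrlEncodedContent(new Dictionary<string, string> { { "token", token } }) };
        req.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(Api + ":" + Secret)));
        var json = Http.SendAsync(req).Result.EnsureSuccessStatusCode().Content.ReadAsStringAsync().Result;
        var fields = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
        object active;  // the response must carry "active": true, otherwise reject
        if (!fields.TryGetValue("active", out active) || !true.Equals(active)) throw new SecurityTokenException("inactive");
        var id = new ClaimsIdentity("Introspection");
        foreach (var f in fields) if (f.Value is string) id.AddClaim(new Claim(f.Key, (string)f.Value));
        var principal = new ClaimsPrincipal(id);
        // Short TTL: a revoked token is still accepted until its cache entry expires.
        MemoryCache.Default.Set(token, principal, DateTimeOffset.UtcNow.AddMinutes(1));
        return principal;
    }
}
```

The module only establishes the principal; requests with a missing or rejected token stay anonymous, so the API's own authorization rules still have to deny them.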