Passing and verifying the OWIN Bearer token in Query String in WebAPI

Question

Short Version: I need to pass and verify the OWIN bearing token as a query parameter rather than in the request header.

How do I then get the method to authorized based on that token string?

Background: I want to call a webapi method to download a file as a stream (and never want the user to download it from a known file location).

I can't get this to work if I also need to set a custom Request header i.e. the bearer token.

I should be able to pass the token in the query string - but don't know how to get that token to then authenticate the user.

Do I need to filter? Do I need a special claim etc? Does the webapi method need to include "access_token" as one of the function parameters?

Dunc Dunc · Accepted Answer · 2014-08-27T11:02:33

For completeness, here's another neat solution.

Extract:

app.Use(async (context, next) =>
{
    if (context.Request.QueryString.HasValue)
    {
        if (string.IsNullOrWhiteSpace(context.Request.Headers.Get("Authorization")))
        {
            var queryString = HttpUtility.ParseQueryString(context.Request.QueryString.Value);
            string token = queryString.Get("access_token");

            if (!string.IsNullOrWhiteSpace(token))
            {
                context.Request.Headers.Add("Authorization", new[] { string.Format("Bearer {0}", token) });
            }
        }
    }

    await next.Invoke();
});

Passing and verifying the OWIN Bearer token in Query String in WebAPI

3 Answers