I have the usual OWIN OAuth setup for my MVC WebAPI project. One of the requests from the web interface developers was to determine whether a token was rejected because it had expired or because it was simply an invalid token.
From what I can tell, by default, OAuthAuthorizationServerProvider sits in the middle and magically intercepts requests, looking at the Authorization header for the bearer token, and determines whether to authorize or send 401 / Authorization was rejected for this request.
Is it possible to configure this behavior, or is there another way to determine the reason authorization was denied?
I see that the following method exists:
    public virtual Task ValidateAuthorizeRequest(OAuthValidateAuthorizeRequestContext context);

But I'm not sure whether the default implementation is what it looks like, or whether I should go there to configure the provider to achieve what I need.
My OAuthOptions in Startup.cs:
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60),
        // Accepts authorize and token requests over plain HTTP; set to false outside development.
        AllowInsecureHttp = true
    };