I have reading and reading for months on all of this and for some reason, it's just not clicking. I have a RESTful web API written in .NET living at api.domain.com and the site, domain.com is an AngularJS SPA app.
If there is no access_token on the client (localStorage), I redirect the user to Google to authenticate via OAuth 2 and they are redirected back to a callback page where I write the access_token to local storage.
What I'm struggling with now is, when I make a call to the API and send that Bearer token, how do I get my API to recognize it and authenticate the user so that I can call Authorized methods?
I think I'm running in circles here and just need some solid direction.
Authentication Endpoint: https://accounts.google.com/o/oauth2/v2/auth
Scopes: openid profile email
Redirect (for now): http://localhost/callback.html
Web API: http://api.domain.com
Flow: Implicit Flow
SPA: http://localhost
Token Validation URI: https://www.googleapis.com/oauth2/v3/tokeninfo
User comes into http://localhost, angular app checks for access_token in local storage. If one is detected, it makes a call to token validation URI to ensure that it is valid and not expired. In angular, via http interceptor, any request that goes out that's URI is to the Web API, it sets the access_token as a bearer token on the authorization header.
What I expect to happen at this point is that any API methods I have marked as Authorize, it will now allow through with the User.Identity object now hydrated and return a 200.
This wonderful presentation located here.
And this awesome article located here.
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Paired with his most excellent sample implementation located here.
https://github.com/tjoudeh/AngularJSAuthentication
After one of the longest research efforts in my 17 year career, I found the one guy who put it all together.