OAuth implementation in web api

90036475 0 Reputation points
2025-03-06T15:38:41.3166667+00:00

Hi Community members,

How can I create OAuth in a Web API where validation is not in the cloud?

Developer technologies | ASP.NET | ASP.NET API

2 answers

  1. Bruce (SqlWork.com) 79,106 Reputation points Volunteer Moderator
    2025-03-06T16:34:06.73+00:00

    you need an on-prem OAuth server. While no longer free, you might be interested in IdentityServer.

    https://duendesoftware.com/products/identityserver

    you can google for webapi jwt samples, but most are not very secure.


  2. Raymond Huynh (WICLOUD CORPORATION) 620 Reputation points Microsoft External Staff
    2025-07-21T10:06:40.09+00:00

    Hello,

    To implement a self-hosted OAuth solution for your Web API, you need to create your own central identity provider. This server will handle user logins and issue security tokens that your API will trust.

    The professional standard for building this in .NET is Duende IdentityServer. It's a security-hardened framework that correctly implements the necessary protocols (OAuth 2.0 and OpenID Connect), saving you from the extreme risk of trying to build it yourself.

    Here’s a breakdown of the architecture:

    1. The IdentityServer Project

    This is a dedicated ASP.NET Core application you create. Its responsibilities are:

    • User Authentication: It hosts the login, registration, and logout pages. It connects to your user database (typically using ASP.NET Core Identity).
    • Token Issuance: After a user successfully logs in, it creates and signs a secure JSON Web Token (JWT).
    • Client & API Configuration: You define which client applications are allowed to request tokens and which APIs are protected.

    2. The Web API Project (Your "Resource Server")

    This is your existing API. You add and configure authentication middleware:

    • Token Validation: It inspects the JWT on every incoming request to ensure it was issued by your IdentityServer and hasn't expired.
    • Authorization: The [Authorize] attribute on your controllers or endpoints will grant or deny access based on the validated token. Your API doesn't need to know the user's password; it just needs to trust the token.

    3. The Client Project (e.g., a Web App, SPA, or Mobile App)

    This is the user-facing application:

    • Login Redirection: When a user needs to access a protected resource, the client redirects them to your IdentityServer's login page.
    • Token Handling: After a successful login, the IdentityServer redirects the user back to the client, providing the JWT.
    • API Requests: The client stores this token and includes it in the Authorization header of every request it makes to your Web API.

    This setup decouples authentication from your APIs, creating a more secure and maintainable system. To get started, you would follow the Duende IdentityServer quick-start guides to build the IdentityServer project first, then configure your API to use it.

    Hope this helps!
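    The resource-server side of this architecture (step 2 above), as an added example that is not part of the original answer or of Duende's own code: a minimal ASP.NET Core Program.cs that validates access tokens issued by an on-prem IdentityServer. The Authority URL, the audience/scope name api1 and the policy name ApiScope are assumed placeholders; the project is assumed to reference Microsoft.AspNetCore.Authentication.JwtBearer with implicit usings enabled.

```csharp
// Program.cs of the Web API (resource server). Added example, not the original answer's code.
// Assumptions: IdentityServer at https://localhost:5001 (placeholder), API resource/scope "api1".
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The discovery document at {Authority}/.well-known/openid-configuration supplies the
        // issuer and public signing keys, so the API never holds a shared secret.
        options.Authority = "https://localhost:5001";   // placeholder: your on-prem IdentityServer
        options.RequireHttpsMetadata = true;
        options.MapInboundClaims = false;                // keep "sub", "scope" etc. as issued
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),        // tighter than the 5-minute default
            ValidateAudience = true,
            ValidAudience = "api1",                      // reject tokens minted for other APIs
            ValidTypes = new[] { "at+jwt" },             // accept access tokens only, not id_tokens
        };
    });
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ApiScope", policy =>
    {
        policy.RequireAuthenticatedUser();
        // "scope" may arrive as one space-delimited string (RFC 9068) or as repeated claims;
        // this assertion handles both forms instead of relying on RequireClaim("scope", "api1").
        policy.RequireAssertion(ctx => ctx.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains("api1"));
    });
});
var app = builder.Build();
app.UseAuthentication();   // validates the bearer token on every request
app.UseAuthorization();    // enforces the policy attached to the endpoint
// Protected endpoint: returns the validated claims so you can see what the token carried.
app.MapGet("/identity", (ClaimsPrincipal user) =>
        user.Claims.Select(c => new { c.Type, c.Value }))
   .RequireAuthorization("ApiScope");
app.Run();
```

    A request without a bearer token, or with a token signed by another issuer, for another audience, or past its expiry, gets 401; a valid token that lacks the api1 scope gets 403.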

