I have a Web API project which provides access only to authorized users based on roles. We plan to scale to multiple such API projects in the near future which will use the same authorization token. What I am doing is using a separate project which authenticates the user (using Facebook, Google, Active Directory or any other authentication provider) and then generates an authorization token which is consumed by all the API servers. To enable decryption of the token, I am sharing the machine key via web.config among all the applications. This works fine. Now I would like to change the MachineKey every once in a while and share it among all the applications that utilize the authorization token.
My idea is to separate out the authorization project from my Web API projects so that I don't implement an authentication system within all the Web API projects. Any pointers would be very helpful.
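The difficulty with a single shared machineKey is that the moment it changes, every token the old key protected stops validating on every API host at once. The usual way around that is a key ring: tokens name the key that produced them, the auth server always signs with the newest key, and the API hosts keep retired keys just long enough for the last token they signed to expire. The following is an added example of that scheme, written in Python as a stand-in for the ASP.NET setup; it is not code from the question or the answer, and the token format, the key-id header, the JSON export and the one-hour token lifetime are all assumptions made for the illustration.

```python
"""Added example (not from the question or the answer): HMAC-signed tokens
protected by a rotating key ring instead of a single shared machineKey.
The auth server calls issue(), every API host calls verify(), and all of them
load the same ring document (to_json/from_json) the way the question shares
the machineKey through web.config. Names and formats are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_LIFETIME = 3600  # seconds; assumed. A retired key must be kept at least this long.


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Shared secret material: one current signing key plus retired keys that
    may still validate tokens issued before the last rotation."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so rotation can be tested
        self.keys = {}              # kid -> {"secret": bytes, "retired_at": float | None}
        self.current_kid = None

    def rotate(self) -> str:
        """Install a fresh signing key. The previous key stays usable for
        verification until every token it could have signed has expired."""
        now = self.clock()
        if self.current_kid is not None:
            self.keys[self.current_kid]["retired_at"] = now
        kid = secrets.token_hex(4)
        self.keys[kid] = {"secret": secrets.token_bytes(32), "retired_at": None}
        self.current_kid = kid
        # Purge keys whose last possible token has already expired.
        for old_kid, entry in list(self.keys.items()):
            retired = entry["retired_at"]
            if retired is not None and retired + TOKEN_LIFETIME <= now:
                del self.keys[old_kid]
        return kid

    def to_json(self) -> str:
        """Export the ring so every API host can load identical key material."""
        return json.dumps({
            "current": self.current_kid,
            "keys": {k: {"secret": b64u(v["secret"]), "retired_at": v["retired_at"]}
                     for k, v in self.keys.items()},
        })

    @classmethod
    def from_json(cls, text: str, clock=time.time) -> "KeyRing":
        doc = json.loads(text)
        ring = cls(clock)
        ring.current_kid = doc["current"]
        ring.keys = {k: {"secret": b64u_decode(v["secret"]), "retired_at": v["retired_at"]}
                     for k, v in doc["keys"].items()}
        return ring

    def _sign(self, kid: str, signing_input: bytes) -> bytes:
        return hmac.new(self.keys[kid]["secret"], signing_input, hashlib.sha256).digest()

    def issue(self, claims: dict) -> str:
        """Auth-server side: stamp an expiry and sign with the current key.
        The header carries the key id so verifiers know which key to use."""
        header = b64u(json.dumps({"kid": self.current_kid}).encode())
        body = dict(claims, exp=int(self.clock()) + TOKEN_LIFETIME)
        payload = b64u(json.dumps(body).encode())
        signature = self._sign(self.current_kid, f"{header}.{payload}".encode("ascii"))
        return f"{header}.{payload}.{b64u(signature)}"

    def verify(self, token: str) -> dict:
        """API-host side: accept any key still in the ring, check the MAC in
        constant time, then check expiry. Raises ValueError when rejected."""
        try:
            header, payload, sig = token.split(".")
            kid = json.loads(b64u_decode(header))["kid"]
        except (ValueError, KeyError):
            raise ValueError("malformed token")
        if kid not in self.keys:
            raise ValueError("unknown key id")
        expected = self._sign(kid, f"{header}.{payload}".encode("ascii"))
        if not hmac.compare_digest(expected, b64u_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64u_decode(payload))
        if claims["exp"] <= self.clock():
            raise ValueError("token expired")
        return claims


def verify_error(ring: KeyRing, token: str):
    """Return the rejection reason, or None when the token is accepted."""
    try:
        ring.verify(token)
    except ValueError as exc:
        return str(exc)
    return None
```

Rotation then becomes a two-step process: publish the ring with the new key added (old tokens keep working), and let the purge drop the old key once nothing it signed can still be live. Copying the ring document to each host is the same distribution problem the question already solves for the machineKey; the difference is that a rotation no longer logs every user out of every API at the same instant.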
Extend the implementation shown in the following Stack Overflow answer to meet your requirements. I will update the code in a couple of days on how you can achieve this.