Owin OAuth localhost/Token returns 404

Question

Firstly, everything works when I run it from Visual Studio using iis express.

I have an Asp.Net Web Api running Owin OAuth. This is the configuration part of my Startup class:

private static void ConfigureAuth(IAppBuilder app)
{
    var oAuthOptions = new OAuthAuthorizationServerOptions
    {
    #if DEBUG
        AllowInsecureHttp = true,
    #endif
        TokenEndpointPath = new PathString("/Token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(30),
        Provider = new ApplicationOAuthProvider()
    };

    app.UseOAuthAuthorizationServer(oAuthOptions);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}

This is the Register part of my WebApiConfig.cs

public static void Register(HttpConfiguration config)
{
    // Web API configuration and services
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

    var cors = new EnableCorsAttribute("*", "*", "*");
    config.EnableCors(cors);

    // Web API routes
    config.MapHttpAttributeRoutes();

    // OData
    var builder = new ODataConventionModelBuilder();
    builder.EntitySet<Employee>("Employee");
    config.MapODataServiceRoute(
        routeName: "ODataRoute",
        routePrefix: "odata/",
        model: builder.GetEdmModel()
    );

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
}

I have deployed this application on IIS version 8.5.* and everything works except the localhost/Token endpoint. It is a combined MVC + Web Api project.

I am using .NET v4.5 application pool (.NET CLR Version: 4.0) with integrated pipeline mode and Microsoft.Owin.Host.SystemWeb.dll is present in the bin folder.

Why do I get 404 when I make a request to the Token endpoint?

Answer 1

I had the same issue. Here is your problem:

#if DEBUG
    AllowInsecureHttp = true,
#endif

Locally (IISExpress), you're running a DEBUG build and your compiler directive sets the AllowInsecureHttp to true. This means you can ask a new OAuth token over both http and https.

Deploying to IIS means that you first do a RELEASE build. So the compiler directive omits the AllowInsecureHttp line. The property defaults to false, which means you can only get an OAuth token over https. If you try ask a token over http, the server will answer with a 404.

Answer 2

install Nuget package Microsoft.Owin.Host.SystemWeb because your handler are not registering.

if still not work then add the following handler in web.config file

  <add name="Owin" verb="" path="*" type="Microsoft.Owin.Host.SystemWeb.OwinHttpHandler, Microsoft.Owin.Host.SystemWeb"/>


</handlers>