Protecting Web API 2.2 with IdentityServer4

Question

I have Web API 2.2 which uses .Net 4.5.2 framework which is being used by angular2 application and there is existing IdentityServer4 implementation. I want to protect my Web API using IdentityServer4. My question is can I protect Web API 2.2 using IdentityServer4? If yes then I have two follow up questions

1. Should I use IdentityServer3.AccessTokenValidation nuget package or I will have to use IdentityServer4.AccessTokenValidation? (I tried using IdentityServer4.AccessTokenValidation package however its adding many dependencies related to ASP.Net Core)
2. What should be value of Authority URL I will have to use?

I could find many examples where IdentityServer4 is being used to protect ASP.Net Core Web APIs. However couldn't find good example where Web API 2.2 protected using IdentityServer4. If possible please point me to good example of identityserver configuration that is required on Web API side.

Answer 1

After 2017 IdentityServer3.AccessTokenValidation stays frozen while Microsoft refactored their Owin and Identity libs, so the preferred solution for ASP.NET 4.6+ becomes IdentityServer3.Contrib.AccessTokenValidation -- a fork, refactored according to the recent framework changes.

Answer 2

To answer your questions:

1) Your WebApi 2.2 project is undoubtedly using OWIN/Katana from ASP.NET 4.x which means you should to use IdentityServer3.AccessTokenValidation. IdentityServer4.AccessTokenValidation is compatible with the new ASP.NET MVC Core pipeline.

2) You can get your authority by going to your identity providers discovery document at {IdentityUrl}/.well-known/openid-configuration. The authority should be the same one as the "issuer" value in the discovery document. You can also get the authority by looking at a JWT issued by your identity provider by looking at the "iss" claim.