Owin-Authorization | .Net Core's policy based authorization | Authorization library
kandi X-RAY | Owin-Authorization Summary
Backport of Asp.Net core's policy based authorization to Asp.Net 4
Community Discussions
Trending Discussions on Owin-Authorization
QUESTION
I have separated the Authorisation server and the resource server. I'm able to validate the client and the resource owner in the Authorisation server and generate an access token. But how do I pass it to the resource server? I passed it in the header but I still get "Authorization has been denied for this request".
I followed this http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/
and gave the same MachineKey for both servers but no luck. Does anyone know how this works? How do the Auth server and the resource server communicate with each other?
ANSWER
Answered 2017-Apr-11 at 15:44
I found what was wrong. The Security.OAuth NuGet package has to match on both projects, i.e. the version number. So I installed the same version for both projects.
QUESTION
I followed this article to get JWTs issued from .Net Web API http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
TL;DR
How can I add additional logic to the Authorize attribute to check a database table against a specific claim within the JWT, perhaps within JwtBearerAuthenticationOptions?
Longer version...
It's working fine for generating the JWT and also validating it when firing a request against a controller including the Authorization header...
Basically, what the article doesn't go into is Revocation...
After a lot of googling I see there are several ways of handling Revocation with JWTs.
I have chosen the 'Whitelist' route and so have created a table to store the UserId, ClientId (Audience) and a column containing a JTI value (GUID).
Basically, I want to add additional logic to the [Authorize] attribute to also check this table for a matching JTI for the given User and ClientId...
Is this doable without having to write a custom 'JWTAuthorize' Attribute as I would quite like to use the default...
I suspect it's something that needs specifying within JwtBearerAuthenticationOptions?
Cheers!
ANSWER
Answered 2018-Sep-04 at 09:25
I've managed to get this working using a custom provider on the JwtBearerAuthenticationOptions.
The provider inherits from IOAuthBearerAuthenticationProvider and then I specifically use the ValidateIdentity method to handle the additional logic.
QUESTION
I tried to implement OAuth2 authentication and authorization. I have an authorization server and a resource server. The client logs in to the authorization server (sends the username and password to the authorization server) and the authorization server returns an access_token. The client uses the access_token in order to ask for any resource with an [Authorize] tag from the resource_server.
The authentication part (sending credentials to the authorization server and getting back an access_token) works fine. I get a valid JWT token. The problem is that the resource server does not recognize the access_token. Every time the client sends a request to get a resource that has an [Authorize] tag I get: '401 Unauthorized Authorization has been denied for this request'.
This is a list of things I tried/verified:
- I checked for Microsoft.Owin.Security.OAuth to be the exact same version on both resource and authorization server (version 2.1.0)
- I checked for the client_id and secret to be the exact same version on both resource and authorization server
- I made sure that there is the exact same machine key on both resource and authorization server (same values in web.config files and in iis)
- I checked for iis to have anonymous authentication enabled (and any other form of authentication disabled)
- I have CORS enabled everywhere
- Both servers are on the same machine.
- I verified the request to the resource server and the token is sent in the Authorization header like this:
Authorization:JWT eyJ0eXAiO.......JuRpuf6yWg
- I sent the same request with postman, but I get the same response
My implementation is based on these two tutorials:
- http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/
- http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
This is the Startup.cs class in my resource server:
ANSWER
Answered 2017-Jun-11 at 15:40
[SOLVED]: It should be Authorization:Bearer eyJ0eXAiO.......JuRpuf6yWg
(Bearer NOT JWT!)
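The three threads above share one root: the resource server only accepts a token when its Katana JWT bearer middleware is configured with exactly the issuer, audience and signing secret the authorization server uses (and the same Microsoft.Owin.Security.* package versions, as the first answer found), the header carries the `Bearer` scheme (third answer), and any extra revocation logic lives in an `IOAuthBearerAuthenticationProvider` whose `ValidateIdentity` runs after signature checks (second answer). The following resource-server `Startup` is an added example written for this page; it is not code from the kandi page, the Owin-Authorization project or any of the posters. It assumes Katana 3.x (`Microsoft.Owin.Security.Jwt`), and the names `ResourceServer`, `IJtiWhitelist`, `InMemoryJtiWhitelist`, `JtiWhitelistProvider`, the placeholder issuer/audience/secret values and the claim-type mapping noted in the comments are all assumptions.

```csharp
// Added example, not from the page, the project or the Stack Overflow posters.
// Assumes Katana 3.x packages: Microsoft.Owin.Security.Jwt / .OAuth.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ResourceServer.Startup))]

namespace ResourceServer
{
    // Hypothetical abstraction over the UserId / ClientId / JTI whitelist table.
    public interface IJtiWhitelist
    {
        Task<bool> IsActiveAsync(string userId, string clientId, string jti);
    }

    // Constructed in-memory stand-in for that table, for demonstration only.
    public sealed class InMemoryJtiWhitelist : IJtiWhitelist
    {
        private readonly HashSet<string> _rows = new HashSet<string>(StringComparer.Ordinal);

        public void Add(string userId, string clientId, string jti) =>
            _rows.Add(userId + "|" + clientId + "|" + jti);

        public Task<bool> IsActiveAsync(string userId, string clientId, string jti) =>
            Task.FromResult(_rows.Contains(userId + "|" + clientId + "|" + jti));
    }

    // Custom provider: the middleware has already verified signature, issuer,
    // audience and expiry before ValidateIdentity is called.
    public sealed class JtiWhitelistProvider : IOAuthBearerAuthenticationProvider
    {
        private readonly IJtiWhitelist _whitelist;

        public JtiWhitelistProvider(IJtiWhitelist whitelist) { _whitelist = whitelist; }

        // Leaving context.Token unset keeps the default extraction, which only
        // reads "Authorization: Bearer <token>"; "Authorization: JWT <token>" is ignored.
        public Task RequestToken(OAuthRequestTokenContext context) => Task.FromResult(0);

        public async Task ValidateIdentity(OAuthValidateIdentityContext context)
        {
            ClaimsIdentity identity = context.Ticket.Identity;
            // Assumed claim mapping: "jti" and "aud" pass through unchanged from the
            // JWT; the subject is assumed to surface as ClaimTypes.NameIdentifier.
            string jti = identity.FindFirst("jti")?.Value;
            string clientId = identity.FindFirst("aud")?.Value;
            string userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;

            if (jti == null || clientId == null || userId == null ||
                !await _whitelist.IsActiveAsync(userId, clientId, jti))
            {
                // Rejecting here makes [Authorize] return 401 even for a validly signed token.
                context.SetError("invalid_token", "Token is revoked or not whitelisted.");
                context.Rejected();
                return;
            }
            context.Validated();
        }

        public Task ApplyChallenge(OAuthChallengeContext context) => Task.FromResult(0);
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Placeholder values: they must be byte-for-byte identical to what the
            // authorization server signs with, on the same package versions.
            const string issuer = "http://auth.example.test";      // placeholder
            const string audienceId = "resource-api-client-id";     // placeholder
            byte[] audienceSecret = Encoding.UTF8.GetBytes("placeholder-shared-secret-32-bytes!");

            var whitelist = new InMemoryJtiWhitelist();
            // Constructed sample row; the auth server would insert one per issued token.
            whitelist.Add("user-42", audienceId, "constructed-jti-0001");

            app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audienceId },
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
                },
                Provider = new JtiWhitelistProvider(whitelist)
            });
        }
    }
}
```

With this wiring a request carrying `Authorization: Bearer <token>` whose `jti` row is absent from the whitelist is rejected with 401 even though the signature is valid, which is the revocation behaviour the second question asked for without replacing the stock `[Authorize]` attribute. Deleting the whitelist row is the revocation operation; the provider runs on every request, so the lookup should be indexed on (UserId, ClientId, JTI).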
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported