The Katana Access Token Validation Middleware

Consuming IdentityServer access tokens in web APIs is easy - you simply drop in our token validation middleware into your Katana pipeline and set the URL to IdentityServer. All configuration and validation is done for you.

You can get the middleware here: nuget or source code.

High level features:

The typical use case is, that you provide the URL to IdentityServer and the scope name of the API:

public class Startup
    public void Configuration(IAppBuilder app)
        // turn off any default mapping on the JWT handler
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
                Authority = "https://localhost:44333/core",
                RequiredScopes = new[] { "api1" }


The middleware will first inspect the token - if it is a JWT, token validation will be done locally (using the issuer name and key material found in the discovery document). If the token is a reference token, the middleware will use the access token validation endpoint on IdentityServer (or the introspection endpoint is credentials are configured).