@manhng

Welcome to my blog!

IdentityServer3

February 1, 2018 00:07

Remember:

  • ASP.NET MVC 5 Web API ~ IdentityServer3, OWIN
  • ASP.NET MVC 6 Web API ~ IdentityServer4

Database samples

Chinook is a good name choice for a database that intends to be an alternative to Northwind.

Sample database for SQL Server, Oracle, MySQL, PostgreSQL, SQLite, DB2

Chinook Database

See also Chinook Database Schema

https://archive.codeplex.com/?p=chinookdatabase

Code Samples

https://www.codeproject.com/Articles/1163131/IdentityServer-WebAPI-MVC-ASP-NET-Identity-Specflo

https://github.com/IdentityModel/Thinktecture.IdentityModel/tree/master/samples/OWIN/ResourceAuthorization

https://leastprivilege.com/2014/06/24/resourceaction-based-authorization-for-owin-and-mvc-and-web-api/

https://leastprivilege.com/2014/02/14/workshop-identity-access-control-for-modern-web-applications-and-apis/

Security for ASP.NET MVC 5, WebForms and Web API 2.2

https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html

https://github.com/IdentityServer/IdentityServer3.Samples

https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients

https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/MVC%20Authentication

Protecting Web API 2.2 with IdentityServer4

https://stackoverflow.com/questions/41024075/protecting-web-api-2-2-with-identityserver4

I have a Web API 2.2 project which uses the .NET 4.5.2 framework, which is being used by an Angular 2 application, and there is an existing IdentityServer4 implementation. I want to protect my Web API using IdentityServer4. My question is: can I protect Web API 2.2 using IdentityServer4? If yes, then I have two follow-up questions:

  1. Should I use the IdentityServer3.AccessTokenValidation NuGet package, or will I have to use IdentityServer4.AccessTokenValidation? (I tried using the IdentityServer4.AccessTokenValidation package; however, it's adding many dependencies related to ASP.NET Core.)
  2. What should be the value of the Authority URL I will have to use?

I could find many examples where IdentityServer4 is being used to protect ASP.NET Core Web APIs. However, I couldn't find a good example where Web API 2.2 is protected using IdentityServer4. If possible, please point me to a good example of the IdentityServer configuration that is required on the Web API side.

To answer your questions:

1) Your WebApi 2.2 project is undoubtedly using OWIN/Katana from ASP.NET 4.x, which means you should use IdentityServer3.AccessTokenValidation. IdentityServer4.AccessTokenValidation is compatible with the new ASP.NET MVC Core pipeline.

2) You can get your authority by going to your identity provider's discovery document at {IdentityUrl}/.well-known/openid-configuration. The authority should be the same one as the "issuer" value in the discovery document. You can also get the authority by looking at a JWT issued by your identity provider by looking at the "iss" claim.
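The Web API side of the setup described in the answer, as an added example that is not part of the original question or answer. It assumes the IdentityServer4 instance issues JWT access tokens; the `SampleApi` namespace, the `https://identity.example.com` authority and the `api1` scope are placeholders.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Owin;

[assembly: OwinStartup(typeof(SampleApi.Startup))]

namespace SampleApi // hypothetical project name
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseIdentityServerBearerTokenAuthentication(
                new IdentityServerBearerTokenAuthenticationOptions
                {
                    // Placeholder: use the "issuer" value from
                    // {IdentityUrl}/.well-known/openid-configuration.
                    Authority = "https://identity.example.com",
                    // Validate JWTs locally with the signing keys from discovery.
                    ValidationMode = ValidationMode.Local,
                    // Assumed scope name; tokens without it are rejected.
                    RequiredScopes = new[] { "api1" }
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            // Require an authenticated caller on every action by default.
            config.Filters.Add(new AuthorizeAttribute());
            app.UseWebApi(config);
        }
    }

    public class IdentityController : ApiController
    {
        // Echoes the validated token's claims so "iss" and "scope" can be checked.
        [Route("identity")]
        public IHttpActionResult Get()
        {
            var principal = (ClaimsPrincipal)User;
            return Ok(principal.Claims.Select(c => new { c.Type, c.Value }));
        }
    }
}
```

Calling `GET /identity` with a bearer token shows which issuer and scopes the middleware accepted, which helps confirm the `Authority` value matches the token's "iss" claim.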
