NET; the reason for doing so is that we'll configure the server to issue OAuth bearer tokens using Owin middleware too, so setting up everything on the same pipeline is the better approach. We'll use the ASP.NET Identity system, which is built on top of Owin middleware, to register new users and validate their credentials before generating the tokens. As I mentioned before, our back-end API should accept requests coming from any origin, not only our front-end, so we'll be enabling CORS (Cross Origin Resource Sharing) in Web API as well as for the OAuth bearer token provider.
In our case I've identified two client types: JavaScript (non-confidential) and native (confidential). Confidential means the client can store the client secret in a confidential way (valid for desktop apps, mobile apps, and server-side web apps), so any request coming from such a client asking for an access token should include the client id and secret.
You can check the demo application, play with the back-end API for learning purposes, and check the source code on GitHub.
Before starting the implementation I would like to discuss when and how refresh tokens should be used, and what database structure is needed to implement a complete solution.
In my own opinion there are three main benefits to using refresh tokens, which are:
In order to use refresh tokens we need to bind each refresh token to a Client. A Client means the application that is attempting to communicate with the back-end API, so you can think of it as the software used to obtain the token.
Each Client should have a Client Id and Secret; usually we obtain the Client Id/Secret once we register the application with the back-end API.
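The following C# snippet is an added example, not code from the original post or its GitHub project, showing how the confidential/non-confidential client split and the per-client CORS header described above can be enforced in an Owin `OAuthAuthorizationServerProvider`. The `Client` class, `ApplicationTypes` enum, `IClientRepository` interface and the `as:clientAllowedOrigin` / `as:clientRefreshTokenLifeTime` keys are assumptions made for this example; `OAuthAuthorizationServerProvider` and its context methods are the real `Microsoft.Owin.Security.OAuth` API.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Assumed model: each registered Client carries its type, hashed secret and CORS origin.
public enum ApplicationTypes { JavaScript = 0, NativeConfidential = 1 }

public class Client
{
    public string Id { get; set; }
    public string Secret { get; set; }            // stored as a hash, never plain text
    public ApplicationTypes ApplicationType { get; set; }
    public bool Active { get; set; }
    public string AllowedOrigin { get; set; }     // origin allowed to call the token endpoint
    public int RefreshTokenLifeTime { get; set; } // minutes; used when issuing refresh tokens
}

public interface IClientRepository { Client FindClient(string clientId); } // assumed abstraction

public static class Helper
{
    public static string GetHash(string input)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(input)));
    }

    // Constant-time comparison so a wrong secret does not leak timing information.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IClientRepository _clients;
    public SimpleAuthorizationServerProvider(IClientRepository clients) { _clients = clients; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;

        // Credentials may arrive as an Authorization: Basic header or as form fields.
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);

        if (context.ClientId == null)
        {
            context.SetError("invalid_clientId", "ClientId should be sent.");
            return Task.FromResult<object>(null);
        }

        var client = _clients.FindClient(context.ClientId);
        if (client == null)
        {
            context.SetError("invalid_clientId", "Client '" + context.ClientId + "' is not registered.");
            return Task.FromResult<object>(null);
        }

        // Only confidential (native) clients are required to prove possession of the secret.
        if (client.ApplicationType == ApplicationTypes.NativeConfidential)
        {
            if (string.IsNullOrWhiteSpace(clientSecret) ||
                !Helper.FixedTimeEquals(client.Secret, Helper.GetHash(clientSecret)))
            {
                context.SetError("invalid_clientId", "Client secret is missing or invalid.");
                return Task.FromResult<object>(null);
            }
        }

        if (!client.Active)
        {
            context.SetError("invalid_clientId", "Client is inactive.");
            return Task.FromResult<object>(null);
        }

        // Stash per-client settings for later pipeline stages (grant and refresh token creation).
        context.OwinContext.Set<string>("as:clientAllowedOrigin", client.AllowedOrigin);
        context.OwinContext.Set<string>("as:clientRefreshTokenLifeTime", client.RefreshTokenLifeTime.ToString());

        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // The token endpoint is Owin middleware, not a Web API controller, so the Web API
        // CORS attribute does not cover it; emit the header for the client's registered origin.
        var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin") ?? "*";
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
        // ... validate the resource owner's username/password with ASP.NET Identity and build the ClaimsIdentity here
        return Task.FromResult<object>(null);
    }
}
```

Register the provider in the `OAuthAuthorizationServerOptions.Provider` property when wiring up `app.UseOAuthAuthorizationServer` in the Owin startup class. The point to notice is that a JavaScript client is never asked for a secret (it could not keep one), while a native client is rejected before any user credential is checked if its secret does not match the stored hash.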