ASP.NET Web Api: How to pass an access token (oAuth 2.0) using URL parameter?


Well - I agree that the header is a much better alternative - but there are of course situations where the query string is needed. The OAuth2 spec defines it as well.

Anyways - this feature is built into the Katana OAuth2 middleware:

http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/

    using System.Threading.Tasks;
    using Microsoft.Owin.Security.OAuth;

    public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider
    {
        readonly string _name;

        public QueryStringOAuthBearerProvider(string name)
        {
            _name = name;
        }

        // The bearer middleware calls this before it looks at the Authorization header;
        // if context.Token is set here, that value is validated instead.
        public override Task RequestToken(OAuthRequestTokenContext context)
        {
            var value = context.Request.Query.Get(_name);
            if (!string.IsNullOrEmpty(value))
            {
                context.Token = value;
            }
            return Task.FromResult<object>(null);
        }
    }

And then:

    using Microsoft.Owin.Security.Jwt;

    // Pass these options to app.UseJwtBearerAuthentication(...) in your Startup class.
    var options = new JwtBearerAuthenticationOptions
    {
        AllowedAudiences = new[] { audience },
        IssuerSecurityTokenProviders = new[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(
                issuer,
                signingKey)
        },
        Provider = new QueryStringOAuthBearerProvider("access_token")
    };
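
A variant of the same Katana hook, added here as an example and not part of the answer above: it leaves header-based tokens to the middleware's default handling, accepts a query-string token only on paths where a client cannot send a header (the path prefix and parameter name are assumptions), and marks the response non-cacheable as RFC 6750 section 2.3 recommends for URI-carried tokens.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class RestrictedQueryStringBearerProvider : OAuthBearerAuthenticationProvider
{
    // Assumption: only browser-driven downloads need the query-string fallback.
    private static readonly string[] AllowedPathPrefixes = { "/api/files/download" };
    private readonly string _parameterName;

    public RestrictedQueryStringBearerProvider(string parameterName = "access_token")
    {
        _parameterName = parameterName;
    }

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        // Header wins: when the client sent "Authorization: Bearer ...", leave
        // context.Token unset so the middleware reads the header as usual.
        var authorization = context.Request.Headers.Get("Authorization");
        if (!string.IsNullOrEmpty(authorization))
        {
            return Task.FromResult<object>(null);
        }

        var path = context.Request.Path.Value ?? string.Empty;
        var pathAllowed = AllowedPathPrefixes.Any(
            p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
        var token = context.Request.Query.Get(_parameterName);

        if (pathAllowed && !string.IsNullOrEmpty(token))
        {
            context.Token = token;

            // RFC 6750 section 2.3: success responses to requests that carried the
            // token in the URI should be marked Cache-Control: private; no-store is
            // added as a stricter precaution against intermediaries caching the URL.
            context.Response.Headers.Set("Cache-Control", "private, no-store");
            context.Response.Headers.Set("Pragma", "no-cache");
        }

        return Task.FromResult<object>(null);
    }
}
```

Any request to a path outside the allow list that carries only a query-string token is treated as anonymous, so the fallback cannot quietly spread to every endpoint.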


So, go to Global.asax and add this method:

    // Runs for every request before Web API sees it. If no Authorization header
    // was sent, copy the access_token parameter into a Bearer header so the
    // existing token handler picks it up unchanged.
    void Application_BeginRequest(object sender, EventArgs e)
    {
        var request = HttpContext.Current.Request;

        if (request.Headers["Authorization"] == null)
        {
            // Params covers query string, form and cookies, not just the URL.
            var token = request.Params["access_token"];
            if (!String.IsNullOrEmpty(token))
            {
                // Modifying Request.Headers requires the IIS integrated pipeline.
                request.Headers.Add("Authorization", "Bearer " + token);
            }
        }
    }

UPDATE: Check out @leastprivilege's answer. Much better solution.


This is a terrible idea because the token is not protected in the query string. It is encrypted in the header with SSL.