OAuth Calling TokenEndpointPath causes controller not found for path

The following is a guide and built-in token authentication. It works fine in debug mode, but in release mode, calling TokenEndpointPath results in

The controller for the path '/ bps / oauth / token' was not found or IController is not deploying.

The URI has the / bps / part because of the WebBaseUri in the Web.config file.

<appSettings> <add key="WebBaseUrl" value="/bps/" /> <add key="WebApiBaseUrl" value="/api/" /> <add key="owin:AutomaticAppStartup" value="true" /> <add key="LoginErrorMessage" value="Login or email is wrong" /> 

The launch class is as follows:

  public class Startup { public void Configuration(IAppBuilder app) { app.Use<OwinExceptionHandlerMiddleware>(); var container = new WindsorContainer().Install(new WindsorInstaller()); container.Register(Component.For<IAppBuilder>().Instance(app)); var httpDependencyResolver = new WindsorHttpDependencyResolver(container); HttpConfiguration config = new HttpConfiguration(); config.MapHttpAttributeRoutes(); config.DependencyResolver = httpDependencyResolver; app.CreatePerOwinContext(() => container.Resolve<ApplicationUserManager>()); GlobalConfiguration.Configuration.Services.Replace(typeof(IHttpControllerActivator), new WindsorControllerActivator(container)); ConfigureOAuthTokenGeneration(app, container); ConfigureOAuthTokenConsumption(app); app.UseWebApi(config); } private void ConfigureOAuthTokenGeneration(IAppBuilder app, IWindsorContainer container) { var OAuthServerOptions = new OAuthAuthorizationServerOptions { //For Dev enviroment only (on production should be AllowInsecureHttp = false) AllowInsecureHttp = true, TokenEndpointPath = new PathString("/oauth/token"), AccessTokenExpireTimeSpan = TimeSpan.FromDays(1), Provider = container.Resolve<IOAuthAuthorizationServerProvider>(), AccessTokenFormat = container.Resolve<CustomJwtFormat>(), }; app.UseOAuthAuthorizationServer(OAuthServerOptions); } private void ConfigureOAuthTokenConsumption(IAppBuilder app) { var issuer = ConfigurationManager.AppSettings["ServerAddress"]; string audienceId = ConfigurationManager.AppSettings["AudienceId"]; byte[] audienceSecret = TextEncodings.Base64Url.Decode(ConfigurationManager.AppSettings["AudienceSecret"]); // Api controllers with an [Authorize] attribute will be validated with JWT app.UseJwtBearerAuthentication( new JwtBearerAuthenticationOptions { AuthenticationMode = AuthenticationMode.Active, AllowedAudiences = new[] { audienceId }, IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[] { new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret) } }); } } 

This is an implementation of IOAuthAuthorizationServerProvider, which is allowed for the Provider property:

  public class OAuthService : OAuthAuthorizationServerProvider { private readonly IApplicationUserService _userService; private readonly ICredentialsValidatior _credentialsValidatior; public OAuthService(IApplicationUserService userService, ICredentialsValidatior credentialsValidatior) { this._userService = userService; _credentialsValidatior = credentialsValidatior; } public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { context.Validated(); return Task.FromResult<object>(null); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin"); if (allowedOrigin == null) allowedOrigin = "*"; context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin }); /* Some user validation logick */ var user = await _userService.FindByNameAsync(context.UserName); ClaimsIdentity oAuthIdentity = await GenerateUserIdentityAsync(user); var ticket = new AuthenticationTicket(oAuthIdentity, null); context.Validated(ticket); } private async Task<ClaimsIdentity> GenerateUserIdentityAsync(ApplicationUser user) { const string authenticationType = "JWT"; var userIdentity = await _userService.CreateIdentityAsync(user, authenticationType); return userIdentity; } } 

The class that is allowed for the AccessTokenFormat property:

  public class CustomJwtFormat : ISecureDataFormat<AuthenticationTicket> { private readonly string _issuer; public CustomJwtFormat(string issuer) { _issuer = issuer; } public string Protect(AuthenticationTicket data) { if (data == null) { throw new ArgumentNullException("data"); } string audienceId = ConfigurationManager.AppSettings["AudienceId"]; string symmetricKeyAsBase64 = ConfigurationManager.AppSettings["AudienceSecret"]; var keyByteArray = TextEncodings.Base64Url.Decode(symmetricKeyAsBase64); var signingKey = new HmacSigningCredentials(keyByteArray); var issued = data.Properties.IssuedUtc; var expires = data.Properties.ExpiresUtc; var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims, issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey); var handler = new JwtSecurityTokenHandler(); var jwt = handler.WriteToken(token); return jwt; } public AuthenticationTicket Unprotect(string protectedText) { throw new NotImplementedException(); } } 

This code runs on my local computer and works fine in debug and release mode.

The problem occurs when this code is published to the development server in debug mode.

I found out that switching the AllowInsecureHttp property to false on the local computer results in this error, but the version on the dev server is exactly the same. I checked the IL code and the AllowInsecureHttp property, where set to 1.

UPDATE

I tried adding / bps / part to TokenEndpointPath, but that didn't help.

For an unknown reason, now it does not work even locally. I found out that the project settings are

I tried to find these settings on the dev server, unfortunately, due to the lack of my knowledge about IIS, I did not find anything.

I also tried checking the OWIN pipeline and found out that the URL that goes through the pipeline is the same as in Startup.cs.

I also found this question on StackOverflow.