
Transformation of token received from OpenID server


I currently have a distributed system containing an OpenID Connect server (IdentityServer3) acting as SSO server. The clients using the SSO server are AngularJS SPAs with WebAPI v2 backends.

I got the basic login flow working, but I need some help with configuring the WebAPI/OWIN pipeline to allow transformation of the received token claims, i.e. removing unnecessary claims and adding local claims. I'm assuming I need to create a local JWT instead of using the JWT received from the SSO server.

The question is, what is the best way of doing this? Are there OWIN middlewares that can help with this, or do I need to "manually" generate a new locally signed JWT from the claims received from the SSO server?

Current implementation details:

  1. The AngularJS SPA authenticates against the SSO server using authorization code flow and receives the authorization code.
  2. The SPA posts the authorization code to the WebAPI.
  3. WebAPI receives the authorization code and requests an AccessToken/JWT from the SSO server using the OAuth2Client class (part of Thinktecture.IdentityModel.Clients). This AccessToken is returned to the SPA to use in any further requests done to the WebAPI.

So my question mostly relates to step 3. How do I best change my current flow to generate a token also containing the local claims?

Also, what kind of authentication middleware should be used with your proposed solution (JwtBearerAuthentication, OpenIdConnectAuthentication or OAuthBearerAuthentication)?

Apologies for my probably confused terminology usage, I'm a beginner regarding OAuth and especially the OWIN pipeline. :)


Solution

    1. Your WebApi should use BearerTokenAuthentication.
    2. To get the access token (access_token) and claims (id_token) in a single call you need to set the response type as ResponseType="token id_token"
    3. You can check out the various ready-to-run samples at IdentityServer3 Samples. Specifically, check out the implicit flow sample.
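The following is an added example, not code from either poster or from the IdentityServer3 project, showing one way to do the claims transformation the question asks about while staying with the bearer-token middleware the answer recommends. It keeps the token issued by IdentityServer3 as-is (no locally re-signed JWT) and instead rewrites the `ClaimsPrincipal` in the OWIN pipeline after the token has been validated and before Web API runs. It assumes the `IdentityServer3.AccessTokenValidation` package; the `Authority` URL, the `api1` scope, the dropped claim types and the `LocalUserStore` lookup are all placeholders or constructed sample data.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Owin;

[assembly: OwinStartup(typeof(WebApiHost.Startup))]

namespace WebApiHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // 1. Validate the bearer token issued by the SSO server (IdentityServer3).
            //    Authority and RequiredScopes are placeholders for your own values.
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://sso.example.local/identity",
                RequiredScopes = new[] { "api1" }
            });

            // 2. Claims transformation: runs only for authenticated requests, after
            //    validation and before Web API sees the principal. Unauthenticated
            //    requests pass through untouched so [Authorize] still rejects them.
            app.Use(async (IOwinContext context, System.Func<Task> next) =>
            {
                var principal = context.Authentication.User;
                if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
                {
                    context.Authentication.User = ClaimsTransformer.Transform(principal);
                }
                await next();
            });

            // 3. Web API would be registered here, e.g. app.UseWebApi(config).
        }
    }

    public static class ClaimsTransformer
    {
        // Claim types carried by the SSO token that this API does not need locally.
        private static readonly HashSet<string> DroppedClaimTypes =
            new HashSet<string> { "amr", "auth_time", "idp" };

        public static ClaimsPrincipal Transform(ClaimsPrincipal incoming)
        {
            // Keep only the claims the API relies on; "sub" is the stable subject
            // identifier and is the only key used to look up local data.
            var kept = incoming.Claims
                .Where(c => !DroppedClaimTypes.Contains(c.Type))
                .ToList();

            var identity = new ClaimsIdentity(kept, "LocalBearer", "sub", "role");

            var subject = identity.FindFirst("sub");
            if (subject != null)
            {
                // Local claims are derived from the API's own store, never from
                // anything the client could have supplied in the request.
                foreach (var claim in LocalUserStore.LocalClaimsFor(subject.Value))
                {
                    identity.AddClaim(claim);
                }
            }

            return new ClaimsPrincipal(identity);
        }
    }

    // Constructed stand-in for a database of local user data keyed by "sub".
    public static class LocalUserStore
    {
        private static readonly Dictionary<string, (string LocalId, string[] Roles)> Users =
            new Dictionary<string, (string, string[])>
            {
                { "818727", ("local-42", new[] { "editor", "reporting" }) }
            };

        public static IEnumerable<Claim> LocalClaimsFor(string sub)
        {
            (string LocalId, string[] Roles) record;
            if (!Users.TryGetValue(sub, out record))
            {
                yield break; // unknown subject: no local claims, authorization decides what that means
            }
            yield return new Claim("local_user_id", record.LocalId);
            foreach (var role in record.Roles)
            {
                yield return new Claim("role", role);
            }
        }
    }
}
```

Because the transformation happens after `UseIdentityServerBearerTokenAuthentication` has already validated the signature, issuer, audience and lifetime, the local claims never have to be round-tripped through the browser, and the SPA keeps sending the original `access_token` from step 3 of the question. A separate locally signed JWT is only worth the extra key management if the local claims must be consumed by other services that cannot reach this API's user store.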