Can't figure out if OWIN is intercepting reque

Posted 2019-09-11 04:53

Question:

I have an ASP.NET Web API with JWT authentication using OWIN middleware. My resource server and the authorization server are the same. I am able to get the token from the token endpoint. ValidateClientAuthentication and GrantResourceOwnerCredentials methods are hit successfully. However, when I try to access a protected (with [Authorize]) API (with the authorization header set to the bearer token) I only get "Authorization has been denied for this request".

I have overridden ValidateAuthorizeRequest method just to see if it gets hit when the api call is made via Postman. However it is never hit.

I am trying to figure out a way to see if at all OWIN is intercepting calls to the api other than the calls to the token endpoint.

Is there any way or methods to override so that I can debug and see where in the pipeline the request is being rejected and why?

As of now I make the call via Postman and get an unauthorized response.

Any help would be greatly appreciated.

Answer 1:

This is difficult to answer without seeing what you've done. I am wondering if you have wired things up correctly. Startup class is where you define your Provider and Token format and then you set your application to use those settings. Here is an example:

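    using System;
    using System.Web.Http;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    // ConfigurationHelper, ToInt(), CustomOAuthProvider and CustomJwtFormat are
    // application-defined types, not part of OWIN/Katana.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            // Register the OAuth middleware before Web API so it runs first.
            ConfigureOAuth(app);
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
            app.UseWebApi(config);
        }

        public void ConfigureOAuth(IAppBuilder app)
        {
            int accessTokenExpiresInSeconds = ConfigurationHelper.GetAppSetting("AccessTokenExpirationInSeconds").ToInt();
            var oAuthServerOptions = new OAuthAuthorizationServerOptions
            {
                // Permits token requests over plain HTTP; disable outside development.
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString(ConfigurationHelper.GetAppSetting("TokenEndPoint")),
                AccessTokenExpireTimeSpan = TimeSpan.FromSeconds(accessTokenExpiresInSeconds),
                // Provider validates clients and credentials; AccessTokenFormat issues the JWT.
                Provider = new CustomOAuthProvider(),
                AccessTokenFormat = new CustomJwtFormat(ConfigurationHelper.GetAppSetting("TokenIssuer"))
            };

            app.UseOAuthAuthorizationServer(oAuthServerOptions);
        }
    }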

If that's not the issue then you can use my own article on OAuth2 and JWT, I've got a full example on how to set everything up and the code is on GitHub. Hopefully it will guide you in the right direction:

https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
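
One way to check whether OWIN sees the API calls at all, and whether any authentication middleware accepted the bearer token, is a small logging middleware registered first in the pipeline. This is an added example, not code from the question or the answer; `UseRequestDiagnostics` is a hypothetical name, and it assumes it is called as the first line of `Startup.Configuration`.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Hypothetical helper (not from the original post). Call
// app.UseRequestDiagnostics() before any other middleware is registered
// so that it wraps the whole pipeline.
public static class RequestDiagnosticsExtensions
{
    public static IAppBuilder UseRequestDiagnostics(this IAppBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // Log only the scheme of the Authorization header, never the token.
            string header = context.Request.Headers.Get("Authorization");
            string scheme = string.IsNullOrWhiteSpace(header)
                ? "(none)"
                : header.Trim().Split(' ')[0];

            Trace.TraceInformation("OWIN in : {0} {1} auth-scheme={2}",
                context.Request.Method, context.Request.Path, scheme);

            await next();

            // After the rest of the pipeline ran: is an authenticated identity
            // visible in the OWIN environment, and which status is going out?
            var user = context.Authentication.User;
            bool authenticated = user != null
                && user.Identity != null
                && user.Identity.IsAuthenticated;

            Trace.TraceInformation(
                "OWIN out: {0} status={1} authenticated={2} authType={3}",
                context.Request.Path,
                context.Response.StatusCode,
                authenticated,
                authenticated ? user.Identity.AuthenticationType : "(none)");
        });
    }
}
```

If no line appears for the API call, the request is not passing through the OWIN pipeline. If it shows `auth-scheme=Bearer` with `authenticated=False` and status 401, the request reached OWIN but no registered middleware validated the token.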