I have an ASP.NET Web Api 2.0 project with token authentication and everything done mainly following this article:

Token Based Authentication using ASP.NET Web API 2, Owin, and Identity, Bit Of Technology

But I am struggling to understand what exactly this line of code in my Startup.cs does:

app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

This does not make the Web Api add the Access-Control-Allow-Origin header to my API responses, in other words it does not enable Cors in my Web Api (still trying to understand how to do this by the way). It does not even add it to my bearer token authentication server response. I have to have this code to my OAuthAuthorizationServerProvider:

public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); 

to enable Cors on my token provider end point responses.

So what is the use of this Microsoft.Owin.Cors middleware anyway? Because everywhere I read about Web Api 2.0 and Cors this line of code

app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

comes up:

thanks for following my tutorial.

This LOC app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); is used to enable CORS for the API itself (Any controller inheriting from ApiController).

But for the Authz server and end point /token this make no affect that is why I've to add context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); This end point is not part from the API and doesn't inherit from ApiController class.

Hope this answers your question.