OWIN OAuth 2.0 - Bearer Token Never Expire

Published 2019-04-14 09:04

Question:

I'm using the following OAuth provider and options:

    // Startup.Auth.cs, inside ConfigureAuth(IAppBuilder app)
    UserManagerFactory = () => new UserManager<IdentityUser>(
        new UserStore<IdentityUser>(new ApplicationDbContext()));
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
        AuthorizeEndpointPath = new PathString("/api/AccountOwin/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(2),
        AllowInsecureHttp = true   // tokens may be issued over plain HTTP; development only
    };

    // Cookie middleware is registered as an active scheme alongside the bearer middleware
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);

The Oauth Provider class comes from the below link: https://github.com/gustavo-armenta/BearerTokenAuthenticationSample/blob/master/BearerTokenAuthenticationSample/Providers/ApplicationOAuthProvider.cs

I want to implement a refresh token provider, and because of this I set the expiration time to 2 minutes. But I noticed that the Web API allows access to the resources even after 2 minutes.

Thanks in advance!

Answer 1:

I had this problem because I'd forgotten to configure WebAPI correctly. Adding the following code into my WebApiConfig Register() method solved it.

    // Web API configuration and services (WebApiConfig.Register(HttpConfiguration config))
    // Configure Web API to use only bearer token authentication.
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

I found this in the sample I used and it's also mentioned in this post.
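Why those two lines matter, as an added example that is not code from the question, from the linked sample, or from either answer: `UseCookieAuthentication` in the question's Startup.Auth.cs registers the cookie middleware as an active scheme, so the OWIN host establishes a principal from an `.AspNet.ApplicationCookie` whenever one is sent. Unless Web API is told to ignore the host's principal, a client that received such a cookie (the stock Visual Studio Web API template's `GrantResourceOwnerCredentials` signs one in from the `/Token` endpoint) stays authenticated by the cookie after the bearer token's `AccessTokenExpireTimeSpan` has passed, which looks exactly like a token that never expires. The block below shows the hardened `WebApiConfig` from the answer next to a hypothetical `WhoAmIController` that reports which scheme authenticated the request; the namespace, route and controller names are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;

namespace BearerTokenDemo   // assumed namespace, not the question's project
{
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Weak configuration: leaving these two lines out lets Web API trust
            // whatever principal the OWIN host already established. With the cookie
            // middleware active, a request carrying .AspNet.ApplicationCookie is
            // authenticated by the cookie, and the bearer token's expiry never matters.

            // Hardened configuration: discard the host's principal and let only the
            // bearer middleware (OAuthDefaults.AuthenticationType == "Bearer")
            // authenticate Web API requests. An expired token now yields 401.
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional });
        }
    }

    // Diagnostic endpoint (hypothetical, added for this example). It reports which
    // authentication scheme produced the current principal, the quickest way to
    // tell a cookie-authenticated request from a bearer-authenticated one.
    [Authorize]
    [RoutePrefix("api/whoami")]
    public class WhoAmIController : ApiController
    {
        [Route("")]
        public IHttpActionResult Get()
        {
            var identity = User.Identity as ClaimsIdentity;
            return Ok(new
            {
                Name = User.Identity.Name,
                // "Bearer" when the token authenticated the request;
                // "ApplicationCookie" means host (cookie) authentication is still in play.
                AuthenticationType = User.Identity.AuthenticationType,
                Claims = identity == null
                    ? new string[0]
                    : identity.Claims.Select(c => c.Type + "=" + c.Value).ToArray()
            });
        }
    }
}
```

To check the fix, use a client that does not keep cookies (for example `curl` without a cookie jar): POST `grant_type=password&username=...&password=...` to `/Token`, call `GET /api/whoami` with `Authorization: Bearer <access_token>` and confirm `AuthenticationType` is `Bearer`, then repeat the call after the two-minute expiry and expect `401 Unauthorized`. If a cookie-keeping client still gets `200` after expiry, or reports `ApplicationCookie`, host authentication has not been suppressed. For an API that is meant to be token-only, also consider not signing in the cookie identity from the token endpoint at all, and do not ship `AllowInsecureHttp = true`, since it lets bearer tokens travel over plain HTTP.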



Answer 2:

We had the same problem. In our case it turned out to be that the authentication server was built with Web API 2.0 and the resource server was Web API 2.2. We built the authentication server first, then built the resource server. By the time we built the resource server and added the NuGet packages, we got Web API 2.2. Upgrading the packages to the new versions on the authentication server and redeploying solved our problem.