How can I validate Web Api 2 Owin Token send via URL?

Question

TL;DR Version
I have a situation on my Cordova AngularJS App where I need to open a browser and make a request. But I've found out that I can't send headers on this requisition, simply because $window doesn't accept them. But I can send it in URL.
How can I validate the token received via URL on Web API?

Detailed Version

I am building a Cordova App, using AngularJs and ngCordova. On last few days, I tried to download a PDF file and leave it avaliable for the user, so he could read it anytime. But all I could achieve was download it using CordovaFileTransfer on background (without Android download manager) and access it through a File Explorer App (because the file did not appeared on conventional Download Folder/App), which is not good for me (I would be happy to receive any thougths about this).

So I decided to try another aproach. Using CordovaInAppBrowser I managed to successfully download my file, but only without any authorization token, because the plugin does not support any headers.

If I could send the valid token on URL, CordovaInAppBrowser would work just fine. But I have no idea on how to valid it manually on Web Api. I've found those two pages that have info on that, but I failed to understand it to use on my application.

Retrieving bearer tokens from alternative locations in Katana/OWIN
Passing the access token on the URL

Can someone point me on right direction?

Answer 1

Whether you want to extract your token from the headers or from the URL query string, the principle is the same; you need to extract the data from your request to validate the token.

I have used two approaches, depending on where exactly do you want to do this.

First approach would be to create a custom attribute by overriding AuthorizeAttribute or even plain ActionFilterAttribute. There are ton of resources about this topic out there, but you can find some info here and here. This approach works great if you don't want to do this on all your API methods and API controllers. You just simply put your custom attribute where you want it.

Second approach would be to create a custom OWIN middleware. Here and here you can find great resources on how to do this. This approach is more centralized as all of your API calls would go through it.