How to return a JSON Web Token in a C# WEB API?

Question

I am trying to wrap my ahead around using JWT to secure a WEB API written in C#, but am getting hung up on a few things. From my understanding the flow should be something like this:

1. Client provides username/password to the Web API from some client application (Angular, .NET, Mobile, etc)
2. The Web API validates that the username/password is correct and then generates a JWT (JSON Web Token) that contains the user's roles, information, expiration date, and other relevant information.
3. The JWT is sent back to the client application.
4. The client application hangs on to the JWT and sends it with future requests.

Assuming the above is correct (and please let me know if it is not), I am having trouble understanding the following things.

1. Once the Web API has validated the username/password and created the JWT, how does the JWT get passed back? Do I somehow add it to an HttpResponseMessage object? I can't seem to find a clear answer on this.
2. How should the client application pass the JWT back? Is this in the JSON data, appended to the URL, added to headers?
3. I see plenty of tutorials referencing OWIN and OAUTH. What are these and why do I need them? I am holding the user credentials and roles in the database used by the WEB API.

Answer 1

Once the Web API has validated the username/password and created the JWT, how does the JWT get passed back? Do I somehow add it to an HttpResponseMessage object?

Common practice is on success, the response from the service has the status code 200 OK in the response header, and token related data in the response body

200 OK
Content-Type: application/json;charset=UTF-8

{
    "access_token": "NgCXRK...MzYjw",
    "token_type": "Bearer",
    "expires_at": 1372700873,
    "refresh_token": "NgAagA...Um_SHo"
}

How should the client application pass the JWT back? Is this in the JSON data, appended to the URL, added to headers?

Using the access token to make authenticated requests

Now that you have a token, you can make authenticated requests to the API. This is done by either setting the HTTP Authorization header or query string in the request depending on how the server is configured.

in a header

Authorization: Bearer NgCXRK...MzYjw    

as a parameter

GET http://localhost:35979/v2/endpoint?access_token=NgCXRK...MzYjw

I see plenty of tutorials referencing OWIN and OAUTH. What are these and why do I need them?

OWIN — Open Web Interface for .NET http://owin.org/

OWIN defines a standard interface between .NET web servers and web applications. The goal of the OWIN interface is to decouple server and application, encourage the development of simple modules for .NET web development, and, by being an open standard, stimulate the open source ecosystem of .NET web development tools.

OWIN OAuth 2.0 Authorization Server

The OAuth 2.0 framework enables a third-party app to obtain limited access to an HTTP service. Instead of using the resource owner's credentials to access a protected resource, the client obtains an access token (which is a string denoting a specific scope, lifetime, and other access attributes). Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner.