Understanding SPA2013 MVC5 SPA WebAPI Templates

I am trying to understand the security features of VS2013 MVC5 SPA Template WebAPI.

Startup.Auth.cs has this -

    TokenEndpointPath = new PathString("/Token")

and this -

    AuthorizeEndpointPath = new PathString("/Account/Authorize")

In my understanding, AuthorizeEndpointPath is intended for when you are acting as a third-party OAuth authorization server.

However, as used in the template the flow seems to be

  • Login via Forms Authentication
  • Redirect to a secure page
  • JavaScript validates the bearer token in local storage; it doesn't exist, so it redirects to that authorization endpoint.

    window.location = "/Account/Authorize?client_id=web&response_type=token&state=" + encodeURIComponent(window.location.hash);

  • Signing into the app with OAuth protection returns a token that will be passed on subsequent API requests.

The /Token endpoint is never used. A preview of this template made an AJAX call to /Token for login. I have a similar situation where a site is protected with authentication/cookies, but the Web API is protected by a bearer token.

Is the authorization endpoint used correctly in this SPA template - is it the correct template? It seems that a suitable way to authenticate to secure the bearer token "internally" for the application would be the client credentials grant, although I'm not sure how to generate the "secret".
