API keys in addition to OAuth OWIN / Web Api

I have an interesting script I'm looking for to get some guidance.

Currently I have implemented OAuth using standard OWIN features with Web API and ASP.NET Identity. The Client Credentials functionality has also been successfully implemented, which allows clients (for example, browsers and iPhones) to access the API for anonymous mode of operation until the RO is logged in.

We now have a scenario where we want to build a javascript (JSONP) widget similar to the Stripe Checkout widget ( https://stripe.com/docs/checkout ). As you will see, this widget can be easily implemented by providing a simple data key attribute as part of the script tag. My guess is that it is generated in the background as a simple API key, but in addition to the list of registered domains from which it can be called. When this key is passed to the API, the api checks it against the domain from which the request was made to ensure that the API can access the necessary resources provided by the key.

My questions are: 1. How can I implement an API key in addition to the OAuth token tokens in the OWIN pipeline? All the documentation I see usually suggests writing a separate delegate handler for looking up keys and so on, but could my OWIN pipeline make it this far because invoking the action itself is not allowed? 2. We also explicitly remove any other non-OAuth authentication in the following lines of code:

   config.SuppressDefaultHostAuthentication();
   config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

      

        
        
        
      

    

3. Is there an easier way to validate clients with only client id (no secrets) for javascript modes, since keeping secrets is nearly impossible in js environments?

4. Am I missing something obvious, what could I have done to make this process easier?

I guess we've figured out everything in terms of creating a JSONP widget, but this part left me a little confused.

Any help would be much appreciated!

Cheerz, Anup