This document describes an approach that lets multiple clients (mobile, web, etc.) access the API by identifying the client dynamically from the request headers.

Create a class "CelloTokenHandler" as per the following definition:

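using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

public class CelloTokenHandler : JwtSecurityTokenHandler
{
 public override ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
 {
  // Headers of the current request
  var headers = System.Web.HttpContext.Current.Request.Headers;
  string clientId = null;

  // Read the client id from any of the supported header names; a later match overrides an earlier one
  if (headers.AllKeys.Contains("X-clientid"))
  {
   clientId = headers["X-clientid"];
  }
  if (headers.AllKeys.Contains("x-clientid"))
  {
   clientId = headers["x-clientid"];
  }
  if (headers.AllKeys.Contains("clientid"))
  {
   clientId = headers["clientid"];
  }

  if (!string.IsNullOrEmpty(clientId))
  {
   // Copy the parameters first so the per-request audience does not alter the instance configured at startup
   validationParameters = validationParameters.Clone();
   // Expected audience for this request: <clientId>~Web~MultiTenantAccess
   validationParameters.ValidAudience = string.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}~{1}~{2}", clientId, "Web", "MultiTenantAccess");
  }

  return base.ValidateToken(securityToken, validationParameters, out validatedToken);
 }
}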

In the WebApi project's StartUp.cs file, update the "ApiAuthentication" method to inject the above token handler into the request pipeline by adding the following line

jwtAuthOptions.TokenHandler = new CelloTokenHandler();

after the initialization of the "jwtAuthOptions.Provider" property in the method.

Sample method with the injected handler:

private void ApiAuthentication(IAppBuilder app)
{
 var jwtAuthOptions = new Microsoft.Owin.Security.Jwt.JwtBearerAuthenticationOptions();

 jwtAuthOptions.Provider = new OAuthBearerAuthenticationProvider
 {
  OnValidateIdentity = async (ctx) =>
  {
   var claims = ctx.Ticket.Identity.Claims;
   await TransformCelloClaims(ctx, claims);
  },
 };

 // Inject the custom handler that derives the audience from the client id header
 jwtAuthOptions.TokenHandler = new CelloTokenHandler();

 jwtAuthOptions.TokenValidationParameters = new TokenValidationParameters
 {
  ValidIssuer = System.Configuration.ConfigurationManager.AppSettings["AuthIssuer"],
  ValidAudiences = new string[] { },
  // Audience configured at startup; CelloTokenHandler replaces it when a client id header is present
  ValidAudience = string.Format(System.Globalization.CultureInfo.InvariantCulture, "{0}~{1}~{2}",
   "f5a54ffd-f1eb-4366-abd0-867547e92feb", "Web", "MultiTenantAccess"),
  IssuerSigningToken = new X509SecurityToken(CertificateStore.GetCertificate())
 };

 // Run the authentication middleware only for requests that carry an Authorization header
 app.MapWhen(req => req.Request.Headers.ContainsKey("Authorization"), apiAuth =>
 {
  apiAuth.UseCelloBasicAuthentication(new CelloSaaS.Security.Options.BasicAuthentication.CelloBasicAuthenticationOptions
  {
   AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
  });
  apiAuth.UseJwtBearerAuthentication(jwtAuthOptions);
  apiAuth.UseCelloBearerAuthentication(new CelloBearerAuthenticationOptions());
  apiAuth.UseCelloCookieAuthentication(new CelloCookieAuthenticationOptions());
 });
}

For reference, a sample "startup.cs" file is attached.

Apply the above changes, rebuild and deploy the project, and then test it.


Testing
*********

The following sample request headers can be used to test the above app:

User-Agent: Fiddler
Host: localhost:44300
Authorization: Bearer a.b.c
X-clientid: eab6e011-b1bb-4ab0-934d-ab8cf91ebd2c

Any of the header names "X-clientid", "x-clientid" or "clientid" can be used to send the client id for dynamic client validation. Please use the clientid in lowercase.
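
Because CelloTokenHandler builds ValidAudience from a request header, the header value decides which audience a token is checked against. The following is an added example, not part of the original document or the CelloSaaS code base, showing one way to accept only a single, well-formed ID of a registered client before it is used. The names ClientAudienceResolver, TryResolveAudience and registeredClientIds are hypothetical, and the set of registered IDs is assumed to come from the application's own client registry, stored in lowercase.

```csharp
// Added example: ClientAudienceResolver and registeredClientIds are hypothetical names.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;
using System.Linq;

public static class ClientAudienceResolver
{
    // Header names taken from the document; NameValueCollection lookups ignore case,
    // so "X-clientid" also covers "x-clientid".
    private static readonly string[] HeaderNames = { "X-clientid", "clientid" };

    // Returns true and sets 'audience' only when the request carries exactly one
    // well-formed client id that is present in registeredClientIds (lowercase GUIDs).
    public static bool TryResolveAudience(NameValueCollection headers,
        ISet<string> registeredClientIds, out string audience)
    {
        audience = null;

        // Gather every value sent under any accepted header name.
        var values = HeaderNames
            .SelectMany(name => headers.GetValues(name) ?? new string[0])
            .Select(v => v.Trim())
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        // No header, or conflicting values: do not derive an audience from the request.
        if (values.Count != 1) return false;

        // Accept only the hyphenated GUID form and normalise it to lowercase.
        Guid clientGuid;
        if (!Guid.TryParseExact(values[0], "D", out clientGuid)) return false;
        string clientId = clientGuid.ToString("D");

        // Only ids of clients known to the application may select an audience.
        if (!registeredClientIds.Contains(clientId)) return false;

        audience = string.Format(CultureInfo.InvariantCulture, "{0}~{1}~{2}",
            clientId, "Web", "MultiTenantAccess");
        return true;
    }
}
```

In CelloTokenHandler, ValidAudience would then be set only when TryResolveAudience returns true; otherwise the audience configured at startup stays in effect.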