Spent a good part of my morning troubleshooting why a new Web API project would not accept the authorization token from my authorization server. It had the proper machine key to match the authorization server, and the OWIN pipeline was configured identically to its sister project. After the first frustrating hour I realized it had to be something bonehead simple because the first resource server would accept the token just fine. Then the head slap! The new project was using the latest OWIN middle ware and after upgrading the first resource server it too would no longer accept the token. After upgrading the authorization server to the latest middle ware they both starting working.
Always make sure your Authorization Server and Resource Servers are running the same OWIN middle ware versions. If there is a mismatch it could result in the resource server always return a 401. I am sure this was documented somewhere and I just didn’t see it.