I developed a Web API that uses token based authentication (using Identity and OWIN).
What I need to do is to identify the user in each request made with the token so that I can provide the data that only belongs to that user.
My idea is to insert / update that user record with the token right after the successful authentication.
How can I do that?
I mean, how can I grab the token before returning the response to the client?
Or... is there any other way to accomplish that?
You don't need to store the token to identify the user. The user identity is self-contained in the token.
When the resource server gets the request, the OAuth 2.0 middleware (implemented in the Microsoft.Owin.Security.OAuth dll) decrypts the token and sets it into the Identity property (context.Identity in most of the methods). Then you can check for the user identity.
Take into account that the authorisation server and the resource server can be separated, and the resource server normally doesn't have access to the authorisation server database.
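To make the answer concrete, here is an added example (not code from the question or the answer) of the OWIN setup it describes: the authorisation server puts the user id into the claims when it issues the token, and the resource server reads that id back from the validated bearer token on every request instead of looking the token up in a database. `DemoAuthorizationServerProvider`, `DemoUserStore`, `ItemsController` and the sample users are constructed for this example; the middleware and Web API types are the real `Microsoft.Owin.Security.OAuth` and `System.Web.Http` ones.

```csharp
// Added example: resource server trusts only the user id carried inside the validated bearer token.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Authorisation server: issues tokens at /token.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new DemoAuthorizationServerProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false   // keep bearer tokens off plain HTTP
        });

        // Resource server: decrypts the bearer token on each request and fills in
        // the request's ClaimsPrincipal. No token record is read from any database.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class DemoAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Without this call the token endpoint rejects every request.
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Hypothetical credential check; a real app calls its Identity UserManager here.
        string userId = DemoUserStore.CheckCredentials(context.UserName, context.Password);
        if (userId == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        // Everything the resource server needs to know about the user goes into the claims;
        // the middleware protects them against tampering when it serialises the token.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }
}

// Constructed stand-in for a user store and the per-user data.
public static class DemoUserStore
{
    public static string CheckCredentials(string userName, string password)
    {
        // Placeholder only; a real implementation uses UserManager.FindAsync(userName, password).
        return userName == "alice" && password == "correct horse" ? "user-42" : null;
    }

    public static readonly Dictionary<string, List<string>> ItemsByUser = new Dictionary<string, List<string>>
    {
        { "user-42", new List<string> { "alice's first item", "alice's second item" } },
        { "user-99", new List<string> { "bob's item" } }
    };
}

[Authorize]   // rejects requests that carry no valid bearer token
public class ItemsController : ApiController
{
    // GET /api/items
    public IHttpActionResult Get()
    {
        // The user id comes from the validated token, never from the request body or query string,
        // so one user cannot ask for another user's data by changing a parameter.
        var principal = User as ClaimsPrincipal;
        string userId = principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null)
            return Unauthorized();

        List<string> items;
        DemoUserStore.ItemsByUser.TryGetValue(userId, out items);
        return Ok(items ?? new List<string>());
    }
}
```

A client first POSTs `grant_type=password&username=alice&password=...` to `/token`, then sends the returned `access_token` as `Authorization: Bearer <token>` on each call to `/api/items`; the controller sees only alice's items because the id was read from the token's claims. If the project references `Microsoft.AspNet.Identity`, `User.Identity.GetUserId()` is the same `NameIdentifier` lookup wrapped in an extension method. Because the id lives in the token and the resource server only needs the machine key to decrypt it, the split between authorisation server and resource server that the answer mentions works without sharing the user database.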