I have an existing combined ASP.net MVC and WebAPI website that uses the standard
To answer my own question, in the end I handled this in my ApplicationUserManager class. I overrode the FindAsync method and validated the credentials there by calling through to the 3rd party web service. That returned a session token to be used to call other endpoints.

I stored the session token in the user ClaimsIdentity within another overridden method--CreateIdentityAsync. This session token can then be read out of the bearer token on subsequent WebAPI calls.

This technique works for both WebAPI and Website logins, and can, if necessary, fall back to the UserManager to validate the user's credentials using EF if the user does not have credentials stored in the 3rd party service.
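The two overrides described in the answer above, written out as an added example (this is not the answerer's code). It targets ASP.NET Identity 2.x, where UserManager.FindAsync and UserManager.CreateIdentityAsync are both virtual. The IExternalAuthClient interface, the ExternalAuthResult type, the ExternalSessionToken property and the claim type string are all assumptions introduced here to stand in for the 3rd party service; the fallback to the EF store and the claim that rides in the bearer token follow the approach the answer describes.

```csharp
using System.ComponentModel.DataAnnotations.Schema;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Assumed shape of the 3rd party login call (not part of the original post).
public enum ExternalAuthOutcome { Succeeded, BadPassword, UserNotKnown }

public class ExternalAuthResult
{
    public ExternalAuthOutcome Outcome { get; set; }
    public string SessionToken { get; set; }   // token for later calls to the service
}

public interface IExternalAuthClient
{
    Task<ExternalAuthResult> AuthenticateAsync(string userName, string password);
}

public class ApplicationUser : IdentityUser
{
    // Transient: holds the 3rd party session token between FindAsync and
    // CreateIdentityAsync within one login. Not persisted by EF.
    [NotMapped]
    public string ExternalSessionToken { get; set; }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    // Assumed claim type; any stable URI-style string works.
    public const string ExternalSessionClaimType = "urn:example:external-session";

    private readonly IExternalAuthClient _external;

    public ApplicationUserManager(IUserStore<ApplicationUser> store, IExternalAuthClient external)
        : base(store)
    {
        _external = external;
    }

    // Credentials are checked against the 3rd party service first. Only when the
    // service does not know the user at all do we fall back to the local EF
    // password hash; a wrong password at the service is a failed login, not a fallback.
    public override async Task<ApplicationUser> FindAsync(string userName, string password)
    {
        var result = await _external.AuthenticateAsync(userName, password);

        switch (result.Outcome)
        {
            case ExternalAuthOutcome.Succeeded:
                var user = await FindByNameAsync(userName);
                if (user == null) return null;          // authenticated remotely but no local account
                user.ExternalSessionToken = result.SessionToken;
                return user;

            case ExternalAuthOutcome.UserNotKnown:
                return await base.FindAsync(userName, password);   // EF-stored credentials

            default:
                return null;                            // bad password: do not fall back
        }
    }

    // Adds the session token as a claim, so it ends up inside the (protected) bearer
    // token / auth cookie and is available on later requests without re-authenticating.
    public override async Task<ClaimsIdentity> CreateIdentityAsync(ApplicationUser user, string authenticationType)
    {
        var identity = await base.CreateIdentityAsync(user, authenticationType);
        if (!string.IsNullOrEmpty(user.ExternalSessionToken))
        {
            identity.AddClaim(new Claim(ExternalSessionClaimType, user.ExternalSessionToken));
        }
        return identity;
    }
}

// Reading the token back out of the bearer token on a WebAPI call.
[Authorize]
public class ExampleController : ApiController
{
    public IHttpActionResult Get()
    {
        var identity = User.Identity as ClaimsIdentity;
        var claim = identity == null ? null : identity.FindFirst(ApplicationUserManager.ExternalSessionClaimType);
        if (claim == null)
        {
            // Logged in via the EF fallback: there is no 3rd party session to use.
            return StatusCode(System.Net.HttpStatusCode.Forbidden);
        }
        string externalSessionToken = claim.Value;   // pass this to the 3rd party endpoints
        return Ok();
    }
}
```

Two points worth checking in a real deployment: the claim is only as confidential as the bearer token that carries it (the OWIN bearer ticket is protected by the machine key / data protection provider, so keep that configured consistently across servers), and the bearer token's lifetime should not outlive the 3rd party session, otherwise callers hold a valid local login with a dead remote token.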