public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            string id;
            long?  userId;
            var    error = string.Empty;

            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });  //tells browsers whether to expose the response to frontend JavaScript code
            var username = context.UserName;

            //EnforceEncodingInteroperability(ref username);

            //byte[]  userPassword = Convert.FromBase64String(context.Password);
            using (AuthorizationRepository _repo = new AuthorizationRepository())
            {
                var userAuthInfo = _repo.ValidateSession(username);
                id     = userAuthInfo.Id;
                userId = userAuthInfo.UserId;
                if (userId < 0)
                {
                    error = "Invalid username";
                    goto ErrorHandling;
                }

                var incoming = AuthorizationUtils.Hash(context.Password, userAuthInfo.Salt);
                if (!(AuthorizationUtils.SlowEquals(incoming, userAuthInfo.Password)))
                {
                    error = "Invalid username and or password";
                    goto ErrorHandling;
                }
            }

            var identity = new ClaimsIdentity(context.Options.AuthenticationType);

            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, string.Format("{0}:{1}:{2}", id, username, userId)));
            identity.AddClaim(new Claim(ClaimTypes.Role, "user"));

            context.Validated(identity);
            LogManager.WriteLog(string.Format("{0}/{1}", username, context.Password), JsonConvert.SerializeObject(context.OwinContext.Request.Headers.Values), null, null, "OK", string.Format("{0}:{1}", id, context.UserName)).Forget();
            return;

ErrorHandling:
            context.SetError("invalid_grant", error);
            LogManager.WriteLog(string.Format("{0}/{1}", username, context.Password), JsonConvert.SerializeObject(context.OwinContext.Request.Headers.Values), null, null, "BadRequest", error).Forget();
            return;
        }