/// <summary>
        /// Method that is called by the OIDC middleware after the authentication data has been validated.  This is where most of the sign up
        /// and sign in work is done.
        /// </summary>
        /// <param name="context">An OIDC-supplied <see cref="Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationValidatedContext"/> containing the current authentication information.</param>
        /// <returns>a completed <see cref="System.Threading.Tasks.Task"/></returns>
        public override async Task TokenValidated(TokenValidatedContext context)
        {
            var principal     = context.Ticket.Principal;
            var userId        = principal.GetObjectIdentifierValue();
            var tenantManager = context.HttpContext.RequestServices.GetService <TenantManager>();
            var userManager   = context.HttpContext.RequestServices.GetService <UserManager>();
            var issuerValue   = principal.GetIssuerValue();

            _logger.AuthenticationValidated(userId, issuerValue);

            // Normalize the claims first.
            NormalizeClaims(principal);
            var tenant = await tenantManager.FindByIssuerValueAsync(issuerValue)
                         .ConfigureAwait(false);

            if (context.IsSigningUp())
            {
                // Originally, we were checking to see if the tenant was non-null, however, this would not allow
                // permission changes to the application in AAD since a re-consent may be required.  Now we just don't
                // try to recreate the tenant.
                if (tenant == null)
                {
                    tenant = await SignUpTenantAsync(context, tenantManager)
                             .ConfigureAwait(false);
                }

                // In this case, we need to go ahead and set up the user signing us up.
                await CreateOrUpdateUserAsync(context.Ticket, userManager, tenant)
                .ConfigureAwait(false);
            }
            else
            {
                if (tenant == null)
                {
                    _logger.UnregisteredUserSignInAttempted(userId, issuerValue);
#if NET451
                    throw new SecurityTokenValidationException($"Tenant {issuerValue} is not registered");
#else
                    throw new SecurityException($"Tenant {issuerValue} is not registered");
#endif
                }

                await CreateOrUpdateUserAsync(context.Ticket, userManager, tenant)
                .ConfigureAwait(false);
            }
        }