private async Task OnPrincipalCreated(PrincipalCreatedEventArgs args)
        {
            var principal = new SentinelPrincipal(args.Principal);

            // Add name identifier claim to support MVC AntiForgeryToken
            principal.Identity.AddClaim(ClaimTypes.NameIdentifier, principal.Identity.Name);

            // Replace principal to make Sentinel use the new principal for the access token
            args.Principal = principal;
        }
        /// <summary>
        /// Called when a request to the Token endpoint arrives with a "grant_type" of "refresh_token". This occurs if your application has issued a "refresh_token" 
        ///             along with the "access_token", and the client is attempting to use the "refresh_token" to acquire a new "access_token", and possibly a new "refresh_token".
        ///             To issue a refresh token the an Options.RefreshTokenProvider must be assigned to create the value which is returned. The claims and properties 
        ///             associated with the refresh token are present in the context.Ticket. The application must call context.Validated to instruct the 
        ///             Authorization Server middleware to issue an access token based on those claims and properties. The call to context.Validated may 
        ///             be given a different AuthenticationTicket or ClaimsIdentity in order to control which information flows from the refresh token to 
        ///             the access token. The default behavior when using the OAuthAuthorizationServerProvider is to flow information from the refresh token to 
        ///             the access token unmodified.
        ///             See also http://tools.ietf.org/html/rfc6749#section-6
        /// </summary>
        /// <param name="context">The context of the event carries information in and results out.</param>
        /// <returns>
        /// Task to enable asynchronous execution
        /// </returns>
        public override async Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
        {
            this.options.Logger.Debug("Authenticating refresh token flow");

            var user = new SentinelPrincipal(context.Ticket.Identity);

            // Add grant type claim
            user.Identity.RemoveClaim(x => x.Type == ClaimType.GrantType);
            user.Identity.AddClaim(ClaimType.GrantType, GrantType.RefreshToken);

            // Activate event if subscribed to
            if (this.options.Events.PrincipalCreated != null)
            {
                var args = new PrincipalCreatedEventArgs(user, context);

                await this.options.Events.PrincipalCreated(args);

                user = new SentinelPrincipal(args.Principal);
            }

            context.Validated(user.Identity.AsClaimsIdentity());
        }
        /// <summary>
        /// Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password
        /// credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and
        /// optional "refresh_token". If the web application supports the
        /// resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an
        /// access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated
        /// with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers.
        /// The default behavior is to reject this grant type.
        /// See also http://tools.ietf.org/html/rfc6749#section-4.3.2
        /// </summary>
        /// <param name="context">The context of the event carries information in and results out.</param>
        /// <returns>Task to enable asynchronous execution</returns>
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            this.options.Logger.DebugFormat("Authenticating resource owner flow for user '{0}'", Regex.Escape(context.UserName));

            var user = await this.options.UserManager.AuthenticateUserWithPasswordAsync(context.UserName, context.Password);

            if (!user.Identity.IsAuthenticated)
            {
                context.Rejected();

                this.options.Logger.WarnFormat("User '{0}' was not authenticated", Regex.Escape(context.UserName));

                return;
            }

            // Add oauth claims
            user.Identity.AddClaim(ClaimType.Client, context.ClientId);
            user.Identity.RemoveClaim(x => x.Type == ClaimType.GrantType);
            user.Identity.AddClaim(ClaimType.GrantType, GrantType.Password);

            // Activate event if subscribed to
            if (this.options.Events.PrincipalCreated != null)
            {
                var args = new PrincipalCreatedEventArgs(user, context);

                await this.options.Events.PrincipalCreated(args);

                user = new SentinelPrincipal(args.Principal);
            }

            // Convert to proper authentication type
            var principal = this.options.PrincipalProvider.Create(context.Options.AuthenticationType, user.Identity.Claims.ToArray());

            // Validate ticket
            var ticket = new AuthenticationTicket(principal.Identity.AsClaimsIdentity(), new AuthenticationProperties());

            context.Validated(ticket);

            this.options.Logger.DebugFormat("User '{0}' was successfully authenticated", Regex.Escape(context.UserName));
        }