public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { string id; long? userId; var error = string.Empty; context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" }); //tells browsers whether to expose the response to frontend JavaScript code var username = context.UserName; //EnforceEncodingInteroperability(ref username); //byte[] userPassword = Convert.FromBase64String(context.Password); using (AuthorizationRepository _repo = new AuthorizationRepository()) { var userAuthInfo = _repo.ValidateSession(username); id = userAuthInfo.Id; userId = userAuthInfo.UserId; if (userId < 0) { error = "Invalid username"; goto ErrorHandling; } var incoming = AuthorizationUtils.Hash(context.Password, userAuthInfo.Salt); if (!(AuthorizationUtils.SlowEquals(incoming, userAuthInfo.Password))) { error = "Invalid username and or password"; goto ErrorHandling; } } var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, string.Format("{0}:{1}:{2}", id, username, userId))); identity.AddClaim(new Claim(ClaimTypes.Role, "user")); context.Validated(identity); LogManager.WriteLog(string.Format("{0}/{1}", username, context.Password), JsonConvert.SerializeObject(context.OwinContext.Request.Headers.Values), null, null, "OK", string.Format("{0}:{1}", id, context.UserName)).Forget(); return; ErrorHandling: context.SetError("invalid_grant", error); LogManager.WriteLog(string.Format("{0}/{1}", username, context.Password), JsonConvert.SerializeObject(context.OwinContext.Request.Headers.Values), null, null, "BadRequest", error).Forget(); return; }