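/// <summary>
/// Authenticates and authorizes an incoming request from the bearer access token in its
/// Authorization header, installing the resulting principal on the current HTTP context and thread.
/// </summary>
/// <param name="request">The request whose Authorization header, URL and HTTP method are checked.</param>
/// <param name="error">
/// Set to <c>null</c> when access is granted; otherwise an <see cref="OAuthError"/> describing why the
/// request was rejected (missing/unreadable token, or authorization denied).
/// </param>
/// <returns><c>true</c> if the token validated and the claims authorization manager granted access; otherwise <c>false</c>.</returns>
/// <remarks>
/// Exceptions thrown by the token handlers (e.g. an expired or badly signed token rejected by
/// <c>ValidateToken</c>) are not caught here and propagate to the caller, as in the original implementation.
/// The access token itself is deliberately never echoed into <paramref name="error"/>: error descriptions may be
/// returned to the client or written to logs, and the token is a bearer credential.
/// </remarks>
private bool ValidateRequest(HttpRequest request, out OAuthError error)
{
    error = null;

    string accessToken = OAuthHelper.ExtractAcessTokenFromAuthenticateHeader(request);
    if (string.IsNullOrEmpty(accessToken))
    {
        // No bearer token at all: reject without touching the token handlers.
        error = new OAuthError { Error = OAuthErrorCodes.UnauthorizedClient, ErrorDescription = "Unauthorized" };
        return false;
    }

    // The token handlers consume XML, so wrap the raw string in a <stringToken> element.
    // The token value is entity-encoded so that a crafted token cannot inject markup into the wrapper.
    string xmlToken = string.Format("<stringToken>{0}</stringToken>", HttpUtility.HtmlEncode(accessToken));

    SecurityToken token;
    using (var stringReader = new StringReader(xmlToken))
    using (XmlReader reader = XmlReader.Create(stringReader))
    {
        if (!this.ServiceConfiguration.SecurityTokenHandlers.CanReadToken(reader))
        {
            // Previously the code set the error but still fell through to ReadToken/ValidateToken with a reader
            // no handler accepts. Fail fast instead, and do not include the token in the description.
            error = new OAuthError
            {
                Error = OAuthErrorCodes.InvalidRequest,
                ErrorDescription = "Cannot read token. If you are using SWT, make sure to configure SimpleWebTokenHandler."
            };
            return false;
        }

        token = this.ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader);
    }

    // Signature/lifetime/audience checks happen inside ValidateToken; failures surface as exceptions (see remarks).
    var identities = this.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);

    // Use the request being validated for the resource URI in both the authentication and authorization steps,
    // rather than mixing it with HttpContext.Current.Request.
    string resourceUri = request.Url.AbsoluteUri;
    IClaimsPrincipal principal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate(
        resourceUri,
        new ClaimsPrincipal(identities));

    HttpContext.Current.User = principal;
    Thread.CurrentPrincipal = principal;

    bool access = ServiceConfiguration.ClaimsAuthorizationManager.CheckAccess(
        new AuthorizationContext(principal, resourceUri, request.HttpMethod));
    if (!access)
    {
        error = new OAuthError { Error = OAuthErrorCodes.UnauthorizedClient, ErrorDescription = "Unauthorized" };
    }

    return access;
}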