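/// <summary>
/// Handles an incoming refresh token (grant_type=refresh_token): sets the client's CORS
/// origin header, looks up the stored token by its hash and, when found, rebuilds the
/// authentication ticket from the stored protected ticket and removes the stored token so
/// it can only be presented once.
/// </summary>
/// <param name="context">OWIN token-receive context carrying the raw refresh token id
/// (<c>context.Token</c>) and the OWIN request/response.</param>
/// <returns>A task that completes once the lookup (and, if found, the removal) has finished.</returns>
public async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
{
    // The header has to be set here too: GrantResourceOwnerCredentials (where it is normally
    // set) is never executed when the access token is requested with a refresh token.
    var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin");
    if (!string.IsNullOrEmpty(allowedOrigin))
    {
        // A null/empty stored origin would otherwise be written out as an empty header value.
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });
    }

    // A missing token cannot match a stored one; return without deserializing a ticket so the
    // middleware rejects the grant instead of this method faulting on a null hash input.
    if (string.IsNullOrEmpty(context.Token))
    {
        return;
    }

    // Only the hash of the refresh token id is kept in "RefreshTokens": hash the presented id
    // the same way, and if it is found use the stored protected ticket (a signed, serialized
    // ticket) to rebuild the ticket and identities for the user mapped to this token.
    string hashedTokenId = Core.Utility.Authentication.AuthHelper.GetHash(context.Token);
    WebApiService service = new WebApiService();
    var refreshToken = await service.FindRefreshToken(hashedTokenId);
    if (refreshToken == null)
    {
        return;
    }

    // Rebuild the ticket from the protected ticket stored with the refresh token.
    context.DeserializeTicket(refreshToken.ProtectedTicket);

    // One refresh token per user and client: the presented token is consumed on use.
    // NOTE(review): find-then-remove is not atomic here; two concurrent requests presenting
    // the same token could both pass the lookup — confirm the store enforces single use.
    await service.RemoveRefreshToken(hashedTokenId);
}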