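/// <summary>
/// Validates the token carried on the request (if any) and, on success, attaches the
/// resulting <see cref="ClaimsPrincipal"/> to the request, the current thread and the
/// current <see cref="HttpContext"/> before passing the request down the handler chain.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="cancellationToken">Token used to cancel the downstream send.</param>
/// <returns>
/// A completed task holding a <see cref="HttpStatusCode.Forbidden"/> response when token
/// validation throws; otherwise the task returned by the inner handler.
/// </returns>
protected override Task<HttpResponseMessage> SendAsync(
    HttpRequestMessage request,
    CancellationToken cancellationToken)
{
    try
    {
        var token = ExtractTokenFromHeader(request);
        if (token != null)
        {
            // ValidateToken throws when the token cannot be validated. A request with
            // no token skips validation and continues down the chain unauthenticated;
            // downstream authorization is expected to reject it where needed.
            var identities = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
            var principal = new ClaimsPrincipal(identities);

            request.SetUserPrincipal(principal);
            Thread.CurrentPrincipal = principal;

            // HttpContext.Current is null outside IIS hosting (self-host, tests). Without
            // this guard the null dereference was caught below and surfaced to the client
            // as a token failure, masking the real cause.
            var httpContext = HttpContext.Current;
            if (httpContext != null)
            {
                httpContext.User = principal;
            }
        }
    }
    catch (Exception)
    {
        // Any failure during validation is answered with 403 and no detail, so nothing
        // about the token or handler configuration leaks to the caller.
        // NOTE(review): a narrower catch (e.g. SecurityTokenException) would stop
        // configuration errors from being reported as bad credentials, and 401 with a
        // WWW-Authenticate header is the conventional status for an invalid token;
        // both are left unchanged here to keep the client-visible contract stable.
        // Task.FromResult replaces Factory.StartNew: no thread-pool work for a constant.
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Forbidden));
    }

    return base.SendAsync(request, cancellationToken);
}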