public async Task <IHttpActionResult> Login(ViewModels.LoginViewModel model) { //if (!this.ModelState.IsValid) //{ // return this.View(model); //} // This doesn't count login failures towards account lockout // To enable password failures to trigger account lockout, change to shouldLockout: true var result = await this.AppSignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout : false); switch (result) { case SignInStatus.Success: var user = await this.AppUserManager.FindByNameAsync(model.Email); var request = HttpContext.Current.Request; var tokenServiceUrl = request.Url.GetLeftPart(UriPartial.Authority) + request.ApplicationPath + "/Token"; using (var client = new HttpClient()) { var requestParams = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("grant_type", "password"), new KeyValuePair <string, string>("username", model.Email), new KeyValuePair <string, string>("password", model.Password) }; var requestParamsFormUrlEncoded = new FormUrlEncodedContent(requestParams); var tokenServiceResponse = await client.PostAsync(tokenServiceUrl, requestParamsFormUrlEncoded); var responseString = await tokenServiceResponse.Content.ReadAsStringAsync(); var responseCode = tokenServiceResponse.StatusCode; var jsSerializer = new System.Web.Script.Serialization.JavaScriptSerializer(); var responseData = jsSerializer.Deserialize <Dictionary <string, string> >(responseString); var authToken = responseData["access_token"]; var userName = responseData["userName"]; // Save bearer token to the database userSessionService.CreateUserSession(userName, authToken); // Cleanup: delete expired sessions from the database userSessionService.DeleteExpiredSessions(); return(Json(new { status = true, token = authToken })); } case SignInStatus.LockedOut: return(Json(new { status = false, error = "Lockout" })); case SignInStatus.RequiresVerification: return(Json(new { status = false, error = "" })); case SignInStatus.Failure: default: this.ModelState.AddModelError("", "Invalid login attempt."); return(Json(new { status = false, error = "Invalid login attempt" })); } }