/// <summary>
        /// When AuthenticationMode is Passive, this is invoked first for every incoming request.
        /// It filters out every request whose path does not match the configured CallbackPath
        /// (e.g. /third-party), so only the callback from the third-party STS is handled here.
        /// The STS redirects the user to this path after authenticating them; because any client
        /// can request the path, the request is only acted on once AuthenticateAsync returns a ticket.
        /// </summary>
        public override async Task <bool> InvokeAsync()
            if (!Options.CallbackPath.HasValue || Options.CallbackPath != Request.Path)

            AuthenticationTicket model = await AuthenticateAsync();

            if (model == null)
                _logger.WriteWarning("Invalid return state, unable to redirect.");
                base.Response.StatusCode = 500;

            var context = new ThirdPartyReturnEndpointContext(base.Context, model)
                SignInAsAuthenticationType = base.Options.SignInAsAuthenticationType,
                RedirectUri = model.Properties.RedirectUri

            model.Properties.RedirectUri = null;
            await base.Options.Provider.ReturnEndpoint(context);

            if (context.SignInAsAuthenticationType != null && context.Identity != null)
                ClaimsIdentity claimsIdentity = context.Identity;
                if (!string.Equals(claimsIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal))
                    claimsIdentity = new ClaimsIdentity(claimsIdentity.Claims, context.SignInAsAuthenticationType, claimsIdentity.NameClaimType, claimsIdentity.RoleClaimType);
                base.Context.Authentication.SignIn(context.Properties, claimsIdentity);
            if (!context.IsRequestCompleted && context.RedirectUri != null)
                if (context.Identity == null)
                    context.RedirectUri = WebUtilities.AddQueryString(context.RedirectUri, "error", "access_denied");