I just migrated my web app (ASP.NET MVC) to ASP Identity.
Everything works fine after quite some work, except the API which the web app provides. This is a Web API 2, and it is using the bearer token mechanism to authenticate users. The authentication itself also works fine, but when a user is locked out, the token for the user is still issued via the API token endpoint.
Is there a suggested way to handle this? I did not find any example...
Ok, that was a stupid one... I see more clearly now :)
I had it in front of my eyes all the time: the Web API 2 template includes a class "ApplicationOAuthProvider". This one allows several places to intercept the pipe... I chose the method "GrantResourceOwnerCredentials", which was already overridden, and there I checked if the user is locked out, directly after the password check.
Sorry, hope it helps someone.
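
A sketch of such a lockout check in `GrantResourceOwnerCredentials`, added here as an example and not the poster's or the template's own code. It assumes the `ApplicationUser` and `ApplicationUserManager` classes generated by the Web API 2 template, and it goes slightly beyond the post by checking lockout before the password and by counting failed attempts at the token endpoint.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Assumption: ApplicationUser and ApplicationUserManager are the classes
// generated by the Web API 2 project template.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // Look the user up by name first so lockout state is evaluated
        // independently of whether the supplied password is correct.
        ApplicationUser user = await userManager.FindByNameAsync(context.UserName);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Refuse to issue a token while the account is locked out.
        // The description is returned to the caller; use the generic message
        // instead if the lockout state should not be disclosed.
        if (await userManager.IsLockedOutAsync(user.Id))
        {
            context.SetError("invalid_grant", "The account is locked out.");
            return;
        }

        if (!await userManager.CheckPasswordAsync(user, context.Password))
        {
            // Count the failure so repeated bad passwords at the token
            // endpoint trigger lockout (when lockout is enabled for the user).
            await userManager.AccessFailedAsync(user.Id);
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        await userManager.ResetAccessFailedCountAsync(user.Id);
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(
            user, OAuthDefaults.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}
```

Tokens issued before the lockout remain valid until they expire, so this check only stops new tokens from being granted.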