c# asp.net .net asp.net-web-api asp.net-identity

Token based login logic change in ASP.NET Identity 2.0


I am building a SPA app using a WebAPI 2 backend. I am using the new ASP.NET Identity 2.0 for authorization and authentication. To log in I call the /Token URL, which returns the token that I use for subsequent API calls. Now all this works fine.

Now I need to make some changes to the login/authentication process where I want to check if email is confirmed and also the user is active (both DB fields) before returning the token. But I am unable to find which method is being called for authorization. I thought it was the GetExternalLogin method in AccountController but it does not seem to be so.

Can someone tell me where I need to change the login logic?


Solution

  • You will need to implement your own UserStore to implement your own authentication logic.
    Refer to this SO question.

    If you don't want to do that, maybe find the function GrantResourceOwnerCredentials in ApplicationOAuthProvider.cs. After this line

    IdentityUser user = await userManager.FindAsync(context.UserName, 
                                                    context.Password); 
    

    you may be able to squeeze in some custom logic like

    if (IsEmailConfirmed(user) == false)
    {
       context.SetError("invalid_grant", "The user name or password is incorrect.");
       return;
    }
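
The two checks from the question (email confirmed, user active) placed in the token endpoint's password grant, as an added example that is not code from the original post or from the ASP.NET template. Assumptions: an `IsActive` property on the user entity, an `ApplicationUserManager` registered per OWIN context, and the hypothetical class name `GatedOAuthProvider`.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Assumption: the "active" DB field from the question is mapped to IsActive.
public class ApplicationUser : IdentityUser
{
    public bool IsActive { get; set; }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }
}

// Hypothetical provider name; plug it into OAuthAuthorizationServerOptions.Provider.
public class GatedOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Password flow from a SPA sends no client credentials.
        if (context.ClientId == null) context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);

        // Account-state checks run only after the password has been verified.
        bool allowed = user != null
            && user.IsActive
            && await userManager.IsEmailConfirmedAsync(user.Id);
        if (!allowed)
        {
            // One message for every failure, so the response does not reveal account state.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}
```

These checks run only when a token is issued: a bearer token handed out before the account was deactivated stays valid until it expires, so keep the access token lifetime short if deactivation must take effect quickly.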