I'm using Web API 2 and OWIN. I'm using Bearer tokens from Identity Server 3.
When I call a GET action passing a valid access token, in the constructor, the IPrincipal (this.User) is not yet authenticated and is of type WindowsPrincipal. He's authenticated fine in the Action, just not the constructor. I've read that the principal isn't set until Init is called, which is fine, but the next point confused me.
When I call a POST action passing a valid access token, in the constructor, the IPrincipal (this.User) is authenticated and is of type ClaimsPrincipal.
What is the reason for this? I'm not using anything custom as middleware- everything is out of the box as it gets with IdSrv, OWIN, and Web API.
Thanks, Tom