I have a web site and web api project that are secured with OAuth2 using an AD B2C instance.
If I use the MS example project, everything works fine with the bearer token flowing down to the web api and being converted into a ClaimsPrincipal.
On my app, though, the login and token acquisition work fine, but when it arrives at the web api it doesn't get turned into a ClaimsPrincipal, so as far as the api is concerned the caller is not authenticated.
I've done the usual staring at the code and put a simpler test case in my project, with the same (non-)result.
My question is how I can determine where the process is failing. Is there some logging I can turn on, or can I step into the OWIN processes etc. to find out what it doesn't like?