So recently I started looking at using WebAPI2, and well, the documentation on what's really going on here sucks. My goal here is to allow a user to log in via OAuth2, pull the access token and the refresh token, and handle them safely. This post is really just a place for me to take notes as I dig into this.

Firstly, this is nontrivial in Microsoft's implementation. After digging into this, I must ask if they even thought about how this would be done. From what I can tell, they are expecting that if you want to get extra information from a provider, you do it in the OnAuthenticated method on the AuthenticationProvider, and then add it to the claim. And if that's all you need, by all means, do that.

Step one: Requesting the Token

For Google we need to include the access type of offline in our request. It was talked about on the Katana Project at "GoogleOAuth2Authentication never really get RefreshToken".

So given that bit of info we know...
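One way to wire up the two pieces described above, as an added example that is not code from the original post or from the Katana project: it appends access_type=offline to the Google redirect and captures the tokens in OnAuthenticated, handing them to a server-side store instead of adding them to the claims. It assumes a Microsoft.Owin.Security.Google version that exposes OnApplyRedirect; ITokenStore, GoogleAuthConfig and the client ID and secret placeholders are hypothetical names introduced for the illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Google;
using Owin;

// Hypothetical server-side store (not a Katana type). An implementation should
// encrypt tokens at rest and keep an existing refresh token when passed null.
public interface ITokenStore
{
    Task SaveAsync(string userId, string accessToken,
                   string refreshToken, DateTimeOffset? expiresUtc);
}

public static class GoogleAuthConfig
{
    public static void Configure(IAppBuilder app, ITokenStore store)
    {
        var options = new GoogleOAuth2AuthenticationOptions
        {
            ClientId = "YOUR_CLIENT_ID",         // placeholder
            ClientSecret = "YOUR_CLIENT_SECRET", // placeholder, load from protected config
            Provider = new GoogleOAuth2AuthenticationProvider
            {
                // RedirectUri already carries the authorization query string,
                // so the extra parameter is appended with '&'.
                OnApplyRedirect = ctx =>
                    ctx.Response.Redirect(ctx.RedirectUri + "&access_type=offline"),

                OnAuthenticated = async ctx =>
                {
                    DateTimeOffset? expiresUtc = ctx.ExpiresIn.HasValue
                        ? DateTimeOffset.UtcNow.Add(ctx.ExpiresIn.Value)
                        : (DateTimeOffset?)null;

                    // RefreshToken is null when Google did not issue one
                    // for this sign-in (it is normally sent on first consent only).
                    // Tokens go to the store keyed by the Google user id; they are
                    // not added to ctx.Identity, so they never enter the auth cookie.
                    await store.SaveAsync(ctx.Id, ctx.AccessToken,
                                          ctx.RefreshToken, expiresUtc);
                }
            }
        };

        app.UseGoogleAuthentication(options);
    }
}
```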