I'm having a lot of difficulty finding answers to a scenario I have to implement using DotNetOpenAuth and a particular flow I have to deal with.

In the graphic below I am in control of both the MVC site and API. The API is both my Authorisation server and my Resource Server.

Username and Password Flow

The process is fairly obvious in a case where the user has created a local account on my system as I'm dealing with user name and password credetials to log them into the site which I can then pass to my Token endpoint and subequently pass to the HandleTokenRequest of my authorisation server in order to get access tokens and refresh tokens for my client to then start accessing resources.

OpenID Flow

The flow that I'm at a loss with currently is if a user decides to log in to my site using their Google credentials (for example). In this scenario how do I grant them access tokens and refresh tokens from my own authorisation server in my API?

What would I include in the request to my API Token endpoint?

I have written my own API client which inherits from the WebServerClient class that is part of the DotNetOpenAuth library.

I have seen that there is an interface provided for handling tokens called IServiceProviderTokenManager but that appears to be used in OpenID provider scenarios and not in an API client implementation like mine so I'm assuming that I need to write a custom class for storing and retrieving my own API tokens on the client side but would like that confirmed as well?

Its worth mentioning that both the web site and the API have complete access to the same security database but only the API has access to the database where any resources are held.

Just for completeness I thought I'd update this question with my answer.

What I ended up doing was moving the Authorize and Token endpoints into my MVC 4 application rather than having them within the API itself.

This way when calling the Authorize endpoint with a logged in user (thus having an ASP.NET FormsAuthentication cookie present) it is possible to get an authorisation code granted when the request processing hits this code:

        // Consider auto-approving if safe to do so.
        if (((OAuth2AuthorizationServer)this.authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest))
        {
            var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
            return this.authorizationServer.Channel.PrepareResponse(approval).AsActionResult();
        }

Once you have an authorisation code you can then call into the Token endpoint using a WebServerClient instance and calling its RequestUserAuthorization method.

When this calls back you can then call the ProcessUserAuthorization method which will return an IAuthorizationState object with your access token and refresh token.