DotNetOpenAuth OpenID Flow with own authentication server

Updated: 2023-12-03 18:02:46

Just for completeness I thought I'd update this question with my answer.

What I ended up doing was moving the Authorize and Token endpoints into my MVC 4 application rather than having them within the API itself.

This way when calling the Authorize endpoint with a logged in user (thus having an ASP.NET FormsAuthentication cookie present) it is possible to get an authorisation code granted when the request processing hits this code:

        // Consider auto-approving if safe to do so.
        if (((OAuth2AuthorizationServer)this.authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest))
        {
            var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
            return this.authorizationServer.Channel.PrepareResponse(approval).AsActionResult();
        }

Once you have an authorisation code you can then call into the Token endpoint using a WebServerClient instance and calling its RequestUserAuthorization method.

When this calls back you can then call the ProcessUserAuthorization method which will return an IAuthorizationState object with your access token and refresh token.
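
The client side of the flow described in the answer above, as an added example (not code from the original post or from the DotNetOpenAuth project). It uses `PrepareRequestUserAuthorization`, the variant of `RequestUserAuthorization` that returns a response usable as an MVC `ActionResult`; the controller name, endpoint URLs, client id, client secret and scope are all assumed placeholders.

```csharp
using System;
using System.Web.Mvc;
using DotNetOpenAuth.Messaging;   // AsActionResult()
using DotNetOpenAuth.OAuth2;

// Hypothetical client controller; every URL, id, secret and scope here is a placeholder.
public class OAuthClientController : Controller
{
    private static readonly AuthorizationServerDescription ServerDescription =
        new AuthorizationServerDescription
        {
            // Assumed routes of the MVC 4 application that hosts both endpoints.
            AuthorizationEndpoint = new Uri("https://auth.example.test/OAuth/Authorize"),
            TokenEndpoint = new Uri("https://auth.example.test/OAuth/Token"),
        };

    private static WebServerClient CreateClient()
    {
        // Placeholder credentials; load the real secret from protected configuration.
        return new WebServerClient(ServerDescription, "sample-client-id", "sample-client-secret");
    }

    // Step 1: send the browser to the Authorize endpoint with an absolute callback URL.
    public ActionResult Login()
    {
        var callback = new Uri(Url.Action("Callback", "OAuthClient", null, Request.Url.Scheme));
        return CreateClient()
            .PrepareRequestUserAuthorization(new[] { "sample-scope" }, callback)
            .AsActionResult();
    }

    // Step 2: the authorization server redirects back here; the library redeems
    // the authorization code at the Token endpoint inside ProcessUserAuthorization.
    public ActionResult Callback()
    {
        IAuthorizationState state = CreateClient().ProcessUserAuthorization(Request);
        if (state == null || string.IsNullOrEmpty(state.AccessToken))
        {
            // The request carried no usable authorization response.
            return new HttpStatusCodeResult(400, "Authorization was not granted.");
        }

        // Keep tokens server-side; do not write them into URLs or rendered pages.
        Session["access_token"] = state.AccessToken;
        Session["refresh_token"] = state.RefreshToken;
        Session["access_token_expires_utc"] = state.AccessTokenExpirationUtc;
        return RedirectToAction("Index", "Home");
    }
}
```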