I have three current thoughts on how to do this:
- re-implement AuthenticationService, which uses lots of internal constructors and internal helpers,
- implement custom IIdentity and IPrincipal types and somehow hook these into FormsAuthentication.
- give up and roll my own.
The problem is that we've got web apps and fat client apps using authentication and storing cookies. However, logging out of a web app does not log out of a fat client app, and we have now way of forcing a refreshed cookie, atm.
Found what I needed. Use number 2, implement my own IIdentity, and then implement the FormsAuthentication_OnAuthenticate on Global.asax [1].
[1] http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationmodule.aspx