I essentially have the setup described here: http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx
The trouble is, if a user's roles are modified after receiving a token, the change is not reflected unless the user logs in again and receives a new token.
In other words, unless the user requests a new token (logs in again), HttpContext.Current.User.IsInRole("ABC") returns true, even though the AspNetUserRoles table shows that user does NOT have that role.
How can I update (or perhaps invalidate?) the token when changes are made to the AspNetUserRoles table?
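The behaviour described in the question, as an added example that is not part of the original post: the roles are copied into the token's claims at issuance, so `IsInRole` is answered from that copy rather than from the table. `RoleStore` (an in-memory stand-in for the AspNetUserRoles table) and `IsInCurrentRole` are hypothetical names, and the per-request store lookup is one possible check, not the linked article's method.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed stand-in for the AspNetUserRoles table (user id -> current roles).
static class RoleStore
{
    public static readonly Dictionary<string, HashSet<string>> Roles =
        new Dictionary<string, HashSet<string>> { ["user-1"] = new HashSet<string> { "ABC" } };

    public static bool HasRole(string userId, string role) =>
        Roles.TryGetValue(userId, out var set) && set.Contains(role);
}

static class Program
{
    // What token issuance does: copy the roles held at that moment into claims.
    static ClaimsPrincipal IssuePrincipal(string userId)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, userId) };
        claims.AddRange(RoleStore.Roles[userId].Select(r => new Claim(ClaimTypes.Role, r)));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
    }

    // Hypothetical per-request check: trust the token for identity only and
    // read the role from the store, so a revocation applies on the next request.
    static bool IsInCurrentRole(ClaimsPrincipal user, string role)
    {
        var id = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return id != null && RoleStore.HasRole(id, role);
    }

    static void Main()
    {
        var user = IssuePrincipal("user-1");      // login: token minted while the user holds ABC
        RoleStore.Roles["user-1"].Remove("ABC");  // role removed after the token was issued

        // Evaluated against the claims copied at issuance (the stale view).
        Console.WriteLine(user.IsInRole("ABC"));
        // Evaluated against the store's current state.
        Console.WriteLine(IsInCurrentRole(user, "ABC"));
    }
}
```

The trade-off is one store lookup per authorized request.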