Populate Thread.CurrentPrincipal with Client Identity
The controller plumbing should sync Thread.CurrentPrincipal to HttpRequestMessage.GetUserPrincipal().
T.CP is a well established pattern in .NET (e.g. ASP.NET and WCF) and many code bases use it (e.g. IsInRole or PrincipalPermission). When bringing existing library code to WebAPI you will get inconsistent security behavior if this is not correctly set.