First some background:
You have to store two types of tokens: unauthorized request tokens and access tokens. Unauthorized request tokens must never be associated with a user account. It usually opens up security attacks to associate request tokens with user accounts. Access tokens should be associated with user accounts, obviously, but only after you have received them (don't earmark the request token for a particular user account for once the access token arrives).
With that in mind, StoreNewRequestToken is storing the first type of token, so you shouldn't be trying to do what you're doing! (ha ha, I try to make the API "difficult" to misuse).
Now, you're going to get to implementing the ExpireRequestTokenAndStoreNewAccessToken method and ask the same question, so let me get to that right now. Access tokens, as I said, should be associated with users. You have a couple of options here.
The method I mildly prefer is just to store the access token itself in the table from the ExpireRequestTokenAndStoreNewAccessToken method, not yet associated with a user account. Now this method gets called as a result of your call to (Web/Desktop)Consumer.ProcessUserAuthorization(...), which itself returns the access token. When this method returns, you're back on your web page, and the web page knows who the user is, so it can then make the association in the database between user and access token.
Your other option is that, since you actually also have the user context available from your ExpireRequestTokenAndStoreNewAccessToken implementation, you can actually make the user association there. Just use HttpContext.Current.User to find out who's logged into your web site and associate the access token.
Hope this helps.
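
The storage rule from the reply above (request tokens never carry a user, access tokens get one only after they arrive), as an added example that is not part of the original post or of the library's code. The method names come from the post; their simplified string parameters, the TokenTable, TokenRow and TokenKind types, and the AssociateAccessTokenWithUser helper are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example: in-memory stand-in for a token table (simplified, assumed signatures).
public enum TokenKind { UnauthorizedRequest, Access }

public sealed class TokenRow {
    public string Secret;
    public TokenKind Kind;
    public string UserName;   // stays null for every request token
}

public sealed class TokenTable {
    private readonly Dictionary<string, TokenRow> rows = new Dictionary<string, TokenRow>();

    // Request tokens are stored with no user attached.
    public void StoreNewRequestToken(string requestToken, string secret) {
        rows[requestToken] = new TokenRow { Secret = secret, Kind = TokenKind.UnauthorizedRequest };
    }

    // The request token row is deleted; nothing from it carries over to the access token.
    public void ExpireRequestTokenAndStoreNewAccessToken(string requestToken, string accessToken, string accessTokenSecret) {
        TokenRow old;
        if (!rows.TryGetValue(requestToken, out old) || old.Kind != TokenKind.UnauthorizedRequest)
            throw new InvalidOperationException("Unknown or already used request token.");
        rows.Remove(requestToken);
        rows[accessToken] = new TokenRow { Secret = accessTokenSecret, Kind = TokenKind.Access };
    }

    // Hypothetical helper: the page calls this after ProcessUserAuthorization returns.
    public void AssociateAccessTokenWithUser(string accessToken, string userName) {
        TokenRow row;
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("A logged-in user is required.", "userName");
        if (!rows.TryGetValue(accessToken, out row) || row.Kind != TokenKind.Access)
            throw new InvalidOperationException("Only access tokens may be bound to a user.");
        if (row.UserName != null && row.UserName != userName)
            throw new InvalidOperationException("Access token already belongs to another user.");
        row.UserName = userName;
    }
}

public static class Demo {
    public static void Main() {
        var table = new TokenTable();
        table.StoreNewRequestToken("req-1", "s1");   // constructed sample values
        table.ExpireRequestTokenAndStoreNewAccessToken("req-1", "acc-1", "s2");
        table.AssociateAccessTokenWithUser("acc-1", "alice");
    }
}
```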