Only get dynamic claims if `IsDynamicClaimsEnabled`.

modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AbpOpenIdDictControllerBase.cs

@@ -28,6 +28,7 @@ public abstract class AbpOpenIdDictControllerBase : AbpController
     protected IOpenIddictTokenManager TokenManager => LazyServiceProvider.LazyGetRequiredService<IOpenIddictTokenManager>();
     protected AbpOpenIddictClaimsPrincipalManager OpenIddictClaimsPrincipalManager => LazyServiceProvider.LazyGetRequiredService<AbpOpenIddictClaimsPrincipalManager>();
     protected IAbpClaimsPrincipalFactory AbpClaimsPrincipalFactory => LazyServiceProvider.LazyGetRequiredService<IAbpClaimsPrincipalFactory>();
+    protected IOptions<AbpClaimsPrincipalFactoryOptions> AbpClaimsPrincipalFactoryOptions => LazyServiceProvider.LazyGetRequiredService<IOptions<AbpClaimsPrincipalFactoryOptions>>();
 
     protected AbpOpenIdDictControllerBase()
     {

modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/AuthorizeController.cs

@@ -80,7 +80,22 @@ public class AuthorizeController : AbpOpenIdDictControllerBase
         }
 
         // Retrieve the profile of the logged in user.
-        var dynamicPrincipal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(result.Principal);
+        var dynamicPrincipal = result.Principal;
+        if (AbpClaimsPrincipalFactoryOptions.Value.IsDynamicClaimsEnabled)
+        {
+            dynamicPrincipal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(dynamicPrincipal);
+            if (dynamicPrincipal == null)
+            {
+                return Challenge(
+                    authenticationSchemes: IdentityConstants.ApplicationScheme,
+                    properties: new AuthenticationProperties
+                    {
+                        RedirectUri = Request.PathBase + Request.Path + QueryString.Create(
+                            Request.HasFormContentType ? Request.Form.ToList() : Request.Query.ToList())
+                    });
+            }
+        }
+
         var user = await UserManager.GetUserAsync(dynamicPrincipal);
         if (user == null)
         {

modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.AuthorizationCode.cs

@@ -14,7 +14,20 @@ public partial class TokenController
     {
         // Retrieve the claims principal stored in the authorization code/device code/refresh token.
         var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;
-        principal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(principal);
+        if (AbpClaimsPrincipalFactoryOptions.Value.IsDynamicClaimsEnabled)
+        {
+            principal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(principal);
+            if (principal == null)
+            {
+                return Forbid(
+                    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+                    properties: new AuthenticationProperties(new Dictionary<string, string>
+                    {
+                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The token is no longer valid."
+                    }));
+            }
+        }
         using (CurrentTenant.Change(principal.FindTenantId()))
         {
             // Retrieve the user profile corresponding to the authorization code/refresh token.

modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.DeviceCode.cs

@@ -14,7 +14,20 @@ public partial class TokenController
     {
         // Retrieve the claims principal stored in the authorization code/device code/refresh token.
         var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;
-        principal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(principal);
+        if (AbpClaimsPrincipalFactoryOptions.Value.IsDynamicClaimsEnabled)
+        {
+            principal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(principal);
+            if (principal == null)
+            {
+                return Forbid(
+                    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+                    properties: new AuthenticationProperties(new Dictionary<string, string>
+                    {
+                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The token is no longer valid."
+                    }));
+            }
+        }
         using (CurrentTenant.Change(principal.FindTenantId()))
         {
             // Retrieve the user profile corresponding to the authorization code/refresh token.

modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.RefreshToken.cs

@@ -14,7 +14,20 @@ public partial class TokenController
     {
         // Retrieve the claims principal stored in the authorization code/device code/refresh token.
         var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;
-        principal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(principal);
+        if (AbpClaimsPrincipalFactoryOptions.Value.IsDynamicClaimsEnabled)
+        {
+            principal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(principal);
+            if (principal == null)
+            {
+                return Forbid(
+                    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+                    properties: new AuthenticationProperties(new Dictionary<string, string>
+                    {
+                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The token is no longer valid."
+                    }));
+            }
+        }
         using (CurrentTenant.Change(principal.FindTenantId()))
         {
             // Retrieve the user profile corresponding to the authorization code/refresh token.