From 27179a007cd92fe1d58024f1c06d3329f9e4e26c Mon Sep 17 00:00:00 2001
From: maliming <malimings@gmail.com>
Date: Fri, 9 Jan 2026 20:52:47 +0800
Subject: [PATCH] Support dynamic client credentials in token introspection

```cs
AddAbpOpenIdConnect("oidc", options =>
{
    //...
    options.ClientId = configuration["AuthServer:ClientId"];
    options.ClientSecret = configuration["AuthServer:ClientSecret"];
    options.UsePkce = true;
    //...

    options.Events.OnTokenResponseReceived = ctx =>
    {
        ctx.Properties?.SetString("client_id", configuration["AuthServer:ClientId"]);
        ctx.Properties?.SetString("client_secret", configuration["AuthServer:ClientSecret"]);
        return Task.CompletedTask;
    };
});
```
---
 .../CookieAuthenticationOptionsExtensions.cs             | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs b/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs
index c37e75ef32..8f78e3292a 100644
--- a/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs
@@ -46,11 +46,14 @@ public static class CookieAuthenticationOptionsExtensions
                 {
                     var openIdConnectOptions = await GetOpenIdConnectOptions(principalContext, oidcAuthenticationScheme);
 
+                    var clientId = principalContext.Properties.GetString("client_id");
+                    var clientSecret = principalContext.Properties.GetString("client_secret");
+
                     var response = await openIdConnectOptions.Backchannel.IntrospectTokenAsync(new TokenIntrospectionRequest
                     {
                         Address = openIdConnectOptions.Configuration?.IntrospectionEndpoint ?? openIdConnectOptions.Authority!.EnsureEndsWith('/') + "connect/introspect",
-                        ClientId = openIdConnectOptions.ClientId!,
-                        ClientSecret = openIdConnectOptions.ClientSecret,
+                        ClientId = clientId ?? openIdConnectOptions.ClientId!,
+                        ClientSecret = clientSecret ?? openIdConnectOptions.ClientSecret,
                         Token = accessToken
                     });
 
@@ -82,7 +85,7 @@ public static class CookieAuthenticationOptionsExtensions
         return options;
     }
 
-    private async static Task<OpenIdConnectOptions> GetOpenIdConnectOptions(CookieValidatePrincipalContext principalContext, string oidcAuthenticationScheme)
+    private static async Task<OpenIdConnectOptions> GetOpenIdConnectOptions(CookieValidatePrincipalContext principalContext, string oidcAuthenticationScheme)
     {
         var openIdConnectOptions = principalContext.HttpContext.RequestServices.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>().Get(oidcAuthenticationScheme);
         var cancellationTokenProvider = principalContext.HttpContext.RequestServices.GetRequiredService<ICancellationTokenProvider>();