When the cookie security stamp is refreshed during a /connect/authorize
request, OpenIddictClaimsPrincipalContributor stamps the ambient request's
client_id onto the principal that is written back to the interactive
authentication cookie. From then on ICurrentClient.Id resolves to that client
for every later cookie-authenticated request, corrupting audit-log client
attribution.

The contributor cannot tell whether the principal it contributes to is destined
for a token (correct) or for the cookie being refreshed (wrong), so strip
client_id at the only point where the cookie is actually re-written: the
security-stamp OnRefreshingPrincipal callback. This never runs for token
issuance, so the token path is untouched, and chaining the removal after the
existing AbpSecurityStampValidatorCallback.UpdatePrincipal lets already-corrupted
cookies self-heal on their next refresh.

Adds Volo.Abp.OpenIddict.AspNetCore.Tests covering the removal and the callback
composition order.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
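
The callback composition described in the commit message above, as an added sketch that is not the project's own code. It uses ASP.NET Core Identity's `SecurityStampValidatorOptions.OnRefreshingPrincipal`; the class and method names, the stand-in "existing" callback, and the sample claim values are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public static class CookieClientIdCleanup // hypothetical name
{
    private const string ClientIdClaim = "client_id";

    // Removes every client_id claim from every identity on the principal.
    public static void RemoveClientId(ClaimsPrincipal? principal)
    {
        if (principal is null) return;
        foreach (var identity in principal.Identities)
            foreach (var claim in identity.FindAll(ClientIdClaim).ToList())
                identity.TryRemoveClaim(claim);
    }

    // Runs the already-registered callback first, then strips client_id, so a
    // claim carried over from the old cookie is removed as well.
    public static void ChainAfterExisting(SecurityStampValidatorOptions options)
    {
        var existing = options.OnRefreshingPrincipal;
        options.OnRefreshingPrincipal = async context =>
        {
            if (existing is not null) await existing(context);
            RemoveClientId(context.NewPrincipal);
        };
    }

    // Constructed sample principal: a cookie identity already stamped with a client_id.
    private static ClaimsPrincipal StampedCookie() => new(new ClaimsIdentity(
        new[] { new Claim("sub", "user-1"), new Claim(ClientIdClaim, "SampleClient") },
        "Identity.Application"));

    public static async Task Main()
    {
        // Hypothetical stand-in for an existing callback that copies claims from the old cookie.
        var options = new SecurityStampValidatorOptions { OnRefreshingPrincipal = ctx =>
        {
            foreach (var c in ctx.CurrentPrincipal!.FindAll(ClientIdClaim))
                ctx.NewPrincipal!.Identities.First().AddClaim(new Claim(c.Type, c.Value));
            return Task.CompletedTask;
        } };
        ChainAfterExisting(options);
        var context = new SecurityStampRefreshingPrincipalContext
            { CurrentPrincipal = StampedCookie(), NewPrincipal = StampedCookie() };
        await options.OnRefreshingPrincipal!(context);
        // Reports whether any client_id claim survived the refresh.
        Console.WriteLine(context.NewPrincipal!.HasClaim(c => c.Type == ClientIdClaim));
    }
}
```

Reversing the order in `ChainAfterExisting` would let the earlier callback re-add the claim after the removal, which is why the composition order is worth a test.
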
Introduces `IsAvailableAsync()` to `IResourcePermissionManagementProvider` and `IResourcePermissionProviderKeyLookupService`, allowing providers to opt out in certain contexts.
`ResourcePermissionManager` respects this flag in permission checks, writes, and UI lookup service listing.
OpenIddict and IdentityServer client providers override `IsAvailableAsync()` to return `false` when the current context is a tenant (host-only concept).

Introduces an abstract base class for seeding OpenIddict applications and scopes. Provides helper methods for creating or updating OpenIddict applications and scopes, including validation and permission assignment logic.