From 0c45f2fd2efa3741e1d3bd152e488b8f559bc0df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 5 Feb 2016 03:33:51 +0100
Subject: [PATCH] React to API changes in aspnet-contrib/AspNet.Security.OpenIdConnect.Server

https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/commit/e40483abdd41434f467ef110138585a76b440afd
---
 src/OpenIddict.Core/OpenIddictManager.cs | 21 +++++++++++++------
 .../OpenIddictProvider.Exchange.cs | 10 +++++++--
 src/OpenIddict.Mvc/OpenIddictController.cs | 5 ++++-
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/src/OpenIddict.Core/OpenIddictManager.cs b/src/OpenIddict.Core/OpenIddictManager.cs
index 04dc3c2c..d387f666 100644
--- a/src/OpenIddict.Core/OpenIddictManager.cs
+++ b/src/OpenIddict.Core/OpenIddictManager.cs
@@ -61,7 +61,9 @@ namespace OpenIddict {
                 Options.ClaimsIdentity.UserNameClaimType,
                 Options.ClaimsIdentity.RoleClaimType);
 
-            identity.AddClaim(ClaimTypes.NameIdentifier, await GetUserIdAsync(user), destination: "id_token token");
+            // Note: the name identifier is always included in both identity and
+            // access tokens, even if an explicit destination is not specified.
+            identity.AddClaim(ClaimTypes.NameIdentifier, await GetUserIdAsync(user));
 
             // Resolve the username and the email address associated with the user.
             var username = await GetUserNameAsync(user);
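Review bot: The `ClaimTypes.NameIdentifier` claim on the added line is the only claim in this patch whose destinations are left implicit, and the comment above it documents a behaviour of the server library rather than of this code, so if a later library version stops special-casing that claim the name identifier silently drops out of one of the tokens with nothing here to catch it. Passing the destinations explicitly, as every other claim in this patch now does, keeps that placement a decision made in this file: `identity.AddClaim(ClaimTypes.NameIdentifier, await GetUserIdAsync(user),` / `OpenIdConnectConstants.Destinations.AccessToken,` / `OpenIdConnectConstants.Destinations.IdentityToken);`. If the implicit form is kept deliberately, the comment should at least name the library version whose behaviour it relies on. The same applies to the `context.ClientId` claim in the OpenIddictProvider.Exchange.cs hunk. The enclosing method starts and ends outside this hunk.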
@@ -76,17 +78,23 @@ namespace OpenIddict {
                     throw new InvalidOperationException("The 'email' scope is required.");
                 }
 
-                identity.AddClaim(ClaimTypes.Name, username, destination: "id_token token");
+                identity.AddClaim(ClaimTypes.Name, username,
+                    OpenIdConnectConstants.Destinations.AccessToken,
+                    OpenIdConnectConstants.Destinations.IdentityToken);
             }
 
             // Only add the email address if the "email" scope was granted.
             if (scopes.Contains(OpenIdConnectConstants.Scopes.Email)) {
-                identity.AddClaim(ClaimTypes.Email, email, destination: "id_token token");
+                identity.AddClaim(ClaimTypes.Email, email,
+                    OpenIdConnectConstants.Destinations.AccessToken,
+                    OpenIdConnectConstants.Destinations.IdentityToken);
             }
 
             if (SupportsUserRole && scopes.Contains(OpenIddictConstants.Scopes.Roles)) {
                 foreach (var role in await GetRolesAsync(user)) {
-                    identity.AddClaim(identity.RoleClaimType, role, destination: "id_token token");
+                    identity.AddClaim(identity.RoleClaimType, role,
+                        OpenIdConnectConstants.Destinations.AccessToken,
+                        OpenIdConnectConstants.Destinations.IdentityToken);
                 }
             }
 
@@ -94,8 +102,9 @@ namespace OpenIddict {
                 var identifier = await GetSecurityStampAsync(user);
 
                 if (!string.IsNullOrEmpty(identifier)) {
-                    identity.AddClaim(Options.ClaimsIdentity.SecurityStampClaimType,
-                        identifier, destination: "id_token token");
+                    identity.AddClaim(Options.ClaimsIdentity.SecurityStampClaimType, identifier,
+                        OpenIdConnectConstants.Destinations.AccessToken,
+                        OpenIdConnectConstants.Destinations.IdentityToken);
                 }
             }
 
diff --git a/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs b/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
index 3288867b..c15115e2 100644
--- a/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
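Review bot: The destination pair `OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken` is spelled out three times in this hunk and a fourth time in the security-stamp hunk that follows, so a later decision to keep one of these claims out of the access token has to be applied in four places and is easy to miss in one. If `AddClaim` takes the destinations as `params string[]`, which the two trailing string arguments suggest but the hunk does not show, a single local declared once near the top of the method, `var destinations = new[] { OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken };`, passed as `identity.AddClaim(ClaimTypes.Name, username, destinations);` would make each call a one-liner and keep the destination policy in one place. The enclosing method starts and ends outside this hunk.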
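Review bot: The security-stamp claim on the rewritten lines is routed to the identity token as well as the access token, and an identity token is a JWT the client application decodes, so the current stamp value is presumably readable by every client and not only by the resource server that validates the access token. The pre-patch code already sent it to `id_token token`, so this is not a regression, but now that the destinations are explicit this is the moment to confirm the identity token actually needs the stamp and, if it does not, keep only `OpenIdConnectConstants.Destinations.AccessToken`. Either way a one-line comment stating why the stamp belongs in each token it is sent to would spare the next reader the same question. The enclosing method starts and ends outside this hunk.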
@@ -102,8 +102,14 @@ namespace OpenIddict {
             Debug.Assert(application != null);
 
             var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
-            identity.AddClaim(ClaimTypes.NameIdentifier, context.ClientId, destination: "id_token token");
-            identity.AddClaim(ClaimTypes.Name, await manager.GetDisplayNameAsync(application), destination: "id_token token");
+
+            // Note: the name identifier is always included in both identity and
+            // access tokens, even if an explicit destination is not specified.
+            identity.AddClaim(ClaimTypes.NameIdentifier, context.ClientId);
+
+            identity.AddClaim(ClaimTypes.Name, await manager.GetDisplayNameAsync(application),
+                OpenIdConnectConstants.Destinations.AccessToken,
+                OpenIdConnectConstants.Destinations.IdentityToken);
 
             // Create a new authentication ticket
             // holding the application identity.
diff --git a/src/OpenIddict.Mvc/OpenIddictController.cs b/src/OpenIddict.Mvc/OpenIddictController.cs
index c337c394..92ca328c 100644
--- a/src/OpenIddict.Mvc/OpenIddictController.cs
+++ b/src/OpenIddict.Mvc/OpenIddictController.cs
@@ -152,7 +152,10 @@ namespace OpenIddict.Mvc {
             // the whole delegation chain from the resource server (see ResourceController.cs).
             identity.Actor = new ClaimsIdentity(Options.AuthenticationScheme);
             identity.Actor.AddClaim(ClaimTypes.NameIdentifier, request.ClientId);
-            identity.Actor.AddClaim(ClaimTypes.Name, await Manager.GetDisplayNameAsync(application), destination: "id_token token");
+
+            identity.Actor.AddClaim(ClaimTypes.Name, await Manager.GetDisplayNameAsync(application),
+                OpenIdConnectConstants.Destinations.AccessToken,
+                OpenIdConnectConstants.Destinations.IdentityToken);
 
             // Create a new authentication ticket holding the user identity.
             var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), null, Options.AuthenticationScheme);
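Review bot: The result of `manager.GetDisplayNameAsync(application)` on the new `ClaimTypes.Name` line goes straight into `AddClaim` with no check, so if an application can be registered without a display name the value is null or empty and, assuming `AddClaim` ends up constructing a `System.Security.Claims.Claim`, a null value throws `ArgumentNullException` in the middle of issuing the token instead of simply omitting the claim. A guard shaped like the security-stamp check in OpenIddictManager.cs would keep the failure local to that one claim: `var name = await manager.GetDisplayNameAsync(application);` / `if (!string.IsNullOrEmpty(name)) {` / `identity.AddClaim(ClaimTypes.Name, name, OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken); }`. The same unguarded call appears on the `identity.Actor` line in the OpenIddictController.cs hunk. The enclosing method starts and ends outside this hunk.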