Introduce the first bits of the OpenIddict client

OpenIddict.sln

@@ -11,9 +11,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{5FC71D6A-A
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict", "src\OpenIddict\OpenIddict.csproj", "{80A8D6CE-C29A-4602-9844-D51FEF9C33C8}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Mvc.Client", "sandbox\Mvc.Client\Mvc.Client.csproj", "{96B22EB9-771A-4DCA-B828-E6EA2774CF1B}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Sandbox.AspNetCore.Client", "sandbox\OpenIddict.Sandbox.AspNetCore.Client\OpenIddict.Sandbox.AspNetCore.Client.csproj", "{96B22EB9-771A-4DCA-B828-E6EA2774CF1B}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Mvc.Server", "sandbox\Mvc.Server\Mvc.Server.csproj", "{7CBEAFD2-E3D0-4424-9B78-E87AB52327A6}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Sandbox.AspNetCore.Server", "sandbox\OpenIddict.Sandbox.AspNetCore.Server\OpenIddict.Sandbox.AspNetCore.Server.csproj", "{7CBEAFD2-E3D0-4424-9B78-E87AB52327A6}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.EntityFrameworkCore", "src\OpenIddict.EntityFrameworkCore\OpenIddict.EntityFrameworkCore.csproj", "{D2450929-ED0E-420D-B475-327924F9701C}"
 EndProject
@@ -111,6 +111,12 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Quartz", "src\Op
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Quartz.Tests", "test\OpenIddict.Quartz.Tests\OpenIddict.Quartz.Tests.csproj", "{01420929-33B8-4B60-A618-8C8B5F139630}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Client", "src\OpenIddict.Client\OpenIddict.Client.csproj", "{A5654E58-18D3-4148-B210-F4637AD57D48}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Client.AspNetCore", "src\OpenIddict.Client.AspNetCore\OpenIddict.Client.AspNetCore.csproj", "{C92FB132-96A7-47C5-BBC2-0FC3EF4E0205}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIddict.Client.SystemNetHttp", "src\OpenIddict.Client.SystemNetHttp\OpenIddict.Client.SystemNetHttp.csproj", "{00E19194-427A-42BC-BC72-519CF9C2B7D1}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -257,6 +263,18 @@ Global
 		{01420929-33B8-4B60-A618-8C8B5F139630}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{01420929-33B8-4B60-A618-8C8B5F139630}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{01420929-33B8-4B60-A618-8C8B5F139630}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A5654E58-18D3-4148-B210-F4637AD57D48}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A5654E58-18D3-4148-B210-F4637AD57D48}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A5654E58-18D3-4148-B210-F4637AD57D48}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A5654E58-18D3-4148-B210-F4637AD57D48}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C92FB132-96A7-47C5-BBC2-0FC3EF4E0205}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{C92FB132-96A7-47C5-BBC2-0FC3EF4E0205}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C92FB132-96A7-47C5-BBC2-0FC3EF4E0205}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{C92FB132-96A7-47C5-BBC2-0FC3EF4E0205}.Release|Any CPU.Build.0 = Release|Any CPU
+		{00E19194-427A-42BC-BC72-519CF9C2B7D1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{00E19194-427A-42BC-BC72-519CF9C2B7D1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{00E19194-427A-42BC-BC72-519CF9C2B7D1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{00E19194-427A-42BC-BC72-519CF9C2B7D1}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -297,6 +315,9 @@ Global
 		{D94B10D3-3DD3-4829-B305-17C48833AB33} = {5FC71D6A-A994-4F62-977F-88A7D25379D7}
 		{FD150A90-1997-45C7-9EBE-7C6E62E464E8} = {D544447C-D701-46BB-9A5B-C76C612A596B}
 		{01420929-33B8-4B60-A618-8C8B5F139630} = {5FC71D6A-A994-4F62-977F-88A7D25379D7}
+		{A5654E58-18D3-4148-B210-F4637AD57D48} = {D544447C-D701-46BB-9A5B-C76C612A596B}
+		{C92FB132-96A7-47C5-BBC2-0FC3EF4E0205} = {D544447C-D701-46BB-9A5B-C76C612A596B}
+		{00E19194-427A-42BC-BC72-519CF9C2B7D1} = {D544447C-D701-46BB-9A5B-C76C612A596B}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {A710059F-0466-4D48-9B3A-0EF4F840B616}

Packages.props

@@ -5,8 +5,9 @@
     <PackageReference Update="EntityFramework" Version="6.4.4" />
     <PackageReference Update="MartinCostello.Logging.XUnit" Version="0.1.0" />
     <PackageReference Update="Microsoft.Bcl.HashCode" Version="1.1.1" />
-    <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.14.1" />
-    <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.14.1" />
+    <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.16.0" />
+    <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.16.0" />
+    <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="6.16.0" />
     <PackageReference Update="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.0" />
     <PackageReference Update="Microsoft.Owin.Security" Version="4.2.0" />
     <PackageReference Update="Microsoft.Owin.Testing" Version="4.2.0" />

sandbox/Mvc.Client/Controllers/AuthenticationController.cs

@@ -1,26 +0,0 @@
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.Cookies;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.AspNetCore.Mvc;
-
-namespace Mvc.Client.Controllers;
-
-public class AuthenticationController : Controller
-{
-    [HttpGet("~/login")]
-    public ActionResult LogIn()
-    {
-        // Instruct the OIDC client middleware to redirect the user agent to the identity provider.
-        // Note: the authenticationType parameter must match the value configured in Startup.cs
-        return Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectDefaults.AuthenticationScheme);
-    }
-
-    [HttpGet("~/logout"), HttpPost("~/logout")]
-    public ActionResult LogOut()
-    {
-        // Instruct the cookies middleware to delete the local cookie created when the user agent
-        // is redirected from the identity provider after a successful authorization flow and
-        // to redirect the user agent to the identity provider to sign out.
-        return SignOut(CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme);
-    }
-}

sandbox/Mvc.Client/Startup.cs

@@ -1,79 +0,0 @@
-using Microsoft.AspNetCore.Authentication.Cookies;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
-
-namespace Mvc.Client;
-
-public class Startup
-{
-    public void ConfigureServices(IServiceCollection services)
-    {
-        services.AddAuthentication(options =>
-        {
-            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-        })
-
-        .AddCookie(options =>
-        {
-            options.LoginPath = "/login";
-            options.ExpireTimeSpan = TimeSpan.FromMinutes(50);
-            options.SlidingExpiration = false;
-        })
-
-        .AddOpenIdConnect(options =>
-        {
-            // Note: these settings must match the application details
-            // inserted in the database at the server level.
-            options.ClientId = "mvc";
-            options.ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654";
-
-            options.RequireHttpsMetadata = false;
-            options.GetClaimsFromUserInfoEndpoint = true;
-            options.SaveTokens = true;
-
-            // Use the authorization code flow.
-            options.ResponseType = OpenIdConnectResponseType.Code;
-            options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
-
-            // Note: setting the Authority allows the OIDC client middleware to automatically
-            // retrieve the identity provider's configuration and spare you from setting
-            // the different endpoints URIs or the token validation parameters explicitly.
-            options.Authority = "https://localhost:44395/";
-
-            options.Scope.Add("email");
-            options.Scope.Add("roles");
-            options.Scope.Add("offline_access");
-            options.Scope.Add("demo_api");
-
-            // Disable the built-in JWT claims mapping feature.
-            options.MapInboundClaims = false;
-
-            options.TokenValidationParameters.NameClaimType = "name";
-            options.TokenValidationParameters.RoleClaimType = "role";
-
-            options.AccessDeniedPath = "/";
-        });
-
-        services.AddHttpClient();
-
-        services.AddControllersWithViews();
-    }
-
-    public void Configure(IApplicationBuilder app)
-    {
-        app.UseDeveloperExceptionPage();
-
-        app.UseStaticFiles();
-
-        app.UseRouting();
-
-        app.UseAuthentication();
-        app.UseAuthorization();
-
-        app.UseEndpoints(options =>
-        {
-            options.MapControllers();
-            options.MapDefaultControllerRoute();
-        });
-    }
-}

sandbox/Mvc.Server/Views/_ViewImports.cshtml

@@ -1,8 +0,0 @@
-@using Mvc.Server
-@using Mvc.Server.Models
-@using Mvc.Server.ViewModels.Account
-@using Mvc.Server.ViewModels.Authorization
-@using Mvc.Server.ViewModels.Manage
-@using Mvc.Server.ViewModels.Shared
-@using Microsoft.AspNetCore.Identity
-@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/AuthenticationController.cs

@@ -0,0 +1,139 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Client.AspNetCore;
+using static OpenIddict.Abstractions.OpenIddictConstants;
+
+namespace OpenIddict.Sandbox.AspNetCore.Client.Controllers;
+
+public class AuthenticationController : Controller
+{
+    [HttpGet("~/login")]
+    public ActionResult LogIn(string returnUrl)
+    {
+        var properties = new AuthenticationProperties(new Dictionary<string, string>
+        {
+            // Note: when only one client is registered in the client options,
+            // setting the issuer property is not required and can be omitted.
+            [OpenIddictClientAspNetCoreConstants.Properties.Issuer] = "https://localhost:44395/"
+        })
+        {
+            // Only allow local return URLs to prevent open redirect attacks.
+            RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"
+        };
+
+        // Ask the OpenIddict client middleware to redirect the user agent to the identity provider.
+        return Challenge(properties, OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);
+    }
+
+    [HttpGet("~/signin-oidc"), HttpPost("~/signin-oidc")]
+    public async Task<ActionResult> Callback()
+    {
+        // Retrieve the authorization data validated by OpenIddict as part of the callback handling.
+        var result = await HttpContext.AuthenticateAsync(OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);
+
+        // Multiple strategies exist to handle OAuth 2.0/OpenID Connect callbacks, each with their pros and cons:
+        //
+        //   * Directly using the tokens to perform the necessary action(s) on behalf of the user, which is suitable
+        //     for applications that don't need a long-term access to the user's resources or don't want to store
+        //     access/refresh tokens in a database or in an authentication cookie (which has security implications).
+        //     It is also suitable for applications that don't need to authenticate users but only need to perform
+        //     action(s) on their behalf by making API calls using the access tokens returned by the remote server.
+        //
+        //   * Storing the external claims/tokens in a database (and optionally keeping the essentials claims in an
+        //     authentication cookie so that cookie size limits are not hit). For the applications that use ASP.NET
+        //     Core Identity, the UserManager.SetAuthenticationTokenAsync() API can be used to store external tokens.
+        //
+        //     Note: in this case, it's recommended to use column encryption to protect the tokens in the database.
+        //
+        //   * Storing the external claims/tokens in an authentication cookie, which doesn't require having
+        //     a user database but may be affected by the cookie size limits enforced by most browser vendors
+        //     (e.g Safari for macOS and Safari for iOS/iPadOS enforce a per-domain 4KB limit for all cookies).
+        //
+        //     Note: this is the approach used here, but the external claims are first filtered to only persist
+        //     a few claims like the user identifier. The same approach is used to store the access/refresh tokens.
+
+        // Important: if the remote server doesn't support OpenID Connect and doesn't expose a userinfo endpoint,
+        // result.Principal.Identity will represent an unauthenticated identity and won't contain any claim.
+        //
+        // Such identities cannot be used as-is to build an authentication cookie in ASP.NET Core (as the
+        // antiforgery stack requires at least a name claim to bind CSRF cookies to the user's identity) but
+        // the access/refresh tokens can be retrieved using result.Properties.GetTokens() to make API calls.
+        if (result.Principal.Identity is not ClaimsIdentity { IsAuthenticated: true })
+        {
+            throw new InvalidOperationException("The external authorization data cannot be used for authentication.");
+        }
+
+        // Build an identity based on the external claims and that will be used to create the authentication cookie.
+        //
+        // By default, all claims extracted during the authorization dance are available. The claims collection stored
+        // in the cookie can be filtered out or mapped to different names depending the claim name or its issuer.
+        var claims = result.Principal.Claims
+            .Select(claim => claim switch
+            {
+                // Applications can map non-standard claims issued by specific issuers to a standard equivalent.
+                { Type: "non_standard_user_id", Issuer: "https://example.com/" }
+                    => new Claim(Claims.Subject, claim.Value, claim.ValueType, claim.Issuer),
+
+                _ => claim
+            })
+            .Where(claim => claim switch
+            {
+                // Preserve the "name" and "sub" claims.
+                { Type: Claims.Name or Claims.Subject } => true,
+
+                // Applications that use multiple client registrations can filter claims based on the issuer.
+                { Type: "custom_claim", Issuer: "https://example.com/" } => true,
+
+                // Don't preserve the other claims.
+                _ => false
+            });
+
+        var identity = new ClaimsIdentity(claims,
+            authenticationType: CookieAuthenticationDefaults.AuthenticationScheme,
+            nameType: Claims.Name,
+            roleType: Claims.Role);
+
+        // If needed, the tokens returned by the authorization server can be stored in the authentication cookie.
+        // To make cookies less heavy, tokens that are not used can be filtered out before creating the cookie.
+        var tokens = result.Properties.GetTokens().Where(token => token switch
+        {
+            // Preserve the access and refresh tokens returned in the token response, if available.
+            {
+                Name: OpenIddictClientAspNetCoreConstants.Tokens.BackchannelAccessToken or
+                      OpenIddictClientAspNetCoreConstants.Tokens.BackchannelRefreshToken
+            } => true,
+
+            // Ignore the other tokens.
+            _ => false
+        });
+
+        var properties = new AuthenticationProperties
+        {
+            RedirectUri = result.Properties.RedirectUri
+        };
+
+        properties.StoreTokens(tokens);
+
+        // Note: "return SignIn(...)" cannot be directly used in this case, as the cookies handler doesn't allow
+        // redirecting from an endpoint that doesn't match the path set in CookieAuthenticationOptions.LoginPath.
+        // For more information about this restriction, visit https://github.com/dotnet/aspnetcore/issues/36934.
+        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity), properties);
+
+        return Redirect(properties.RedirectUri ?? "/");
+    }
+
+    [HttpGet("~/logout"), HttpPost("~/logout")]
+    public ActionResult LogOut()
+    {
+        // Ask the cookies middleware to delete the local cookie created when the user agent
+        // is redirected from the identity provider after a successful authorization flow.
+        var properties = new AuthenticationProperties
+        {
+            RedirectUri = "/"
+        };
+
+        return SignOut(properties, CookieAuthenticationDefaults.AuthenticationScheme);
+    }
+}

sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/ErrorController.cs

@@ -0,0 +1,32 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/openiddict/openiddict-core for more information concerning
+ * the license and the contributors participating to this project.
+ */
+
+using Microsoft.AspNetCore;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Sandbox.AspNetCore.Client.ViewModels.Shared;
+
+namespace OpenIddict.Sandbox.AspNetCore.Client;
+
+public class ErrorController : Controller
+{
+    [HttpGet, HttpPost, Route("~/error")]
+    public IActionResult Error()
+    {
+        // If the error was not caused by an invalid
+        // OIDC request, display a generic error page.
+        var response = HttpContext.GetOpenIddictClientResponse();
+        if (response is null)
+        {
+            return View(new ErrorViewModel());
+        }
+
+        return View(new ErrorViewModel
+        {
+            Error = response.Error,
+            ErrorDescription = response.ErrorDescription
+        });
+    }
+}

sandbox/Mvc.Client/Controllers/HomeController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/HomeController.cs

@@ -3,9 +3,9 @@ using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using OpenIddict.Client.AspNetCore;
 
-namespace Mvc.Client.Controllers;
+namespace OpenIddict.Sandbox.AspNetCore.Client.Controllers;
 
 public class HomeController : Controller
 {
@@ -20,12 +20,8 @@ public class HomeController : Controller
     [Authorize, HttpPost("~/")]
     public async Task<ActionResult> Index(CancellationToken cancellationToken)
     {
-        var token = await HttpContext.GetTokenAsync(CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectParameterNames.AccessToken);
-        if (string.IsNullOrEmpty(token))
-        {
-            throw new InvalidOperationException("The access token cannot be found in the authentication ticket. " +
-                                                "Make sure that SaveTokens is set to true in the OIDC options.");
-        }
+        var token = await HttpContext.GetTokenAsync(CookieAuthenticationDefaults.AuthenticationScheme,
+            OpenIddictClientAspNetCoreConstants.Tokens.BackchannelAccessToken);
 
         using var client = _httpClientFactory.CreateClient();
 

sandbox/Mvc.Client/Mvc.Client.csproj → sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj

@@ -6,6 +6,10 @@
     <Nullable>disable</Nullable>
   </PropertyGroup>
 
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\OpenIddict.AspNetCore\OpenIddict.AspNetCore.csproj" />
+  </ItemGroup>
+
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
   </ItemGroup>

sandbox/Mvc.Server/Program.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Client/Program.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server;
+namespace OpenIddict.Sandbox.AspNetCore.Client;
 
 public static class Program
 {

sandbox/Mvc.Client/Properties/launchSettings.json → sandbox/OpenIddict.Sandbox.AspNetCore.Client/Properties/launchSettings.json

@@ -15,7 +15,7 @@
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
     },
-    "Mvc.Client": {
+    "OpenIddict.Sandbox.AspNetCore.Client": {
       "commandName": "Project",
       "launchBrowser": true,
       "environmentVariables": {

sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs

@@ -0,0 +1,80 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using OpenIddict.Abstractions;
+using OpenIddict.Client;
+using static OpenIddict.Abstractions.OpenIddictConstants;
+
+namespace OpenIddict.Sandbox.AspNetCore.Client;
+
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+        })
+
+        .AddCookie(options =>
+        {
+            options.LoginPath = "/login";
+            options.LogoutPath = "/logout";
+            options.ExpireTimeSpan = TimeSpan.FromMinutes(50);
+            options.SlidingExpiration = false;
+        });
+
+        services.AddOpenIddict()
+            .AddClient(options =>
+            {
+                // Add a client registration matching the client application definition in the server project.
+                options.AddRegistration(new OpenIddictClientRegistration
+                {
+                    Issuer = new Uri("https://localhost:44395/", UriKind.Absolute),
+
+                    ClientId = "mvc",
+                    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
+                    RedirectUri = new Uri("https://localhost:44381/signin-oidc", UriKind.Absolute),
+                    Scopes = { Scopes.Email, Scopes.Profile, Scopes.OfflineAccess, "demo_api" }
+                });
+
+                // Enable the redirection endpoint needed to handle the callback stage.
+                options.SetRedirectionEndpointUris(new Uri("/signin-oidc", UriKind.Relative));
+
+                // Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
+                options.UseAspNetCore()
+                       .EnableStatusCodePagesIntegration()
+                       .EnableRedirectionEndpointPassthrough();
+
+                // Register the signing and encryption credentials used to protect
+                // sensitive data like the state tokens produced by OpenIddict.
+                options.AddDevelopmentEncryptionCertificate()
+                       .AddDevelopmentSigningCertificate();
+
+                // Register the System.Net.Http integration.
+                options.UseSystemNetHttp();
+            });
+
+        services.AddHttpClient();
+
+        services.AddControllersWithViews();
+    }
+
+    public void Configure(IApplicationBuilder app)
+    {
+        app.UseDeveloperExceptionPage();
+
+        app.UseStaticFiles();
+
+        app.UseStatusCodePagesWithReExecute("/error");
+
+        app.UseRouting();
+
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        app.UseEndpoints(options =>
+        {
+            options.MapControllers();
+            options.MapDefaultControllerRoute();
+        });
+    }
+}

sandbox/Mvc.Server/ViewModels/Shared/ErrorViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Client/ViewModels/Shared/ErrorViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Shared;
+namespace OpenIddict.Sandbox.AspNetCore.Client.ViewModels.Shared;
 
 public class ErrorViewModel
 {

sandbox/Mvc.Client/Views/Shared/_Layout.cshtml → sandbox/OpenIddict.Sandbox.AspNetCore.Client/Views/Shared/_Layout.cshtml

@@ -7,7 +7,7 @@
     <meta name="description" content="" />
     <meta name="author" content="" />
 
-    <title>Mvc.Client</title>
+    <title>OpenIddict.Sandbox.AspNetCore.Client</title>
 
     <link href="~/stylesheets/bootstrap.min.css" rel="stylesheet" />
     <link href="~/stylesheets/jumbotron-narrow.css" rel="stylesheet" />
@@ -16,7 +16,7 @@
 <body>
     <div class="container">
         <div class="header">
-            <h3 class="text-muted">Your application (Mvc.Client)</h3>
+            <h3 class="text-muted">Your application (OpenIddict.Sandbox.AspNetCore.Client)</h3>
         </div>
 
         @RenderBody()

sandbox/OpenIddict.Sandbox.AspNetCore.Client/Views/_ViewImports.cshtml

@@ -0,0 +1,3 @@
+@using OpenIddict.Sandbox.AspNetCore.Client
+@using OpenIddict.Sandbox.AspNetCore.Client.ViewModels.Shared
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

sandbox/OpenIddict.Sandbox.AspNetCore.Client/web.config

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+
+  <!-- To customize the asp.net core module uncomment and edit the following section. 
+  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
+  <!--
+  <system.webServer>
+    <handlers>
+      <remove name="aspNetCore"/>
+      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
+    </handlers>
+    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
+  </system.webServer>
+  -->
+
+  <system.webServer>
+    <security>
+      <requestFiltering>
+        <requestLimits maxQueryString="32768"/>
+      </requestFiltering>
+    </security>
+  </system.webServer>
+
+</configuration>

sandbox/Mvc.Server/Controllers/AccountController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AccountController.cs

@@ -3,11 +3,11 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Rendering;
-using Mvc.Server.Models;
-using Mvc.Server.Services;
-using Mvc.Server.ViewModels.Account;
+using OpenIddict.Sandbox.AspNetCore.Server.Models;
+using OpenIddict.Sandbox.AspNetCore.Server.Services;
+using OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
-namespace Mvc.Server.Controllers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Controllers;
 
 [Authorize]
 public class AccountController : Controller

sandbox/Mvc.Server/Controllers/AuthorizationController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs

@@ -11,14 +11,14 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Primitives;
-using Mvc.Server.Helpers;
-using Mvc.Server.Models;
-using Mvc.Server.ViewModels.Authorization;
+using OpenIddict.Sandbox.AspNetCore.Server.Helpers;
+using OpenIddict.Sandbox.AspNetCore.Server.Models;
+using OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Authorization;
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
-namespace Mvc.Server;
+namespace OpenIddict.Sandbox.AspNetCore.Server;
 
 public class AuthorizationController : Controller
 {

sandbox/Mvc.Server/Controllers/ErrorController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/ErrorController.cs

@@ -6,9 +6,9 @@
 
 using Microsoft.AspNetCore;
 using Microsoft.AspNetCore.Mvc;
-using Mvc.Server.ViewModels.Shared;
+using OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Shared;
 
-namespace Mvc.Server;
+namespace OpenIddict.Sandbox.AspNetCore.Server;
 
 public class ErrorController : Controller
 {

sandbox/Mvc.Server/Controllers/HomeController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/HomeController.cs

@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Mvc;
 
-namespace Mvc.Server.Controllers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Controllers;
 
 public class HomeController : Controller
 {

sandbox/Mvc.Server/Controllers/ManageController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/ManageController.cs

@@ -1,11 +1,11 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
-using Mvc.Server.Models;
-using Mvc.Server.Services;
-using Mvc.Server.ViewModels.Manage;
+using OpenIddict.Sandbox.AspNetCore.Server.Models;
+using OpenIddict.Sandbox.AspNetCore.Server.Services;
+using OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
-namespace Mvc.Server.Controllers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Controllers;
 
 [Authorize]
 public class ManageController : Controller

sandbox/Mvc.Server/Controllers/ResourceController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/ResourceController.cs

@@ -2,12 +2,12 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
-using Mvc.Server.Models;
+using OpenIddict.Sandbox.AspNetCore.Server.Models;
 using OpenIddict.Abstractions;
 using OpenIddict.Validation.AspNetCore;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
-namespace Mvc.Server.Controllers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Controllers;
 
 [Route("api")]
 public class ResourceController : Controller

sandbox/Mvc.Server/Controllers/UserinfoController.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/UserinfoController.cs

@@ -2,12 +2,12 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
-using Mvc.Server.Models;
+using OpenIddict.Sandbox.AspNetCore.Server.Models;
 using OpenIddict.Abstractions;
 using OpenIddict.Server.AspNetCore;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
-namespace Mvc.Server.Controllers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Controllers;
 
 public class UserinfoController : Controller
 {

sandbox/Mvc.Server/Helpers/AsyncEnumerableExtensions.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Helpers/AsyncEnumerableExtensions.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server.Helpers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Helpers;
 
 public static class AsyncEnumerableExtensions
 {

sandbox/Mvc.Server/Helpers/FormValueRequiredAttribute.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Helpers/FormValueRequiredAttribute.cs

@@ -1,7 +1,7 @@
 using Microsoft.AspNetCore.Mvc.Abstractions;
 using Microsoft.AspNetCore.Mvc.ActionConstraints;
 
-namespace Mvc.Server.Helpers;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Helpers;
 
 public sealed class FormValueRequiredAttribute : ActionMethodSelectorAttribute
 {

sandbox/Mvc.Server/Models/ApplicationDbContext.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Models/ApplicationDbContext.cs

@@ -1,7 +1,7 @@
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
 
-namespace Mvc.Server.Models;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Models;
 
 public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
 {

sandbox/Mvc.Server/Models/ApplicationUser.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Models/ApplicationUser.cs

@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Identity;
 
-namespace Mvc.Server.Models;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Models;
 
 // Add profile data for application users by adding properties to the ApplicationUser class
 public class ApplicationUser : IdentityUser { }

sandbox/Mvc.Client/Program.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Program.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Client;
+namespace OpenIddict.Sandbox.AspNetCore.Server;
 
 public static class Program
 {

sandbox/Mvc.Server/Properties/launchSettings.json → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Properties/launchSettings.json

@@ -15,7 +15,7 @@
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
     },
-    "Mvc.Server": {
+    "OpenIddict.Sandbox.AspNetCore.Server": {
       "commandName": "Project",
       "launchBrowser": true,
       "environmentVariables": {

sandbox/Mvc.Server/Services/IEmailSender.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Services/IEmailSender.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server.Services;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Services;
 
 public interface IEmailSender
 {

sandbox/Mvc.Server/Services/ISmsSender.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Services/ISmsSender.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server.Services;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Services;
 
 public interface ISmsSender
 {

sandbox/Mvc.Server/Services/MessageServices.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Services/MessageServices.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server.Services;
+namespace OpenIddict.Sandbox.AspNetCore.Server.Services;
 
 // This class is used by the application to send Email and SMS
 // when you turn on two-factor authentication in ASP.NET Identity.

sandbox/Mvc.Server/Startup.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs

@@ -1,11 +1,11 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
-using Mvc.Server.Models;
-using Mvc.Server.Services;
+using OpenIddict.Sandbox.AspNetCore.Server.Models;
+using OpenIddict.Sandbox.AspNetCore.Server.Services;
 using Quartz;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
-namespace Mvc.Server;
+namespace OpenIddict.Sandbox.AspNetCore.Server;
 
 public class Startup
 {

sandbox/Mvc.Server/ViewModels/Account/ExternalLoginConfirmationViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/ExternalLoginConfirmationViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class ExternalLoginConfirmationViewModel
 {

sandbox/Mvc.Server/ViewModels/Account/ForgotPasswordViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/ForgotPasswordViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class ForgotPasswordViewModel
 {

sandbox/Mvc.Server/ViewModels/Account/LoginViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/LoginViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class LoginViewModel
 {

sandbox/Mvc.Server/ViewModels/Account/RegisterViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/RegisterViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class RegisterViewModel
 {

sandbox/Mvc.Server/ViewModels/Account/ResetPasswordViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/ResetPasswordViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class ResetPasswordViewModel
 {

sandbox/Mvc.Server/ViewModels/Account/SendCodeViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/SendCodeViewModel.cs

@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Mvc.Rendering;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class SendCodeViewModel
 {

sandbox/Mvc.Server/ViewModels/Account/VerifyCodeViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Account/VerifyCodeViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Account;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Account;
 
 public class VerifyCodeViewModel
 {

sandbox/Mvc.Server/ViewModels/Authorization/AuthorizeViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Authorization/AuthorizeViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Authorization;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Authorization;
 
 public class AuthorizeViewModel
 {

sandbox/Mvc.Server/ViewModels/Authorization/VerifyViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Authorization/VerifyViewModel.cs

@@ -3,7 +3,7 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
 using OpenIddict.Abstractions;
 
-namespace Mvc.Server.ViewModels.Authorization;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Authorization;
 
 public class VerifyViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/AddPhoneNumberViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/AddPhoneNumberViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class AddPhoneNumberViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/ChangePasswordViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/ChangePasswordViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class ChangePasswordViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/ConfigureTwoFactorViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/ConfigureTwoFactorViewModel.cs

@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Mvc.Rendering;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class ConfigureTwoFactorViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/FactorViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/FactorViewModel.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class FactorViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/IndexViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/IndexViewModel.cs

@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Identity;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class IndexViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/ManageLoginsViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/ManageLoginsViewModel.cs

@@ -1,7 +1,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class ManageLoginsViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/RemoveLoginViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/RemoveLoginViewModel.cs

@@ -1,4 +1,4 @@
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class RemoveLoginViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/SetPasswordViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/SetPasswordViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class SetPasswordViewModel
 {

sandbox/Mvc.Server/ViewModels/Manage/VerifyPhoneNumberViewModel.cs → sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Manage/VerifyPhoneNumberViewModel.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Mvc.Server.ViewModels.Manage;
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Manage;
 
 public class VerifyPhoneNumberViewModel
 {

sandbox/OpenIddict.Sandbox.AspNetCore.Server/ViewModels/Shared/ErrorViewModel.cs

@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Shared;
+
+public class ErrorViewModel
+{
+    [Display(Name = "Error")]
+    public string Error { get; set; }
+
+    [Display(Name = "Description")]
+    public string ErrorDescription { get; set; }
+}