Update the aspnet-contrib dependencies and introduce a new OpenIddictServerBuilder.AddSigningCertificate() extension accepting a X509KeyStorageFlags parameter

build/dependencies.props

@@ -1,8 +1,8 @@
 <Project>
 
   <PropertyGroup Label="Package Versions">
-    <AspNetContribOpenIdExtensionsVersion>2.0.0-rc3-final</AspNetContribOpenIdExtensionsVersion>
-    <AspNetContribOpenIdServerVersion>2.0.0-rc3-final</AspNetContribOpenIdServerVersion>
+    <AspNetContribOpenIdExtensionsVersion>2.0.0-rtm-0318</AspNetContribOpenIdExtensionsVersion>
+    <AspNetContribOpenIdServerVersion>2.0.0-rtm-1400</AspNetContribOpenIdServerVersion>
     <AspNetCoreVersion>2.0.0</AspNetCoreVersion>
     <CoreFxVersion>4.4.0</CoreFxVersion>
     <CryptoHelperVersion>3.0.2</CryptoHelperVersion>

src/OpenIddict.Server/Internal/OpenIddictServerProvider.Helpers.cs

@@ -490,7 +490,7 @@ namespace OpenIddict.Server
             }
         }
 
-        private async Task<bool> TryExtendTokenAsync(
+        private async Task<bool> TryExtendRefreshTokenAsync(
             [NotNull] object token, [NotNull] AuthenticationTicket ticket, [NotNull] OpenIddictServerOptions options)
         {
             var identifier = ticket.GetProperty(OpenIddictConstants.Properties.InternalTokenId);
@@ -499,15 +499,26 @@ namespace OpenIddict.Server
             try
             {
                 // Compute the new expiration date of the refresh token.
-                var date = options.SystemClock.UtcNow;
-                date += ticket.GetRefreshTokenLifetime() ?? options.RefreshTokenLifetime;
+                var lifetime = ticket.GetRefreshTokenLifetime() ?? options.RefreshTokenLifetime;
+                if (lifetime != null)
+                {
+                    // Note: the request cancellation token is deliberately not used here to ensure the caller
+                    // cannot prevent this operation from being executed by resetting the TCP connection.
+                    var date = options.SystemClock.UtcNow + lifetime;
+                    await _tokenManager.ExtendAsync(token, date);
 
-                // Note: the request cancellation token is deliberately not used here to ensure the caller
-                // cannot prevent this operation from being executed by resetting the TCP connection.
-                await _tokenManager.ExtendAsync(token, date);
+                    _logger.LogInformation("The expiration date of the refresh token '{Identifier}' " +
+                                           "was automatically updated: {Date}.", identifier, date);
+                }
 
-                _logger.LogInformation("The expiration date of the refresh token '{Identifier}' " +
-                                       "was automatically updated: {Date}.", identifier, date);
+                else
+                {
+                    // Note: the request cancellation token is deliberately not used here to ensure the caller
+                    // cannot prevent this operation from being executed by resetting the TCP connection.
+                    await _tokenManager.ExtendAsync(token, date: null);
+
+                    _logger.LogInformation("The expiration date of the refresh token '{Identifier}' was removed.", identifier);
+                }
 
                 return true;
             }

src/OpenIddict.Server/Internal/OpenIddictServerProvider.cs

@@ -183,7 +183,7 @@ namespace OpenIddict.Server
                         // already updated the expiration date associated with the refresh token.
                         if (!options.UseRollingTokens && options.UseSlidingExpiration)
                         {
-                            await TryExtendTokenAsync(token, context.Ticket, options);
+                            await TryExtendRefreshTokenAsync(token, context.Ticket, options);
                         }
                     }
                 }

src/OpenIddict.Server/OpenIddictServerBuilder.cs

@@ -282,6 +282,37 @@ namespace Microsoft.Extensions.DependencyInjection
             return Configure(options => options.SigningCredentials.AddCertificate(assembly, resource, password));
         }
 
+        /// <summary>
+        /// Registers a <see cref="X509Certificate2"/> retrieved from an
+        /// embedded resource and used to sign the JWT tokens issued by OpenIddict.
+        /// </summary>
+        /// <param name="assembly">The assembly containing the certificate.</param>
+        /// <param name="resource">The name of the embedded resource.</param>
+        /// <param name="password">The password used to open the certificate.</param>
+        /// <param name="flags">An enumeration of flags indicating how and where to store the private key of the certificate.</param>
+        /// <returns>The <see cref="OpenIddictServerBuilder"/>.</returns>
+        public OpenIddictServerBuilder AddSigningCertificate(
+            [NotNull] Assembly assembly, [NotNull] string resource,
+            [NotNull] string password, X509KeyStorageFlags flags)
+        {
+            if (assembly == null)
+            {
+                throw new ArgumentNullException(nameof(assembly));
+            }
+
+            if (string.IsNullOrEmpty(resource))
+            {
+                throw new ArgumentNullException(nameof(resource));
+            }
+
+            if (string.IsNullOrEmpty(password))
+            {
+                throw new ArgumentException("The password cannot be null or empty.", nameof(password));
+            }
+
+            return Configure(options => options.SigningCredentials.AddCertificate(assembly, resource, password, flags));
+        }
+
         /// <summary>
         /// Registers a <see cref="X509Certificate2"/> extracted from a
         /// stream and used to sign the JWT tokens issued by OpenIddict.