Update the samples to demonstrate how to override the claims resolved from authorization codes/refresh tokens

sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs

@@ -377,6 +377,13 @@ namespace OpenIddict.Sandbox.AspNet.Server.Controllers
                     nameType: Claims.Name,
                     roleType: Claims.Role);
 
+                // Override the user claims present in the principal in case they
+                // changed since the authorization code/refresh token was issued.
+                identity.SetClaim(Claims.Subject, user.Id)
+                        .SetClaim(Claims.Email, user.Email)
+                        .SetClaim(Claims.Name, user.UserName)
+                        .SetClaims(Claims.Role, (await context.Get<ApplicationUserManager>().GetRolesAsync(user.Id)).ToImmutableArray());
+
                 identity.SetDestinations(GetDestinations);
 
                 // Ask OpenIddict to issue the appropriate access/identity tokens.

sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs

@@ -493,10 +493,10 @@ public class AuthorizationController : Controller
         else if (request.IsAuthorizationCodeGrantType() || request.IsDeviceCodeGrantType() || request.IsRefreshTokenGrantType())
         {
             // Retrieve the claims principal stored in the authorization code/device code/refresh token.
-            var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;
+            var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
 
             // Retrieve the user profile corresponding to the authorization code/refresh token.
-            var user = await _userManager.FindByIdAsync(principal.GetClaim(Claims.Subject));
+            var user = await _userManager.FindByIdAsync(result.Principal.GetClaim(Claims.Subject));
             if (user is null)
             {
                 return Forbid(
@@ -520,10 +520,22 @@ public class AuthorizationController : Controller
                     }));
             }
 
-            principal.SetDestinations(GetDestinations);
+            var identity = new ClaimsIdentity(result.Principal.Claims,
+                authenticationType: TokenValidationParameters.DefaultAuthenticationType,
+                nameType: Claims.Name,
+                roleType: Claims.Role);
+
+            // Override the user claims present in the principal in case they
+            // changed since the authorization code/refresh token was issued.
+            identity.SetClaim(Claims.Subject, await _userManager.GetUserIdAsync(user))
+                    .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
+                    .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
+                    .SetClaims(Claims.Role, (await _userManager.GetRolesAsync(user)).ToImmutableArray());
+
+            identity.SetDestinations(GetDestinations);
 
             // Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
-            return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+            return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
         }
 
         throw new InvalidOperationException("The specified grant type is not supported.");