diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs
index 7d516538..605f511a 100644
--- a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs
@@ -377,6 +377,13 @@ namespace OpenIddict.Sandbox.AspNet.Server.Controllers
                 nameType: Claims.Name,
                 roleType: Claims.Role);
 
+            // Override the user claims present in the principal in case they
+            // changed since the authorization code/refresh token was issued.
+            identity.SetClaim(Claims.Subject, user.Id)
+                .SetClaim(Claims.Email, user.Email)
+                .SetClaim(Claims.Name, user.UserName)
+                .SetClaims(Claims.Role, (await context.Get().GetRolesAsync(user.Id)).ToImmutableArray());
+
             identity.SetDestinations(GetDestinations);
 
             // Ask OpenIddict to issue the appropriate access/identity tokens.
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs
index 4bcf1a71..ce5720af 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs
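Review bot: Re-reading name, e-mail and roles from the store in the `identity.SetClaim(...)` chain brings the reissued token's claims up to date, but it does not by itself re-check that the account may still sign in — a user who was locked out or had the security stamp rotated after the code/refresh token was issued still receives fresh tokens unless that check happens before this block. The enclosing action starts and ends outside the hunk, so I cannot see whether such a check exists; if it does not, add a lockout/"can sign in" check ahead of the claim override and return a forbid result when it fails. A wording nit: the comment `// changed since the authorization code/refresh token was issued.` should also name the device code if this branch serves that grant, as the AspNetCore counterpart in this commit does.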
@@ -493,10 +493,10 @@ public class AuthorizationController : Controller
         else if (request.IsAuthorizationCodeGrantType() || request.IsDeviceCodeGrantType() || request.IsRefreshTokenGrantType())
         {
             // Retrieve the claims principal stored in the authorization code/device code/refresh token.
-            var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;
+            var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
 
             // Retrieve the user profile corresponding to the authorization code/refresh token.
-            var user = await _userManager.FindByIdAsync(principal.GetClaim(Claims.Subject));
+            var user = await _userManager.FindByIdAsync(result.Principal.GetClaim(Claims.Subject));
             if (user is null)
             {
                 return Forbid(
@@ -520,10 +520,22 @@ public class AuthorizationController : Controller
                 }));
             }
 
-            principal.SetDestinations(GetDestinations);
+            var identity = new ClaimsIdentity(result.Principal.Claims,
+                authenticationType: TokenValidationParameters.DefaultAuthenticationType,
+                nameType: Claims.Name,
+                roleType: Claims.Role);
+
+            // Override the user claims present in the principal in case they
+            // changed since the authorization code/refresh token was issued.
+            identity.SetClaim(Claims.Subject, await _userManager.GetUserIdAsync(user))
+                .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
+                .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
+                .SetClaims(Claims.Role, (await _userManager.GetRolesAsync(user)).ToImmutableArray());
+
+            identity.SetDestinations(GetDestinations);
 
             // Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
-            return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+            return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
         }
 
         throw new InvalidOperationException("The specified grant type is not supported.");
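Review bot: `result.Principal` is dereferenced on the `FindByIdAsync` line without checking `result.Succeeded`, so an authentication result that carries no principal surfaces as a NullReferenceException rather than a deliberate error response. This is the same shape as the old `principal.GetClaim` call, so the commit does not make it worse, but now that the `AuthenticateResult` is kept a guard is cheap: `var principal = result.Principal ?? throw new InvalidOperationException("The principal cannot be retrieved from the authentication result.");` and then use `principal` in place of `result.Principal` below. OpenIddict is expected to have validated the code/device code/refresh token before this action runs, so treat this as a defence-in-depth guard with a clearer failure mode; the enclosing action continues past the hunk.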
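Review bot: Rebuilding the identity from `result.Principal.Claims` and overriding subject, e-mail, name and roles refreshes what the store says about the user, but not whether the user may still sign in: a lockout or a security-stamp rotation since issuance is not checked here, so a locked-out user with a still-valid refresh token gets fresh tokens unless the code elided between the two hunks (ending at `}));`) already rejects that case — confirm it does, e.g. with a `_signInManager.CanSignInAsync(user)` check that returns `Forbid(...)`. The comment `// changed since the authorization code/refresh token was issued.` should also name the device code, since this branch handles `IsDeviceCodeGrantType()` as well. The `authenticationType: TokenValidationParameters.DefaultAuthenticationType` argument relies on `Microsoft.IdentityModel.Tokens` being in scope, which the hunk does not show; if it is not already imported the file will not compile.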