diff --git a/src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs b/src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs
index a72ace97..a50cb1ba 100644
--- a/src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs
+++ b/src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs
@@ -347,12 +347,11 @@ public interface IOpenIddictAuthorizationManager
ValueTask PopulateAsync(object authorization, OpenIddictAuthorizationDescriptor descriptor, CancellationToken cancellationToken = default);
///
- /// Removes the authorizations that are marked as invalid and the ad-hoc ones that have no token attached.
+ /// Removes the authorizations that are marked as invalid and don't have any token attached.
/// Only authorizations created before the specified are removed.
///
///
- /// To ensure ad-hoc authorizations that no longer have any valid/non-expired token
- /// attached are correctly removed, the tokens should always be pruned first.
+ /// Since authorizations with tokens still attached are not deleted, tokens should always be pruned first.
///
/// The date before which authorizations are not pruned.
/// The that can be used to abort the operation.
diff --git a/src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs b/src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs
index b1526fd4..fda5ce1d 100644
--- a/src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs
@@ -232,12 +232,11 @@ public interface IOpenIddictAuthorizationStore where TAuthorizat
TState state, CancellationToken cancellationToken);
///
- /// Removes the authorizations that are marked as invalid and the ad-hoc ones that have no token attached.
+ /// Removes the authorizations that are marked as invalid and don't have any token attached.
/// Only authorizations created before the specified are removed.
///
///
- /// To ensure ad-hoc authorizations that no longer have any valid/non-expired token
- /// attached are correctly removed, the tokens should always be pruned first.
+ /// Since authorizations with tokens still attached are not deleted, tokens should always be pruned first.
///
/// The date before which authorizations are not pruned.
/// The that can be used to abort the operation.
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
index 434fe211..34f970b8 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
@@ -521,8 +521,8 @@ public class OpenIddictEntityFrameworkAuthorizationStore authorization.Tokens)
where authorization.CreationDate < date
- where authorization.Status != Statuses.Valid ||
- (authorization.Type == AuthorizationTypes.AdHoc && !authorization.Tokens.Any())
+ where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+ where !authorization.Tokens.Any()
orderby authorization.Id
select authorization).Take(1_000).ToListAsync(cancellationToken);
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
index 239e33fa..a989cf04 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
@@ -605,8 +605,8 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore authorization.Tokens).AsTracking()
where authorization.CreationDate < date
- where authorization.Status != Statuses.Valid ||
- (authorization.Type == AuthorizationTypes.AdHoc && !authorization.Tokens.Any())
+ where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+ where !authorization.Tokens.Any()
orderby authorization.Id
select authorization).Take(1_000).ToListAsync(cancellationToken);
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictMongoDbAuthorizationStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictMongoDbAuthorizationStore.cs
index 7f58382c..c8c20327 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictMongoDbAuthorizationStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictMongoDbAuthorizationStore.cs
@@ -422,8 +422,8 @@ public class OpenIddictMongoDbAuthorizationStore : IOpenIddictAu
join token in database.GetCollection(Options.CurrentValue.TokensCollectionName).AsQueryable()
on authorization.Id equals token.AuthorizationId into tokens
where authorization.CreationDate < threshold.UtcDateTime
- where authorization.Status != Statuses.Valid ||
- (authorization.Type == AuthorizationTypes.AdHoc && !tokens.Any())
+ where authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc
+ where !tokens.Any()
select authorization.Id).ToListAsync(cancellationToken);
// Note: to avoid generating delete requests with very large filters, a buffer is used here and the
diff --git a/src/OpenIddict.Quartz/OpenIddictQuartzJob.cs b/src/OpenIddict.Quartz/OpenIddictQuartzJob.cs
index 9048e48a..99e2e51c 100644
--- a/src/OpenIddict.Quartz/OpenIddictQuartzJob.cs
+++ b/src/OpenIddict.Quartz/OpenIddictQuartzJob.cs
@@ -59,10 +59,8 @@ public sealed class OpenIddictQuartzJob : IJob
try
{
- // Note: this background task is responsible for automatically removing orphaned tokens/authorizations
- // (i.e tokens that are no longer valid and ad-hoc authorizations that have no valid tokens associated).
- // Import: since tokens associated to ad-hoc authorizations are not removed as part of the same operation,
- // the tokens MUST be deleted before removing the ad-hoc authorizations that no longer have any token.
+ // Important: since authorizations that still have tokens attached are never
+ // pruned, the tokens MUST be deleted before deleting the authorizations.
if (!_options.CurrentValue.DisableTokenPruning)
{