From 7915f28d90d61fa7a3d34ed20ca8b56c0dd5eb26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 21 Jul 2023 07:20:14 +0200
Subject: [PATCH] Store the expiration date of the backchannel/frontchannel
 access tokens as a token in AuthenticationProperties

---
 .../OpenIddictClientAspNetCoreConstants.cs    |  2 ++
 .../OpenIddictClientAspNetCoreHandler.cs      | 24 +++++++++++++++++++
 .../OpenIddictClientOwinConstants.cs          |  2 ++
 .../OpenIddictClientOwinHandler.cs            | 16 +++++++++++++
 .../OpenIddictClientEvents.cs                 | 10 ++++++++
 .../OpenIddictClientHandlers.cs               | 24 ++++++++++++++++---
 6 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreConstants.cs b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreConstants.cs
index ccc88f47..0791e7b3 100644
--- a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreConstants.cs
+++ b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreConstants.cs
@@ -35,8 +35,10 @@ public static class OpenIddictClientAspNetCoreConstants
     {
         public const string AuthorizationCode = "authorization_code";
         public const string BackchannelAccessToken = "backchannel_access_token";
+        public const string BackchannelAccessTokenExpirationDate = "backchannel_access_token_expiration_date";
         public const string BackchannelIdentityToken = "backchannel_id_token";
         public const string FrontchannelAccessToken = "frontchannel_access_token";
+        public const string FrontchannelAccessTokenExpirationDate = "frontchannel_access_token_expiration_date";
         public const string FrontchannelIdentityToken = "frontchannel_id_token";
         public const string RefreshToken = "refresh_token";
         public const string StateToken = "state_token";
diff --git a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
index 7dffffe7..6cb40923 100644
--- a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
+++ b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
@@ -6,6 +6,7 @@
 
 using System.ComponentModel;
 using System.Diagnostics;
+using System.Globalization;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 using System.Text.Json;
@@ -192,6 +193,9 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
 
             // Attach the tokens to allow any ASP.NET Core component (e.g a controller)
             // to retrieve them (e.g to make an API request to another application).
+            //
+            // Note: for consistency with the ASP.NET Core OpenID Connect handler, the expiration
+            // dates of the backchannel/frontchannel access tokens are also stored as tokens.
 
             if (!string.IsNullOrEmpty(context.AuthorizationCode))
             {
@@ -213,6 +217,16 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
                 });
             }
 
+            if (context.BackchannelAccessTokenExpirationDate is not null)
+            {
+                tokens ??= new(capacity: 1);
+                tokens.Add(new AuthenticationToken
+                {
+                    Name = Tokens.BackchannelAccessTokenExpirationDate,
+                    Value = context.BackchannelAccessTokenExpirationDate.Value.ToString("o", CultureInfo.InvariantCulture)
+                });
+            }
+
             if (!string.IsNullOrEmpty(context.BackchannelIdentityToken))
             {
                 tokens ??= new(capacity: 1);
@@ -233,6 +247,16 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
                 });
             }
 
+            if (context.FrontchannelAccessTokenExpirationDate is not null)
+            {
+                tokens ??= new(capacity: 1);
+                tokens.Add(new AuthenticationToken
+                {
+                    Name = Tokens.FrontchannelAccessTokenExpirationDate,
+                    Value = context.FrontchannelAccessTokenExpirationDate.Value.ToString("o", CultureInfo.InvariantCulture)
+                });
+            }
+
             if (!string.IsNullOrEmpty(context.FrontchannelIdentityToken))
             {
                 tokens ??= new(capacity: 1);
diff --git a/src/OpenIddict.Client.Owin/OpenIddictClientOwinConstants.cs b/src/OpenIddict.Client.Owin/OpenIddictClientOwinConstants.cs
index 942ed1ac..e928415a 100644
--- a/src/OpenIddict.Client.Owin/OpenIddictClientOwinConstants.cs
+++ b/src/OpenIddict.Client.Owin/OpenIddictClientOwinConstants.cs
@@ -52,8 +52,10 @@ public static class OpenIddictClientOwinConstants
     {
         public const string AuthorizationCode = "authorization_code";
         public const string BackchannelAccessToken = "backchannel_access_token";
+        public const string BackchannelAccessTokenExpirationDate = "backchannel_access_token_expiration_date";
         public const string BackchannelIdentityToken = "backchannel_id_token";
         public const string FrontchannelAccessToken = "frontchannel_access_token";
+        public const string FrontchannelAccessTokenExpirationDate = "frontchannel_access_token_expiration_date";
         public const string FrontchannelIdentityToken = "frontchannel_id_token";
         public const string RefreshToken = "refresh_token";
         public const string StateToken = "state_token";
diff --git a/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs b/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs
index 9fd5b88a..34639b7d 100644
--- a/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs
+++ b/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs
@@ -8,6 +8,7 @@ using System.Collections.Immutable;
 using System.ComponentModel;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
+using System.Globalization;
 using System.Runtime.CompilerServices;
 using System.Security.Claims;
 using System.Text.Json;
@@ -208,6 +209,9 @@ public sealed class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddi
 
             // Attach the tokens to allow any OWIN component (e.g a controller)
             // to retrieve them (e.g to make an API request to another application).
+            //
+            // Note: for consistency with the OWIN OpenID Connect middleware, the expiration
+            // dates of the backchannel/frontchannel access tokens are also stored as tokens.
 
             if (!string.IsNullOrEmpty(context.AuthorizationCode))
             {
@@ -219,6 +223,12 @@ public sealed class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddi
                 properties.Dictionary[Tokens.BackchannelAccessToken] = context.BackchannelAccessToken;
             }
 
+            if (context.BackchannelAccessTokenExpirationDate is not null)
+            {
+                properties.Dictionary[Tokens.BackchannelAccessTokenExpirationDate] =
+                    context.BackchannelAccessTokenExpirationDate.Value.ToString("o", CultureInfo.InvariantCulture);
+            }
+
             if (!string.IsNullOrEmpty(context.BackchannelIdentityToken))
             {
                 properties.Dictionary[Tokens.BackchannelIdentityToken] = context.BackchannelIdentityToken;
@@ -229,6 +239,12 @@ public sealed class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddi
                 properties.Dictionary[Tokens.FrontchannelAccessToken] = context.FrontchannelAccessToken;
             }
 
+            if (context.FrontchannelAccessTokenExpirationDate is not null)
+            {
+                properties.Dictionary[Tokens.FrontchannelAccessTokenExpirationDate] =
+                    context.FrontchannelAccessTokenExpirationDate.Value.ToString("o", CultureInfo.InvariantCulture);
+            }
+
             if (!string.IsNullOrEmpty(context.FrontchannelIdentityToken))
             {
                 properties.Dictionary[Tokens.FrontchannelIdentityToken] = context.FrontchannelIdentityToken;
diff --git a/src/OpenIddict.Client/OpenIddictClientEvents.cs b/src/OpenIddict.Client/OpenIddictClientEvents.cs
index 76eaee4c..ae2d627b 100644
--- a/src/OpenIddict.Client/OpenIddictClientEvents.cs
+++ b/src/OpenIddict.Client/OpenIddictClientEvents.cs
@@ -683,6 +683,11 @@ public static partial class OpenIddictClientEvents
         /// </summary>
         public string? BackchannelAccessToken { get; set; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the backchannel access token, if applicable.
+        /// </summary>
+        public DateTimeOffset? BackchannelAccessTokenExpirationDate { get; set; }
+
         /// <summary>
         /// Gets or sets the backchannel identity token to validate, if applicable.
         /// </summary>
@@ -698,6 +703,11 @@ public static partial class OpenIddictClientEvents
         /// </summary>
         public string? FrontchannelAccessToken { get; set; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the frontchannel access token, if applicable.
+        /// </summary>
+        public DateTimeOffset? FrontchannelAccessTokenExpirationDate { get; set; }
+
         /// <summary>
         /// Gets or sets the frontchannel identity token to validate, if applicable.
         /// </summary>
diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
index 02c64733..43f1224f 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@@ -1392,6 +1392,15 @@ public static partial class OpenIddictClientHandlers
                 _ => null
             };
 
+            context.FrontchannelAccessTokenExpirationDate = context.EndpointType switch
+            {
+                OpenIddictClientEndpointType.Redirection when context.ExtractFrontchannelAccessToken
+                    => ((long?) context.Request[Parameters.ExpiresIn]) is long value ?
+                        DateTimeOffset.UtcNow.AddSeconds(value) : null,
+
+                _ => null
+            };
+
             context.FrontchannelIdentityToken = context.EndpointType switch
             {
                 OpenIddictClientEndpointType.Redirection when context.ExtractFrontchannelIdentityToken
@@ -2721,9 +2730,18 @@ public static partial class OpenIddictClientHandlers
 
             Debug.Assert(context.TokenResponse is not null, SR.GetResourceString(SR.ID4007));
 
-            context.BackchannelAccessToken   = context.ExtractBackchannelAccessToken   ? context.TokenResponse.AccessToken  : null;
-            context.BackchannelIdentityToken = context.ExtractBackchannelIdentityToken ? context.TokenResponse.IdToken      : null;
-            context.RefreshToken             = context.ExtractRefreshToken             ? context.TokenResponse.RefreshToken : null;
+            context.BackchannelAccessToken = context.ExtractBackchannelAccessToken ?
+                context.TokenResponse.AccessToken : null;
+
+            context.BackchannelAccessTokenExpirationDate =
+                context.ExtractBackchannelAccessToken &&
+                context.TokenResponse.ExpiresIn is long value ? DateTimeOffset.UtcNow.AddSeconds(value) : null;
+
+            context.BackchannelIdentityToken = context.ExtractBackchannelIdentityToken ?
+                context.TokenResponse.IdToken : null;
+
+            context.RefreshToken = context.ExtractRefreshToken ?
+                context.TokenResponse.RefreshToken : null;
 
             return default;
         }