Port the sign-in integration tests

src/OpenIddict.Server/OpenIddictServerEvents.cs

@@ -247,17 +247,6 @@ namespace OpenIddict.Server
             /// Gets the client identifier, or <c>null</c> if the client application is unknown.
             /// </summary>
             public string ClientId => Request.ClientId;
-
-            /// <summary>
-            /// Gets a boolean indicating whether the
-            /// <see cref="HandleAuthentication()"/> method was called.
-            /// </summary>
-            public bool IsHandled { get; private set; }
-
-            /// <summary>
-            /// Marks the authentication process as handled by the application code.
-            /// </summary>
-            public void HandleAuthentication() => IsHandled = true;
         }
 
         /// <summary>

src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs

@@ -301,7 +301,7 @@ namespace OpenIddict.Server
                         else if (@event.IsRejected)
                         {
                             context.Reject(
-                                error: @event.Error ?? Errors.InvalidGrant,
+                                error: @event.Error ?? Errors.InvalidRequest,
                                 description: @event.ErrorDescription,
                                 uri: @event.ErrorUri);
                             return;

src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs

@@ -299,7 +299,7 @@ namespace OpenIddict.Server
                         else if (@event.IsRejected)
                         {
                             context.Reject(
-                                error: @event.Error ?? Errors.InvalidGrant,
+                                error: @event.Error ?? Errors.InvalidRequest,
                                 description: @event.ErrorDescription,
                                 uri: @event.ErrorUri);
                             return;

src/OpenIddict.Server/OpenIddictServerHandlers.cs

@@ -55,7 +55,7 @@ namespace OpenIddict.Server
             /*
             * Sign-in processing:
             */
-            ValidateSigninDemand.Descriptor,
+            ValidateSignInDemand.Descriptor,
             RestoreInternalClaims.Descriptor,
             AttachDefaultScopes.Descriptor,
             AttachDefaultPresenters.Descriptor,
@@ -156,7 +156,6 @@ namespace OpenIddict.Server
                         .AppendLine("to validate a token for an invalid grant type (e.g password).")
                         .ToString());
 
-
                     default: throw new InvalidOperationException(new StringBuilder()
                         .AppendLine("An identity cannot be extracted from this request.")
                         .Append("This generally indicates that the OpenIddict server stack was asked ")
@@ -1221,14 +1220,14 @@ namespace OpenIddict.Server
         /// Contains the logic responsible of ensuring that the sign-in demand
         /// is compatible with the type of the endpoint that handled the request.
         /// </summary>
-        public class ValidateSigninDemand : IOpenIddictServerHandler<ProcessSignInContext>
+        public class ValidateSignInDemand : IOpenIddictServerHandler<ProcessSignInContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
             /// </summary>
             public static OpenIddictServerHandlerDescriptor Descriptor { get; }
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessSignInContext>()
-                    .UseSingletonHandler<ValidateSigninDemand>()
+                    .UseSingletonHandler<ValidateSignInDemand>()
                     .SetOrder(int.MinValue + 100_000)
                     .Build();
 
@@ -1303,7 +1302,7 @@ namespace OpenIddict.Server
                 if (string.IsNullOrEmpty(context.Principal.GetClaim(Claims.Subject)))
                 {
                     throw new InvalidOperationException(new StringBuilder()
-                        .AppendLine("The specified principal was rejected because the mandatory subject claim was missing.")
+                        .Append("The specified principal was rejected because the mandatory subject claim was missing.")
                         .ToString());
                 }
 
@@ -1322,7 +1321,7 @@ namespace OpenIddict.Server
             public static OpenIddictServerHandlerDescriptor Descriptor { get; }
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessSignInContext>()
                     .UseSingletonHandler<RestoreInternalClaims>()
-                    .SetOrder(ValidateSigninDemand.Descriptor.Order + 1_000)
+                    .SetOrder(ValidateSignInDemand.Descriptor.Order + 1_000)
                     .Build();
 
             /// <summary>
@@ -1754,6 +1753,13 @@ namespace OpenIddict.Server
                         return true;
                     }
 
+                    // Never exclude the presenters and scope private claims.
+                    if (string.Equals(claim.Type, Claims.Private.Presenters, StringComparison.OrdinalIgnoreCase) ||
+                        string.Equals(claim.Type, Claims.Private.Scopes, StringComparison.OrdinalIgnoreCase))
+                    {
+                        return true;
+                    }
+
                     // Never include the public or internal token identifiers to ensure the identifiers
                     // that are automatically inherited from the parent token are not reused for the new token.
                     if (string.Equals(claim.Type, Claims.JwtId, StringComparison.OrdinalIgnoreCase) ||
@@ -1807,22 +1813,13 @@ namespace OpenIddict.Server
                 // Set the public audiences collection using the private resource claims stored in the principal.
                 principal.SetAudiences(context.Principal.GetResources());
 
-                // Set the authorized party using the first presenters (typically the client identifier), if available.
-                principal.SetClaim(Claims.AuthorizedParty, context.Principal.GetPresenters().FirstOrDefault());
-
-                // Set the public scope claim using the private scope claims from the principal.
-                // Note: scopes are deliberately formatted as a single space-separated
-                // string to respect the usual representation of the standard scope claim.
-                // See https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02.
-                principal.SetClaim(Claims.Scope, string.Join(" ", context.Principal.GetScopes()));
-
                 // When receiving a grant_type=refresh_token request, determine whether the client application
                 // requests a limited set of scopes and immediately replace the scopes collection if necessary.
                 if (context.EndpointType == OpenIddictServerEndpointType.Token &&
                     context.Request.IsRefreshTokenGrantType() && !string.IsNullOrEmpty(context.Request.Scope))
                 {
                     var scopes = context.Request.GetScopes();
-                    principal.SetClaim(Claims.Scope, string.Join(" ", scopes.Intersect(context.Principal.GetScopes())));
+                    principal.SetScopes(scopes.Intersect(context.Principal.GetScopes()));
 
                     context.Logger.LogDebug("The access token scopes will be limited to the scopes " +
                                             "requested by the client application: {Scopes}.", scopes);
@@ -2695,6 +2692,26 @@ namespace OpenIddict.Server
                     return default;
                 }
 
+                // Copy the principal and exclude the presenters/scopes private claims,
+                // that are manually mapped to public standard azp/scope JWT claims.
+                var principal = context.AccessTokenPrincipal.Clone(claim => claim.Type switch
+                {
+                    Claims.Private.Presenters => false,
+                    Claims.Private.Scopes     => false,
+                    Claims.Private.TokenId    => false,
+
+                    _ => true
+                });
+
+                // Set the authorized party using the first presenters (typically the client identifier), if available.
+                principal.SetClaim(Claims.AuthorizedParty, context.AccessTokenPrincipal.GetPresenters().FirstOrDefault());
+
+                // Set the public scope claim using the private scope claims from the principal.
+                // Note: scopes are deliberately formatted as a single space-separated
+                // string to respect the usual representation of the standard scope claim.
+                // See https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02.
+                principal.SetClaim(Claims.Scope, string.Join(" ", context.AccessTokenPrincipal.GetScopes()));
+
                 var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor
                 {
                     AdditionalHeaderClaims = new Dictionary<string, object>(StringComparer.Ordinal)
@@ -2704,7 +2721,7 @@ namespace OpenIddict.Server
                     Issuer = context.Issuer?.AbsoluteUri,
                     SigningCredentials = context.Options.SigningCredentials.FirstOrDefault(credentials =>
                         credentials.Key is SymmetricSecurityKey) ?? context.Options.SigningCredentials.First(),
-                    Subject = (ClaimsIdentity) context.AccessTokenPrincipal.Identity
+                    Subject = (ClaimsIdentity) principal.Identity
                 });
 
                 var credentials = context.Options.EncryptionCredentials.FirstOrDefault(
@@ -2723,7 +2740,7 @@ namespace OpenIddict.Server
                 context.Logger.LogTrace("The access token '{Identifier}' was successfully created: {Payload}. " +
                                         "The principal used to create the token contained the following claims: {Claims}.",
                                         context.AccessTokenPrincipal.GetClaim(Claims.JwtId),
-                                        context.Response.AccessToken, context.AccessTokenPrincipal.Claims);
+                                        context.Response.AccessToken, principal.Claims);
 
                 return default;
             }

src/OpenIddict.Server/OpenIddictServerProvider.cs

@@ -67,10 +67,6 @@ namespace OpenIddict.Server
                         _logger.LogDebug("The request was rejected in user code.");
                         return;
 
-                    case BaseValidatingTicketContext notification when notification.IsHandled:
-                        _logger.LogDebug("Authentication was handled in user code.");
-                        return;
-
                     default: continue;
                 }
             }

test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictExtensionsTests.cs

@@ -1362,7 +1362,7 @@ namespace OpenIddict.Abstractions.Tests.Primitives
             var identity = (ClaimsIdentity) null;
 
             // Act and assert
-            var exception = Assert.Throws<ArgumentNullException>(() => identity.Clone(c => true));
+            var exception = Assert.Throws<ArgumentNullException>(() => identity.Clone(claim => true));
 
             Assert.Equal("identity", exception.ParamName);
         }
@@ -1375,7 +1375,7 @@ namespace OpenIddict.Abstractions.Tests.Primitives
             identity.AddClaim("type", "value");
 
             // Act
-            var copy = identity.Clone(c => true);
+            var copy = identity.Clone(claim => true);
 
             // Assert
             Assert.Equal("value", copy.GetClaim("type"));
@@ -1389,7 +1389,7 @@ namespace OpenIddict.Abstractions.Tests.Primitives
             var principal = (ClaimsPrincipal) null;
 
             // Act and assert
-            var exception = Assert.Throws<ArgumentNullException>(() => principal.Clone(c => true));
+            var exception = Assert.Throws<ArgumentNullException>(() => principal.Clone(claim => true));
 
             Assert.Equal("principal", exception.ParamName);
         }
@@ -1404,7 +1404,7 @@ namespace OpenIddict.Abstractions.Tests.Primitives
             var principal = new ClaimsPrincipal(identity);
 
             // Act
-            var copy = principal.Clone(c => true);
+            var copy = principal.Clone(claim => true);
 
             // Assert
             Assert.Equal("Bob le Bricoleur", copy.GetClaim(Claims.Name));
@@ -1419,7 +1419,7 @@ namespace OpenIddict.Abstractions.Tests.Primitives
             identity.AddClaim("type", "value");
 
             // Act
-            var copy = identity.Clone(c => true);
+            var copy = identity.Clone(claim => true);
             copy.AddClaim("clone_type", "value");
 
             // Assert
@@ -1437,7 +1437,7 @@ namespace OpenIddict.Abstractions.Tests.Primitives
             var principal = new ClaimsPrincipal(identity);
 
             // Act
-            var copy = principal.Clone(c => true);
+            var copy = principal.Clone(claim => true);
             copy.SetClaim("clone_claim", "value");
 
             // Assert

test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Exchange.cs

@@ -300,7 +300,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.AuthorizationCode, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetExpirationDate(DateTimeOffset.UtcNow - TimeSpan.FromDays(1));
+                            .SetExpirationDate(DateTimeOffset.UtcNow - TimeSpan.FromDays(1))
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -338,7 +339,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.RefreshToken, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetExpirationDate(DateTimeOffset.UtcNow - TimeSpan.FromDays(1));
+                            .SetExpirationDate(DateTimeOffset.UtcNow - TimeSpan.FromDays(1))
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -375,7 +377,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.AuthorizationCode, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetPresenters(Enumerable.Empty<string>());
+                            .SetPresenters(Enumerable.Empty<string>())
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -414,7 +417,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.AuthorizationCode, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetPresenters("Contoso");
+                            .SetPresenters("Contoso")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -452,7 +456,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.RefreshToken, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetPresenters("Contoso");
+                            .SetPresenters("Contoso")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -491,6 +496,7 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.RedirectUri, "http://www.fabrikam.com/callback");
 
                         return default;
@@ -531,6 +537,7 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.RedirectUri, "http://www.fabrikam.com/callback");
 
                         return default;
@@ -572,6 +579,7 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.CodeChallenge, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
                             .SetClaim(Claims.Private.CodeChallengeMethod, CodeChallengeMethods.Sha256);
 
@@ -613,6 +621,7 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.CodeChallenge, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
                             .SetClaim(Claims.Private.CodeChallengeMethod, null);
 
@@ -655,6 +664,7 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.CodeChallenge, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
                             .SetClaim(Claims.Private.CodeChallengeMethod, "custom_code_challenge_method");
 
@@ -699,6 +709,7 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.CodeChallenge, challenge)
                             .SetClaim(Claims.Private.CodeChallengeMethod, method);
 
@@ -741,8 +752,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.AuthorizationCode, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetClaim(Claims.Subject, "Bob le Magnifique")
                             .SetPresenters("Fabrikam")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetClaim(Claims.Private.CodeChallenge, challenge)
                             .SetClaim(Claims.Private.CodeChallengeMethod, method);
 
@@ -783,7 +794,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
-                            .SetScopes(Enumerable.Empty<string>());
+                            .SetScopes(Enumerable.Empty<string>())
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -823,7 +835,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
-                            .SetScopes("profile", "email");
+                            .SetScopes("profile", "email")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -862,7 +875,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.RefreshToken, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetScopes(Enumerable.Empty<string>());
+                            .SetScopes(Enumerable.Empty<string>())
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -900,7 +914,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.RefreshToken, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetScopes("profile", "email");
+                            .SetScopes("profile", "email")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1640,7 +1655,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
-                            .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+                            .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1691,7 +1707,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.RefreshToken, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
+                            .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1735,7 +1752,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.AuthorizationCode, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+                            .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1794,7 +1812,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
-                            .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
+                            .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1848,7 +1867,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
-                            .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+                            .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1915,7 +1935,8 @@ namespace OpenIddict.Server.FunctionalTests
                         Assert.Equal(TokenTypeHints.RefreshToken, context.TokenType);
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
+                            .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -1965,7 +1986,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2047,7 +2069,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2138,7 +2161,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2225,7 +2249,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2287,7 +2312,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2360,7 +2386,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2408,7 +2435,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2492,7 +2520,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2560,7 +2589,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2645,7 +2675,8 @@ namespace OpenIddict.Server.FunctionalTests
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetPresenters("Fabrikam")
                             .SetInternalTokenId("3E228451-1555-46F7-A471-951EFBA23A56")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2725,7 +2756,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2796,7 +2828,8 @@ namespace OpenIddict.Server.FunctionalTests
 
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
                             .SetInternalTokenId("60FFF7EA-F98E-437B-937E-5073CC313103")
-                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
+                            .SetInternalAuthorizationId("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         return default;
                     });
@@ -2878,9 +2911,9 @@ namespace OpenIddict.Server.FunctionalTests
                     builder.UseInlineHandler(context =>
                     {
                         context.Principal = new ClaimsPrincipal(new ClaimsIdentity("Bearer"))
-                            .SetClaim(Claims.Subject, "Bob le Bricoleur")
                             .SetPresenters("Fabrikam")
-                            .SetInternalTokenId("0270F515-C5B1-4FBF-B673-D7CAF7CCDABC");
+                            .SetInternalTokenId("0270F515-C5B1-4FBF-B673-D7CAF7CCDABC")
+                            .SetClaim(Claims.Subject, "Bob le Bricoleur");
 
                         if (context.Request.IsAuthorizationCodeGrantType())
                         {