From 8f2ee984d25dca634b49548c685f779e10e28547 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Mon, 20 Feb 2023 18:15:20 +0100
Subject: [PATCH] Update the ADFS provider to support configuring the requested resources
---
 .../OpenIddictClientSystemIntegrationHandlers.cs | 2 +-
 .../OpenIddictClientWebIntegrationHandlers.cs | 9 +++++++++
 .../OpenIddictClientWebIntegrationProviders.xml | 4 ++++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
index c7ce6f8e..ccf4d1a3 100644
--- a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
@@ -1321,7 +1321,7 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
 = OpenIddictClientHandlerDescriptor.CreateBuilder()
 .AddFilter()
 .UseSingletonHandler()
- .SetOrder(SendUserinfoRequest.Descriptor.Order + 500)
+ .SetOrder(ValidateUserinfoTokenSubject.Descriptor.Order + 500)
 .SetType(OpenIddictClientHandlerType.BuiltIn)
 .Build();

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index 7b47c129..dd830fd0 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -673,6 +673,15 @@ public static partial class OpenIddictClientWebIntegrationHandlers
 throw new ArgumentNullException(nameof(context));
 }

+ // Active Directory Federation Services allows sending a custom "resource"
+ // parameter to define what API resources the access token will give access to.
+ if (context.Registration.ProviderName is Providers.ActiveDirectoryFederationServices)
+ {
+ var options = context.Registration.GetActiveDirectoryFederationServicesOptions();
+
+ context.Request["resource"] = options.Resource;
+ }
+
 // By default, Google doesn't return a refresh token but allows sending an "access_type"
 // parameter to retrieve one (but it is only returned during the first authorization dance).
 if (context.Registration.ProviderName is Providers.Google)
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index 9fc27b13..2ddab692 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -24,6 +24,9 @@ + + +
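Review bot: The parameter name on the `context.Request["resource"] = options.Resource;` line is a bare string literal although `resource` is the RFC 8707 resource-indicator parameter OpenIddict already names as `Parameters.Resource`; `context.Request[Parameters.Resource] = options.Resource;` keeps the two in sync and is refactor-safe. The assignment is also made for every ADFS registration whether or not `Resource` was configured; if the indexer drops the parameter on a null value (as OpenIddictMessage.SetParameter appears to do) that is fine but deserves a short comment such as `// A null Resource removes the parameter rather than sending an empty one.`, otherwise a `string.IsNullOrEmpty` guard is needed so an unconfigured registration does not send `resource=`. Since `resource` selects the audience of the access token ADFS issues, the value is security-relevant and a test covering both the configured and unconfigured cases would be worth adding. The enclosing method begins before this hunk.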