From b84754f5a0b8a7dbd72be133aec5a6671399f787 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 10 Jan 2017 02:57:00 +0100
Subject: [PATCH] Use the ExtractUserinfoRequest event to bypass the default token validation enforced by the OpenID Connect server middleware

---
 src/OpenIddict/OpenIddictProvider.Userinfo.cs | 8 ++++-
 .../OpenIddictProviderTests.Userinfo.cs | 32 +++----------------
 .../OpenIddictProviderTests.cs | 5 +--
 3 files changed, 14 insertions(+), 31 deletions(-)

diff --git a/src/OpenIddict/OpenIddictProvider.Userinfo.cs b/src/OpenIddict/OpenIddictProvider.Userinfo.cs
index 2e764992..2f9d7369 100644
--- a/src/OpenIddict/OpenIddictProvider.Userinfo.cs
+++ b/src/OpenIddict/OpenIddictProvider.Userinfo.cs
@@ -11,7 +11,13 @@ using JetBrains.Annotations;
 namespace OpenIddict {
     public partial class OpenIddictProvider : OpenIdConnectServerProvider
         where TApplication : class where TAuthorization : class where TScope : class where TToken : class {
-        public override Task HandleUserinfoRequest([NotNull] HandleUserinfoRequestContext context) {
+        public override Task ExtractUserinfoRequest([NotNull] ExtractUserinfoRequestContext context) {
+            // Note: when enabling the userinfo endpoint, OpenIddict users are intended
+            // to handle the userinfo requests in their own code (e.g in a MVC controller).
+            // To avoid validating the access token twice, the default logic enforced by
+            // the OpenID Connect server is bypassed using the ExtractUserinfoRequest event,
+            // which is invoked before the access token is extracted from the userinfo request.
+
             // Invoke the rest of the pipeline to allow
             // the user code to handle the userinfo request.
             context.SkipToNextMiddleware();
diff --git a/test/OpenIddict.Tests/OpenIddictProviderTests.Userinfo.cs b/test/OpenIddict.Tests/OpenIddictProviderTests.Userinfo.cs
index e6e35d56..2786c848 100644
--- a/test/OpenIddict.Tests/OpenIddictProviderTests.Userinfo.cs
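Review bot: The new comment explains why the server's validation is bypassed but not what the user code now owes in return: once `context.SkipToNextMiddleware();` runs from `ExtractUserinfoRequest`, no access token has been extracted or validated, so a userinfo request with a missing, expired or forged bearer token reaches the user's handler unchallenged unless that handler authenticates the caller itself. I would extend the note with `// Consequently, user code is solely responsible for authenticating the caller (e.g. by requiring the OpenID Connect server scheme on the userinfo action); a request reaching it has not been checked.` It is also worth stating — hedged, since the server's default userinfo handler is not visible here — that whatever bearer extraction that handler performed (Authorization header into the request) is skipped as well, so user code cannot assume the token is already populated on the request. The method body, including its return statement, continues outside the hunk.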
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.Userinfo.cs @@ -1,37 +1,14 @@ -using System.Security.Claims; -using System.Threading.Tasks; +using System.Threading.Tasks; using AspNet.Security.OpenIdConnect.Client; -using AspNet.Security.OpenIdConnect.Extensions; using AspNet.Security.OpenIdConnect.Primitives; -using AspNet.Security.OpenIdConnect.Server; -using Microsoft.AspNetCore.Authentication; -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http.Authentication; -using Moq; using Xunit; namespace OpenIddict.Tests { public partial class OpenIddictProviderTests { [Fact] - public async Task HandleUserinfoRequest_RequestIsHandledByUserCode() { + public async Task ExtractUserinfoRequest_RequestIsHandledByUserCode() { // Arrange - var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme); - identity.AddClaim(ClaimTypes.NameIdentifier, "Bob le Bricoleur"); - - var ticket = new AuthenticationTicket( - new ClaimsPrincipal(identity), - new AuthenticationProperties(), - OpenIdConnectServerDefaults.AuthenticationScheme); - - var format = new Mock>(); - - format.Setup(mock => mock.Unprotect("SlAV32hkKG")) - .Returns(ticket); - - var server = CreateAuthorizationServer(builder => { - builder.Configure(options => options.AccessTokenFormat = format.Object); - }); - + var server = CreateAuthorizationServer(); var client = new OpenIdConnectClient(server.CreateClient()); // Act @@ -40,9 +17,8 @@ namespace OpenIddict.Tests { }); // Assert + Assert.Equal("SlAV32hkKG", (string) response[OpenIdConnectConstants.Parameters.AccessToken]); Assert.Equal("Bob le Bricoleur", (string) response[OpenIdConnectConstants.Claims.Subject]); - - format.Verify(mock => mock.Unprotect("SlAV32hkKG"), Times.Once()); } } } diff --git a/test/OpenIddict.Tests/OpenIddictProviderTests.cs b/test/OpenIddict.Tests/OpenIddictProviderTests.cs index 1a2ffebd..5dfb2e7f 100644 --- a/test/OpenIddict.Tests/OpenIddictProviderTests.cs 
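Review bot: Dropping `format.Verify(mock => mock.Unprotect("SlAV32hkKG"), Times.Once());` leaves the suite with no test that exercises a userinfo request carrying no access token or an unexpected one; `ExtractUserinfoRequest_RequestIsHandledByUserCode` now only proves that a token value is relayed verbatim to user code. Since the commit deliberately moves token validation out of the middleware, a companion test that sends a userinfo request without an access token and asserts the fixture's observable outcome would pin the new contract and catch a future change that silently reintroduces or drops the server-side check. The `// Act` section of the test lies between the two hunks and is not visible here.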
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.cs
@@ -120,9 +120,9 @@ namespace OpenIddict.Tests {
                 app.UseOpenIddict();
                 app.Run(context => {
-                    if (context.Request.Path == AuthorizationEndpoint || context.Request.Path == TokenEndpoint) {
-                        var request = context.GetOpenIdConnectRequest();
+                    var request = context.GetOpenIdConnectRequest();
+                    if (context.Request.Path == AuthorizationEndpoint || context.Request.Path == TokenEndpoint) {
                         var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
                         identity.AddClaim(ClaimTypes.NameIdentifier, "Bob le Magnifique");
@@ -144,6 +144,7 @@ namespace OpenIddict.Tests {
                     context.Response.Headers[HeaderNames.ContentType] = "application/json";
                     return context.Response.WriteAsync(JsonConvert.SerializeObject(new {
+                        access_token = request.AccessToken,
                         sub = "Bob le Bricoleur"
                     }));
                 }
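Review bot: Hoisting `var request = context.GetOpenIdConnectRequest();` above the endpoint check makes it run for every path the fixture serves, and the second hunk (`@@ -144`) dereferences it as `request.AccessToken` with no null check; if `GetOpenIdConnectRequest()` can return null for a path the middleware did not process, the fixture will fail with a NullReferenceException rather than a readable assertion. A guard such as `if (request == null) { context.Response.StatusCode = 400; return Task.CompletedTask; }` — or at minimum a comment stating that this test app only ever receives OpenIddict-handled paths — would make that assumption explicit. Echoing the bearer token back in the JSON body is acceptable for a test double but deserves a comment, e.g. `// Test-only: echo the token so the test can assert it reached user code unmodified.`, so the pattern is not copied into a real userinfo handler. The lambda passed to `app.Run` begins and ends outside the visible hunks.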