Support live update of refresh tokens

10 years ago · bf5b44981b
2 changed files with 22 additions and 3 deletions
--- a/src/OpenIddict.Core/OpenIddictProvider.Authentication.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.Authentication.cs
@ -13,6 +13,7 @@ using System.Threading.Tasks;
 using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Server;
 using Microsoft.AspNet.Authentication;
+using Microsoft.AspNet.Http.Authentication;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Internal;

@ -160,7 +161,8 @@ namespace OpenIddict {
            // Create a new authentication ticket holding the user identity.
            var ticket = new AuthenticationTicket(
                new ClaimsPrincipal(identity),
-                null, context.Options.AuthenticationScheme);
+                new AuthenticationProperties(),
+                context.Options.AuthenticationScheme);

            ticket.SetResources(context.Request.GetResources());
            ticket.SetScopes(context.Request.GetScopes());
--- a/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
@ -11,6 +11,7 @@ using System.Threading.Tasks;
 using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Server;
 using Microsoft.AspNet.Authentication;
+using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Identity;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Internal;
@ -108,7 +109,8 @@ namespace OpenIddict {
            // holding the application identity.
            var ticket = new AuthenticationTicket(
                new ClaimsPrincipal(identity),
-                null, context.Options.AuthenticationScheme);
+                new AuthenticationProperties(),
+                context.Options.AuthenticationScheme);

            ticket.SetResources(context.Request.GetResources());
            ticket.SetScopes(context.Request.GetScopes());
@ -147,6 +149,20 @@ namespace OpenIddict {

                return;
            }
+
+            // Note: the "scopes" property stored in context.AuthenticationTicket is automatically
+            // updated by ASOS when the client application requests a restricted scopes collection.
+            var identity = await manager.CreateIdentityAsync(user, context.AuthenticationTicket.GetScopes());
+            Debug.Assert(identity != null);
+
+            // Create a new authentication ticket holding the user identity but
+            // reuse the authentication properties stored in the refresh token.
+            var ticket = new AuthenticationTicket(
+                new ClaimsPrincipal(identity),
+                context.AuthenticationTicket.Properties,
+                context.Options.AuthenticationScheme);
+
+            context.Validate(ticket);
        }

        public override async Task GrantResourceOwnerCredentials([NotNull] GrantResourceOwnerCredentialsContext context) {
@ -214,7 +230,8 @@ namespace OpenIddict {
            // Create a new authentication ticket holding the user identity.
            var ticket = new AuthenticationTicket(
                new ClaimsPrincipal(identity),
-                null, context.Options.AuthenticationScheme);
+                new AuthenticationProperties(),
+                context.Options.AuthenticationScheme);

            ticket.SetResources(context.Request.GetResources());
            ticket.SetScopes(context.Request.GetScopes());