diff --git a/src/OpenIddict.Core/OpenIddictProvider.Authentication.cs b/src/OpenIddict.Core/OpenIddictProvider.Authentication.cs
index 79336d4d..334fe80c 100644
--- a/src/OpenIddict.Core/OpenIddictProvider.Authentication.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.Authentication.cs
@@ -13,6 +13,7 @@ using System.Threading.Tasks;
 using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Server;
 using Microsoft.AspNet.Authentication;
+using Microsoft.AspNet.Http.Authentication;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Internal;
@@ -160,7 +161,8 @@ namespace OpenIddict {
 // Create a new authentication ticket holding the user identity.
 var ticket = new AuthenticationTicket(
 new ClaimsPrincipal(identity),
- null, context.Options.AuthenticationScheme);
+ new AuthenticationProperties(),
+ context.Options.AuthenticationScheme);
 ticket.SetResources(context.Request.GetResources());
 ticket.SetScopes(context.Request.GetScopes());
diff --git a/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs b/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
index 16100cac..3288867b 100644
--- a/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.Exchange.cs
@@ -11,6 +11,7 @@ using System.Threading.Tasks;
 using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Server;
 using Microsoft.AspNet.Authentication;
+using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Identity;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Internal;
@@ -108,7 +109,8 @@ namespace OpenIddict {
 // holding the application identity.
 var ticket = new AuthenticationTicket(
 new ClaimsPrincipal(identity),
- null, context.Options.AuthenticationScheme);
+ new AuthenticationProperties(),
+ context.Options.AuthenticationScheme);
 ticket.SetResources(context.Request.GetResources());
 ticket.SetScopes(context.Request.GetScopes());
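Review bot: The replacement of `null` by `new AuthenticationProperties()` in the ticket constructor is not explained at the construction site, and the same change is repeated in the Exchange.cs hunks at lines 108 and 214, so a later reader is likely to treat the empty properties object as cosmetic and revert it. Presumably the non-null instance is required because the following `ticket.SetResources(...)` and `ticket.SetScopes(...)` calls store their values in the ticket's properties, which would fail on a null reference; if that is the reason, record it with `// Properties must be non-null: SetResources/SetScopes below store their values in the ticket properties.` on the line before `var ticket`. Leaving the properties otherwise empty also means no `IssuedUtc`/`ExpiresUtc` is set here, so token lifetimes fall back to whatever the server handler applies downstream — worth a word in the same comment if that is intended. The enclosing method starts and ends outside the hunk.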
@@ -147,6 +149,20 @@ namespace OpenIddict {
 return;
 }
+
+ // Note: the "scopes" property stored in context.AuthenticationTicket is automatically
+ // updated by ASOS when the client application requests a restricted scopes collection.
+ var identity = await manager.CreateIdentityAsync(user, context.AuthenticationTicket.GetScopes());
+ Debug.Assert(identity != null);
+
+ // Create a new authentication ticket holding the user identity but
+ // reuse the authentication properties stored in the refresh token.
+ var ticket = new AuthenticationTicket(
+ new ClaimsPrincipal(identity),
+ context.AuthenticationTicket.Properties,
+ context.Options.AuthenticationScheme);
+
+ context.Validate(ticket);
 }
 public override async Task GrantResourceOwnerCredentials([NotNull] GrantResourceOwnerCredentialsContext context) {
@@ -214,7 +230,8 @@ namespace OpenIddict {
 // Create a new authentication ticket holding the user identity.
 var ticket = new AuthenticationTicket(
 new ClaimsPrincipal(identity),
- null, context.Options.AuthenticationScheme);
+ new AuthenticationProperties(),
+ context.Options.AuthenticationScheme);
 ticket.SetResources(context.Request.GetResources());
 ticket.SetScopes(context.Request.GetScopes());
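Review bot: The new ticket in the refresh-token path passes `context.AuthenticationTicket.Properties` by reference, so the refreshed tokens share one `AuthenticationProperties` instance with the ticket deserialized from the incoming refresh token — including whatever `IssuedUtc`/`ExpiresUtc` that token carried. Unless the server handler is known to reset those timestamps when it serializes the new access and refresh tokens (worth confirming, since it decides whether a refresh yields a fixed-lifetime or a sliding token chain), copy the items into a fresh instance, e.g. `new AuthenticationProperties(new Dictionary<string, string>(context.AuthenticationTicket.Properties.Items))`, so the lifetime is reassigned rather than inherited and later mutations of one ticket cannot leak into the other. Separately, `Debug.Assert(identity != null)` is compiled out of release builds, where a null identity would surface as an `ArgumentNullException` from `new ClaimsPrincipal(identity)` instead of an explicit rejection of the request; a real null check that rejects the grant would be safer. The enclosing grant method, including where `user` and `manager` are obtained, starts outside the hunk.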