Introduce OpenIddictBuilder.AddEncryptingKey()

src/OpenIddict.Core/OpenIddictBuilder.cs

@@ -10,10 +10,6 @@ using JetBrains.Annotations;
 using OpenIddict.Core;
 using OpenIddict.Models;
 
-#if NETSTANDARD1_3
-using System.Reflection;
-#endif
-
 namespace Microsoft.Extensions.DependencyInjection
 {
     /// <summary>

src/OpenIddict/OpenIddictExtensions.cs

@@ -132,6 +132,28 @@ namespace Microsoft.AspNetCore.Builder
             return builder.Configure(options => options.SigningCredentials.AddEphemeralKey(algorithm));
         }
 
+        /// <summary>
+        /// Registers a <see cref="SecurityKey"/> used to encrypt the JWT access tokens issued by OpenIddict.
+        /// </summary>
+        /// <param name="builder">The services builder used by OpenIddict to register new services.</param>
+        /// <param name="key">The security key.</param>
+        /// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
+        public static OpenIddictBuilder AddEncryptingKey(
+            [NotNull] this OpenIddictBuilder builder, [NotNull] SecurityKey key)
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            if (key == null)
+            {
+                throw new ArgumentNullException(nameof(key));
+            }
+
+            return builder.Configure(options => options.EncryptingCredentials.AddKey(key));
+        }
+
         /// <summary>
         /// Registers a <see cref="X509Certificate2"/> that is used to sign the JWT tokens issued by OpenIddict.
         /// </summary>

test/OpenIddict.Tests/OpenIddictExtensionsTests.cs

@@ -53,13 +53,13 @@ namespace OpenIddict.Tests
         }
 
         [Theory]
-        [InlineData(SecurityAlgorithms.RsaSha256Signature)]
-        [InlineData(SecurityAlgorithms.RsaSha384Signature)]
-        [InlineData(SecurityAlgorithms.RsaSha512Signature)]
+        [InlineData(SecurityAlgorithms.RsaSha256)]
+        [InlineData(SecurityAlgorithms.RsaSha384)]
+        [InlineData(SecurityAlgorithms.RsaSha512)]
 #if SUPPORTS_ECDSA
-        [InlineData(SecurityAlgorithms.EcdsaSha256Signature)]
-        [InlineData(SecurityAlgorithms.EcdsaSha384Signature)]
-        [InlineData(SecurityAlgorithms.EcdsaSha512Signature)]
+        [InlineData(SecurityAlgorithms.EcdsaSha256)]
+        [InlineData(SecurityAlgorithms.EcdsaSha384)]
+        [InlineData(SecurityAlgorithms.EcdsaSha512)]
 #endif
         public void AddEphemeralSigningKey_SigningCredentialsUseSpecifiedAlgorithm(string algorithm)
         {
@@ -77,13 +77,34 @@ namespace OpenIddict.Tests
             Assert.Equal(algorithm, credentials.Algorithm);
         }
 
+        [Fact]
+        public void AddEncryptingKey_EncryptingKeyIsCorrectlyAdded()
+        {
+            // Arrange
+            var services = CreateServices();
+            var builder = new OpenIddictBuilder(services);
+
+            var factory = Mock.Of<CryptoProviderFactory>(mock =>
+                mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW, It.IsAny<SecurityKey>()));
+
+            var key = Mock.Of<SecurityKey>(mock => mock.CryptoProviderFactory == factory);
+
+            // Act
+            builder.AddEncryptingKey(key);
+
+            var options = GetOptions(services);
+
+            // Assert
+            Assert.Same(key, options.EncryptingCredentials[0].Key);
+        }
+
         [Theory]
-        [InlineData(SecurityAlgorithms.HmacSha256Signature)]
-        [InlineData(SecurityAlgorithms.RsaSha256Signature)]
+        [InlineData(SecurityAlgorithms.HmacSha256)]
+        [InlineData(SecurityAlgorithms.RsaSha256)]
 #if SUPPORTS_ECDSA
-        [InlineData(SecurityAlgorithms.EcdsaSha256Signature)]
-        [InlineData(SecurityAlgorithms.EcdsaSha384Signature)]
-        [InlineData(SecurityAlgorithms.EcdsaSha512Signature)]
+        [InlineData(SecurityAlgorithms.EcdsaSha256)]
+        [InlineData(SecurityAlgorithms.EcdsaSha384)]
+        [InlineData(SecurityAlgorithms.EcdsaSha512)]
 #endif
         public void AddSigningKey_SigningKeyIsCorrectlyAdded(string algorithm)
         {