From d39ebfe27d29a8976051e29f122daf74adf86fb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Mon, 17 Jul 2017 20:35:38 +0200
Subject: [PATCH] Introduce OpenIddictBuilder.AddEncryptingKey()
---
 src/OpenIddict.Core/OpenIddictBuilder.cs | 4 --
 src/OpenIddict/OpenIddictExtensions.cs | 22 ++++++++++
 .../OpenIddictExtensionsTests.cs | 43 ++++++++++++++-----
 3 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/src/OpenIddict.Core/OpenIddictBuilder.cs b/src/OpenIddict.Core/OpenIddictBuilder.cs
index 47b549a9..a1af2bc2 100644
--- a/src/OpenIddict.Core/OpenIddictBuilder.cs
+++ b/src/OpenIddict.Core/OpenIddictBuilder.cs
@@ -10,10 +10,6 @@ using JetBrains.Annotations;
 using OpenIddict.Core;
 using OpenIddict.Models;
-#if NETSTANDARD1_3
-using System.Reflection;
-#endif
-
 namespace Microsoft.Extensions.DependencyInjection
 {
 ///
diff --git a/src/OpenIddict/OpenIddictExtensions.cs b/src/OpenIddict/OpenIddictExtensions.cs
index a4970cd0..9f8adb9d 100644
--- a/src/OpenIddict/OpenIddictExtensions.cs
+++ b/src/OpenIddict/OpenIddictExtensions.cs
@@ -132,6 +132,28 @@ namespace Microsoft.AspNetCore.Builder
 return builder.Configure(options => options.SigningCredentials.AddEphemeralKey(algorithm));
 }
+ ///
+ /// Registers a used to encrypt the JWT access tokens issued by OpenIddict.
+ ///
+ /// The services builder used by OpenIddict to register new services.
+ /// The security key.
+ /// The .
+ public static OpenIddictBuilder AddEncryptingKey(
+ [NotNull] this OpenIddictBuilder builder, [NotNull] SecurityKey key)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (key == null)
+ {
+ throw new ArgumentNullException(nameof(key));
+ }
+
+ return builder.Configure(options => options.EncryptingCredentials.AddKey(key));
+ }
+
 ///
 /// Registers a that is used to sign the JWT tokens issued by OpenIddict.
 ///
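Review bot: `AddEncryptingKey` accepts any `SecurityKey`, and its XML doc does not say which key types or algorithms are usable or when an unsuitable key is reported. The key only reaches `options.EncryptingCredentials.AddKey(key)` inside the `builder.Configure` callback, so a key the provider cannot use would presumably fail when the options are built rather than at this call; `AddKey` itself is outside the hunk, and the test in this commit exercises only a key whose factory reports support for `Aes256KW`. I would add a remarks line such as `/// <remarks>The key must support the key-wrapping algorithm selected by AddKey; an unsupported key is reported when the options are resolved.</remarks>` and note there that the key is secret material to be loaded from protected storage rather than embedded in the application.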
diff --git a/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs b/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
index 109b12df..9b7e4e1a 100644
--- a/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
+++ b/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
@@ -53,13 +53,13 @@ namespace OpenIddict.Tests
 }
 [Theory]
- [InlineData(SecurityAlgorithms.RsaSha256Signature)]
- [InlineData(SecurityAlgorithms.RsaSha384Signature)]
- [InlineData(SecurityAlgorithms.RsaSha512Signature)]
+ [InlineData(SecurityAlgorithms.RsaSha256)]
+ [InlineData(SecurityAlgorithms.RsaSha384)]
+ [InlineData(SecurityAlgorithms.RsaSha512)]
 #if SUPPORTS_ECDSA
- [InlineData(SecurityAlgorithms.EcdsaSha256Signature)]
- [InlineData(SecurityAlgorithms.EcdsaSha384Signature)]
- [InlineData(SecurityAlgorithms.EcdsaSha512Signature)]
+ [InlineData(SecurityAlgorithms.EcdsaSha256)]
+ [InlineData(SecurityAlgorithms.EcdsaSha384)]
+ [InlineData(SecurityAlgorithms.EcdsaSha512)]
 #endif
 public void AddEphemeralSigningKey_SigningCredentialsUseSpecifiedAlgorithm(string algorithm)
 {
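Review bot: The `InlineData` rows switch from the `...Signature` constants to the short JWA names (`RsaSha256`, `EcdsaSha256`, …) with no visible production change and no mention in the commit message, so the reason is presumably a dependency update outside this patch. Because the theory asserts `Assert.Equal(algorithm, credentials.Algorithm)`, it no longer covers callers that still pass the `...Signature` identifiers. A comment above the theory, e.g. `// Algorithms are expressed as JWA names (RS256, ES256, ...), not XML-DSig URIs`, would record the intended contract. The same applies to the `AddSigningKey` theory in the next hunk; the test method body continues outside this hunk.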
@@ -77,13 +77,34 @@ namespace OpenIddict.Tests
 Assert.Equal(algorithm, credentials.Algorithm);
 }
+ [Fact]
+ public void AddEncryptingKey_EncryptingKeyIsCorrectlyAdded()
+ {
+ // Arrange
+ var services = CreateServices();
+ var builder = new OpenIddictBuilder(services);
+
+ var factory = Mock.Of(mock =>
+ mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW, It.IsAny()));
+
+ var key = Mock.Of(mock => mock.CryptoProviderFactory == factory);
+
+ // Act
+ builder.AddEncryptingKey(key);
+
+ var options = GetOptions(services);
+
+ // Assert
+ Assert.Same(key, options.EncryptingCredentials[0].Key);
+ }
+
 [Theory]
- [InlineData(SecurityAlgorithms.HmacSha256Signature)]
- [InlineData(SecurityAlgorithms.RsaSha256Signature)]
+ [InlineData(SecurityAlgorithms.HmacSha256)]
+ [InlineData(SecurityAlgorithms.RsaSha256)]
 #if SUPPORTS_ECDSA
- [InlineData(SecurityAlgorithms.EcdsaSha256Signature)]
- [InlineData(SecurityAlgorithms.EcdsaSha384Signature)]
- [InlineData(SecurityAlgorithms.EcdsaSha512Signature)]
+ [InlineData(SecurityAlgorithms.EcdsaSha256)]
+ [InlineData(SecurityAlgorithms.EcdsaSha384)]
+ [InlineData(SecurityAlgorithms.EcdsaSha512)]
 #endif
 public void AddSigningKey_SigningKeyIsCorrectlyAdded(string algorithm)
 {
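Review bot: The new test asserts only that the key instance is stored (`Assert.Same(key, options.EncryptingCredentials[0].Key)`) and never checks which algorithm the credentials ended up with, so a change in `AddKey` that selects a different or weaker key-wrap algorithm would pass unnoticed. Adding `Assert.Equal(SecurityAlgorithms.Aes256KW, options.EncryptingCredentials[0].Alg);` would pin it, assuming Aes256KW is what `AddKey` selects for this mock (that code is outside the patch). The null guards added in `AddEncryptingKey` also have no test visible in this patch. The hunk opens inside the preceding test and ends at the opening brace of `AddSigningKey_SigningKeyIsCorrectlyAdded`.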