From e01bf880e534ab2c57201ceda9d2b0cc449bb7da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Sat, 4 Mar 2017 13:11:10 +0100 Subject: [PATCH] Update the Mvc.Server sample to show how the default encrypted token format can be replaced by JWT --- .../Controllers/AuthorizationController.cs | 2 + samples/Mvc.Server/Startup.cs | 58 +++++++++++++------ 2 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/samples/Mvc.Server/Controllers/AuthorizationController.cs b/samples/Mvc.Server/Controllers/AuthorizationController.cs
index e300969d..cdc31650 100644
--- a/samples/Mvc.Server/Controllers/AuthorizationController.cs
+++ b/samples/Mvc.Server/Controllers/AuthorizationController.cs
@@ -300,6 +300,8 @@ namespace Mvc.Server }.Intersect(request.GetScopes())); } + ticket.SetResources("resource_server"); + return ticket; } }
diff --git a/samples/Mvc.Server/Startup.cs b/samples/Mvc.Server/Startup.cs
index 55d613e5..4b9d6c7f 100644
--- a/samples/Mvc.Server/Startup.cs
+++ b/samples/Mvc.Server/Startup.cs 
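Review bot: `ticket.SetResources("resource_server")` hard-codes the audience the access token is bound to, and the same literal reappears in the commented JwtBearerOptions block (`Audience = "resource_server"`) added to Startup.cs in this patch; if either copy drifts, the resource server rejects every token on an audience mismatch, which is not obvious from the sample. Consider lifting the value into a shared constant or configuration entry and adding `// Bind the token to the resource server that will consume it; must match the Audience that server validates.` above the call. The enclosing method starts outside this hunk, so the rest of the ticket construction cannot be checked here.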
@@ -53,41 +53,47 @@ namespace Mvc.Server }); // Register the OpenIddict services. - services.AddOpenIddict() + services.AddOpenIddict(options => + { // Register the Entity Framework stores. - .AddEntityFrameworkCoreStores() + options.AddEntityFrameworkCoreStores(); // Register the ASP.NET Core MVC binder used by OpenIddict. // Note: if you don't call this method, you won't be able to // bind OpenIdConnectRequest or OpenIdConnectResponse parameters. - .AddMvcBinders() + options.AddMvcBinders(); // Enable the authorization, logout, token and userinfo endpoints. - .EnableAuthorizationEndpoint("/connect/authorize") - .EnableLogoutEndpoint("/connect/logout") - .EnableTokenEndpoint("/connect/token") - .EnableUserinfoEndpoint("/api/userinfo") + options.EnableAuthorizationEndpoint("/connect/authorize") + .EnableLogoutEndpoint("/connect/logout") + .EnableTokenEndpoint("/connect/token") + .EnableUserinfoEndpoint("/api/userinfo"); // Note: the Mvc.Client sample only uses the code flow and the password flow, but you // can enable the other flows if you need to support implicit or client credentials. - .AllowAuthorizationCodeFlow() - .AllowPasswordFlow() - .AllowRefreshTokenFlow() + options.AllowAuthorizationCodeFlow() + .AllowPasswordFlow() + .AllowRefreshTokenFlow(); // Make the "client_id" parameter mandatory when sending a token request. - .RequireClientIdentification() - - // During development, you can disable the HTTPS requirement. - .DisableHttpsRequirement() - - .SetAccessTokenLifetime(TimeSpan.FromSeconds(15)) + options.RequireClientIdentification(); // When request caching is enabled, authorization and logout requests // are stored in the distributed cache by OpenIddict and the user agent // is redirected to the same page with a single parameter (request_id). // This allows flowing large OpenID Connect requests even when using // an external authentication provider like Google, Facebook or Twitter. 
- .EnableRequestCaching(); + options.EnableRequestCaching(); + + // During development, you can disable the HTTPS requirement. + options.DisableHttpsRequirement(); + + // Note: to use JWT access tokens instead of the default + // encrypted format, the following lines are required: + // + // options.UseJsonWebTokens(); + // options.AddEphemeralSigningKey(); + }); services.AddTransient(); services.AddTransient();
@@ -105,6 +111,24 @@ namespace Mvc.Server // tokens and protect the API endpoints. branch.UseOAuthValidation(); + // If you prefer using JWT, don't forget to disable the automatic + // JWT -> WS-Federation claims mapping used by the JWT middleware: + // + // JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); + // JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear(); + // + // branch.UseJwtBearerAuthentication(new JwtBearerOptions + // { + // Authority = "http://localhost:54540/", + // Audience = "resource_server", + // RequireHttpsMetadata = false, + // TokenValidationParameters = new TokenValidationParameters + // { + // NameClaimType = OpenIdConnectConstants.Claims.Subject, + // RoleClaimType = OpenIdConnectConstants.Claims.Role + // } + // }); + // Alternatively, you can also use the introspection middleware. // Using it is recommended if your resource server is in a // different application/separated from the authorization server.
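Review bot: `options.DisableHttpsRequirement();` is still called unconditionally, so the sample as committed accepts plain-HTTP OpenID Connect endpoints in every environment even though the comment above it describes a development-only setting; guarding it, for example `if (env.IsDevelopment()) { options.DisableHttpsRequirement(); }`, keeps the default safe, assuming a hosting-environment instance is reachable from this method (its signature lies outside the hunk). The new comment on `options.AddEphemeralSigningKey();` should also state that the key is generated at each process start, so tokens issued before a restart or by another instance fail signature validation, and a persisted signing key or certificate is needed beyond local testing. The hunk begins on the previous physical line and the enclosing method starts outside it.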
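Review bot: The commented JwtBearerOptions sample sets `Authority = "http://localhost:54540/"` and `RequireHttpsMetadata = false` without marking them as local-development values, and `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear()` mutates a process-wide static that affects every JWT handler in the application, not only this branch. Suggest prefixing the block with `// Development-only values: use an https Authority and leave RequireHttpsMetadata at its default outside local testing.` and adding next to the two Clear() calls that they change global state and should run once at startup. The enclosing method starts and ends outside this hunk.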