From e41b0260bdd7b5efeb47cf1843231350650ea709 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 7 Mar 2017 02:59:36 +0100
Subject: [PATCH] Add a comment indicating how authorization codes/refresh tokens can be automatically invalidated when the security stamp is updated
---
 samples/Mvc.Server/Controllers/AuthorizationController.cs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/samples/Mvc.Server/Controllers/AuthorizationController.cs b/samples/Mvc.Server/Controllers/AuthorizationController.cs
index fb83eb65..9b05179e 100644
--- a/samples/Mvc.Server/Controllers/AuthorizationController.cs
+++ b/samples/Mvc.Server/Controllers/AuthorizationController.cs
@@ -231,6 +231,9 @@ namespace Mvc.Server
 OpenIdConnectServerDefaults.AuthenticationScheme);
 // Retrieve the user profile corresponding to the authorization code/refresh token.
+ // Note: if you want to automatically invalidate the authorization code/refresh token
+ // when the user password/roles change, use the following line instead:
+ // var user = _signInManager.ValidateSecurityStampAsync(info.Principal);
 var user = await _userManager.GetUserAsync(info.Principal);
 if (user == null) {
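Review bot: The commented-out alternative on the third added line omits `await`, unlike the live `GetUserAsync` call directly below it. Copied as written, `user` would hold a `Task` instead of the user object, so the `if (user == null)` check that follows could never trigger for a stale security stamp (assuming the rest of the method even compiles against it). I would write the line as `// var user = await _signInManager.ValidateSecurityStampAsync(info.Principal);` and extend the note with `// (returns null when the stamp no longer matches, so the null check below handles it)`. The enclosing action starts and ends outside the hunk, so whether `_signInManager` is injected into this controller and what the null branch returns cannot be confirmed from here.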