From f9f9c599e903fea0ef4400a194b397d5c269b3af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 18 Sep 2020 16:45:03 +0200
Subject: [PATCH] Use the new SecurityTokenDescriptor.TokenType property

---
Directory.Packages.props | 4 +-
...ServerAspNetCoreHandlers.Authentication.cs | 15 +--
...nIddictServerAspNetCoreHandlers.Session.cs | 15 +--
...IddictServerOwinHandlers.Authentication.cs | 15 +--
.../OpenIddictServerOwinHandlers.Session.cs | 15 +--
.../OpenIddictServerHandlers.cs | 100 +++++-------------
6 files changed, 39 insertions(+), 125 deletions(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index 968d4985..98fc604b 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -6,8 +6,8 @@ - - + +
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
index e2ce61bd..a40ce7be 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
@@ -229,26 +229,17 @@ namespace OpenIddict.Server.AspNetCore // Store the serialized authorization request parameters in the distributed cache. var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest - }, Audience = context.Issuer?.AbsoluteUri, Claims = context.Request.GetParameters().ToDictionary( parameter => parameter.Key, parameter => parameter.Value.Value), + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = new ClaimsIdentity() + Subject = new ClaimsIdentity(), + TokenType = JsonWebTokenTypes.Private.AuthorizationRequest }); - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: new Dictionary - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest - }); - // Note: the cache key is always prefixed with a specific marker // to avoid collisions with the other types of cached payloads. await _cache.SetStringAsync(Cache.AuthorizationRequest + context.Request.RequestId, diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs index 832852f6..973d5425 100644 --- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs +++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs 
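Review bot: The `typ` header of the outer JWE is now set only indirectly: the removed `EncryptToken(..., additionalHeaderClaims: ...)` call wrote `typ` on the encryption envelope explicitly, whereas the new code relies on `JsonWebTokenHandler` copying `TokenType` into both the inner JWS header and the JWE header. If the pinned Microsoft.IdentityModel version writes it to only one of them, any validation path that inspects the envelope `typ` to reject a token presented in the wrong role loses that guard silently, because `CreateToken` succeeds either way. A unit test that decodes the produced token and asserts `typ == JsonWebTokenTypes.Private.AuthorizationRequest` on both the JWE and the nested JWS would pin this; the same point applies to the Session.cs and OWIN hunks below and to every encrypted token in the OpenIddictServerHandlers.cs hunks. The enclosing handler method starts and ends outside the hunk.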
@@ -227,26 +227,17 @@ namespace OpenIddict.Server.AspNetCore // Store the serialized logout request parameters in the distributed cache. var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest - }, Audience = context.Issuer?.AbsoluteUri, Claims = context.Request.GetParameters().ToDictionary( parameter => parameter.Key, parameter => parameter.Value.Value), + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = new ClaimsIdentity() + Subject = new ClaimsIdentity(), + TokenType = JsonWebTokenTypes.Private.LogoutRequest }); - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: new Dictionary - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest - }); - // Note: the cache key is always prefixed with a specific marker // to avoid collisions with the other types of cached payloads. await _cache.SetStringAsync(Cache.LogoutRequest + context.Request.RequestId, diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs index f1d8145f..5995eef8 100644 --- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs +++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs 
@@ -223,26 +223,17 @@ namespace OpenIddict.Server.Owin // Store the serialized authorization request parameters in the distributed cache. var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest - }, Audience = context.Issuer?.AbsoluteUri, Claims = context.Request.GetParameters().ToDictionary( parameter => parameter.Key, parameter => parameter.Value.Value), + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = new ClaimsIdentity() + Subject = new ClaimsIdentity(), + TokenType = JsonWebTokenTypes.Private.AuthorizationRequest }); - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: new Dictionary - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationRequest - }); - // Note: the cache key is always prefixed with a specific marker // to avoid collisions with the other types of cached payloads. await _cache.SetStringAsync(Cache.AuthorizationRequest + context.Request.RequestId, diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs index daed01e9..eebfb781 100644 --- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs +++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs 
@@ -221,26 +221,17 @@ namespace OpenIddict.Server.Owin // Store the serialized logout request parameters in the distributed cache. var token = context.Options.JsonWebTokenHandler.CreateToken(new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest - }, Audience = context.Issuer?.AbsoluteUri, Claims = context.Request.GetParameters().ToDictionary( parameter => parameter.Key, parameter => parameter.Value.Value), + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = new ClaimsIdentity() + Subject = new ClaimsIdentity(), + TokenType = JsonWebTokenTypes.Private.LogoutRequest }); - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: new Dictionary - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.LogoutRequest - }); - // Note: the cache key is always prefixed with a specific marker // to avoid collisions with the other types of cached payloads. await _cache.SetStringAsync(Cache.LogoutRequest + context.Request.RequestId, diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.cs index 27efd548..f70c6fed 100644 --- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs +++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs 
@@ -2725,28 +2725,19 @@ namespace OpenIddict.Server var descriptor = new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.AccessToken - }, Claims = claims, + // Note: unlike other tokens, encryption can be disabled for access tokens. + EncryptingCredentials = !context.Options.DisableAccessTokenEncryption ? + context.Options.EncryptionCredentials.First() : null, Expires = context.AccessTokenPrincipal.GetExpirationDate()?.UtcDateTime, IssuedAt = context.AccessTokenPrincipal.GetCreationDate()?.UtcDateTime, Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = (ClaimsIdentity) principal.Identity + Subject = (ClaimsIdentity) principal.Identity, + TokenType = JsonWebTokenTypes.AccessToken }; - var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor); - - if (!context.Options.DisableAccessTokenEncryption) - { - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: descriptor.AdditionalHeaderClaims); - } - - context.AccessToken = token; + context.AccessToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor); context.Logger.LogTrace(SR.GetResourceString(SR.ID6013), principal.GetClaim(Claims.JwtId), context.AccessToken, principal.Claims); 
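Review bot: The new `EncryptingCredentials` initializer reads as a negated condition, `!context.Options.DisableAccessTokenEncryption ? ... : null`, which is easy to misread in a spot that decides whether an access token leaves the server in the clear; the positive form `EncryptingCredentials = context.Options.DisableAccessTokenEncryption ? null : context.Options.EncryptionCredentials.First(),` says the same thing without the double negative. The accompanying note that only access tokens can opt out of encryption is useful and should stay next to that line. The enclosing handler method starts and ends outside the hunk.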
@@ -2974,15 +2965,13 @@ namespace OpenIddict.Server var descriptor = new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.AuthorizationCode - }, + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Expires = context.AuthorizationCodePrincipal.GetExpirationDate()?.UtcDateTime, IssuedAt = context.AuthorizationCodePrincipal.GetCreationDate()?.UtcDateTime, Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = (ClaimsIdentity) principal.Identity + Subject = (ClaimsIdentity) principal.Identity, + TokenType = JsonWebTokenTypes.Private.AuthorizationCode }; // Attach claims destinations to the JWT claims collection. @@ -2995,14 +2984,7 @@ namespace OpenIddict.Server }; } - // Sign and encrypt the authorization code. - var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor); - - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: descriptor.AdditionalHeaderClaims); - - context.AuthorizationCode = token; + context.AuthorizationCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor); context.Logger.LogTrace(SR.GetResourceString(SR.ID6016), principal.GetClaim(Claims.JwtId), context.AuthorizationCode, principal.Claims); 
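Review bot: The `// Sign and encrypt the authorization code.` comment is dropped together with the old two-step code, but the single `CreateToken(descriptor)` call now performs both operations implicitly through `SigningCredentials` and `EncryptingCredentials`, which is no longer visible at the call site. Keeping a one-line comment such as `// Sign and encrypt the authorization code (both credentials are set on the descriptor).` above the assignment preserves that intent for anyone auditing which tokens are issued encrypted. The same comment was removed in the device code, refresh token and user code hunks below. The enclosing handler method starts and ends outside the hunk.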
@@ -3234,15 +3216,13 @@ namespace OpenIddict.Server var descriptor = new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.DeviceCode - }, + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Expires = context.DeviceCodePrincipal.GetExpirationDate()?.UtcDateTime, IssuedAt = context.DeviceCodePrincipal.GetCreationDate()?.UtcDateTime, Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = (ClaimsIdentity) principal.Identity + Subject = (ClaimsIdentity) principal.Identity, + TokenType = JsonWebTokenTypes.Private.DeviceCode }; // Attach claims destinations to the JWT claims collection. @@ -3255,14 +3235,7 @@ namespace OpenIddict.Server }; } - // Sign and encrypt the device code. - var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor); - - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: descriptor.AdditionalHeaderClaims); - - context.DeviceCode = token; + context.DeviceCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor); context.Logger.LogTrace(SR.GetResourceString(SR.ID6019), principal.GetClaim(Claims.JwtId), context.DeviceCode, principal.Claims); 
@@ -3578,15 +3551,13 @@ namespace OpenIddict.Server var descriptor = new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.RefreshToken - }, + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Expires = context.RefreshTokenPrincipal.GetExpirationDate()?.UtcDateTime, IssuedAt = context.RefreshTokenPrincipal.GetCreationDate()?.UtcDateTime, Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = (ClaimsIdentity) principal.Identity + Subject = (ClaimsIdentity) principal.Identity, + TokenType = JsonWebTokenTypes.Private.RefreshToken }; // Attach claims destinations to the JWT claims collection. @@ -3599,13 +3570,7 @@ namespace OpenIddict.Server }; } - // Sign and encrypt the refresh token. - var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor); - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: descriptor.AdditionalHeaderClaims); - - context.RefreshToken = token; + context.RefreshToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor); context.Logger.LogTrace(SR.GetResourceString(SR.ID6023), principal.GetClaim(Claims.JwtId), context.RefreshToken, principal.Claims); 
@@ -3874,25 +3839,16 @@ namespace OpenIddict.Server var descriptor = new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.Private.UserCode - }, + EncryptingCredentials = context.Options.EncryptionCredentials.First(), Expires = context.UserCodePrincipal.GetExpirationDate()?.UtcDateTime, IssuedAt = context.UserCodePrincipal.GetCreationDate()?.UtcDateTime, Issuer = context.Issuer?.AbsoluteUri, SigningCredentials = context.Options.SigningCredentials.First(), - Subject = (ClaimsIdentity) principal.Identity + Subject = (ClaimsIdentity) principal.Identity, + TokenType = JsonWebTokenTypes.Private.UserCode }; - // Sign and encrypt the user code. - var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor); - - token = context.Options.JsonWebTokenHandler.EncryptToken(token, - encryptingCredentials: context.Options.EncryptionCredentials.First(), - additionalHeaderClaims: descriptor.AdditionalHeaderClaims); - - context.UserCode = token; + context.UserCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor); context.Logger.LogTrace(SR.GetResourceString(SR.ID6026), principal.GetClaim(Claims.JwtId), context.UserCode, principal.Claims); @@ -4295,10 +4251,6 @@ namespace OpenIddict.Server var descriptor = new SecurityTokenDescriptor { - AdditionalHeaderClaims = new Dictionary(StringComparer.Ordinal) - { - [JwtHeaderParameterNames.Typ] = JsonWebTokenTypes.IdentityToken - }, Claims = claims, Expires = context.IdentityTokenPrincipal.GetExpirationDate()?.UtcDateTime, IssuedAt = context.IdentityTokenPrincipal.GetCreationDate()?.UtcDateTime, 
@@ -4307,13 +4259,11 @@ namespace OpenIddict.Server // as they are meant to be validated by clients using the public keys exposed by the server. SigningCredentials = context.Options.SigningCredentials.First(credentials => credentials.Key is AsymmetricSecurityKey), - Subject = (ClaimsIdentity) principal.Identity + Subject = (ClaimsIdentity) principal.Identity, + TokenType = JsonWebTokenTypes.IdentityToken }; - // Sign and attach the identity token. - var token = context.Options.JsonWebTokenHandler.CreateToken(descriptor); - - context.IdentityToken = token; + context.IdentityToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor); context.Logger.LogTrace(SR.GetResourceString(SR.ID6029), principal.GetClaim(Claims.JwtId), context.IdentityToken, principal.Claims);