hi
AddDevelopmentEncryptionAndSigningCertificate cannot be used in applications deployed on IIS or Azure App Service: trying to use them on IIS or Azure App Service will result in an exception being thrown at runtime (unless the application pool is configured to load a user profile). To avoid that, consider creating self-signed certificates and storing them in the X.509 certificates store of the host machine(s). Please refer to: https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html#registering-a-development-certificate
// In the ABP module class: register the custom OpenIddict server event handler.
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.AddEventHandler(MyPrepareAccessTokenPrincipal.Descriptor);
    });
}
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

namespace MyPrepareAccessTokenPrincipal;

// ABP claims principal contributor: adds a claim while ABP builds the principal.
public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency
{
    public Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
    {
        var identity = context.ClaimsPrincipal.Identities.FirstOrDefault();
        identity?.AddClaim(new Claim("SocialSecurityNumber", "Old SocialSecurityNumber"));
        return Task.CompletedTask;
    }
}

// OpenIddict server handler: runs right after OpenIddict's own
// PrepareAccessTokenPrincipal handler, only when an access token is being
// generated, and replaces the SocialSecurityNumber claim on the access token principal.
public class MyPrepareAccessTokenPrincipal : IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext>
{
    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
        = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ProcessSignInContext>()
            .AddFilter<OpenIddictServerHandlerFilters.RequireAccessTokenGenerated>()
            .UseSingletonHandler<MyPrepareAccessTokenPrincipal>()
            .SetOrder(OpenIddictServerHandlers.PrepareAccessTokenPrincipal.Descriptor.Order + 1)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    public ValueTask HandleAsync(OpenIddictServerEvents.ProcessSignInContext context)
    {
        // Only the access token principal is touched; the refresh token principal is untouched.
        var identity = context.AccessTokenPrincipal?.Identities.FirstOrDefault();
        identity?.RemoveClaims("SocialSecurityNumber");
        identity?.AddClaim(new Claim("SocialSecurityNumber", DateTime.Now.ToString("s")));
        return default;
    }
}
hi mgurer
I confirmed that CoMedClaimsPrincipalContributor will not be called; dynamic claims may not be added or replaced. I will provide a solution as soon as possible.
hi
https://docs.abp.io/en/commercial/latest/modules/identity/ldap
ok
I will give it a try.
Thanks, I will try to reproduce the issue.
I insist that IAbpClaimsPrincipalContributor has nothing to do with the refresh_token flow.
You will get access_token and refresh_token first. Then use refresh_token to get them again.
The IAbpClaimsPrincipalContributor will be called when generating the access_token, and refresh_token will copy claims from access_token's principal.
Talk is cheap. You can prepare a simple demo project to reproduce your real problem.
support@abp.io
hi
refresh_token basically uses the claims from the access_token. So it shouldn't be a problem.
I called the token endpoint using refresh_token flow.
Can you share your access_token and HTTP request info?