
Introduce a new DisableUserinfo option in RefreshTokenAuthenticationR…
…equest to allow refreshing tokens acquired during a client credentials flow
kevinchalet committed Jan 15, 2024
1 parent b1005da commit 7af133f
Showing 4 changed files with 32 additions and 6 deletions.
5 changes: 5 additions & 0 deletions src/OpenIddict.Client/OpenIddictClientEvents.cs
Expand Up @@ -859,6 +859,11 @@ public OpenIddictRequest Request
/// </remarks>
public bool DisableFrontchannelIdentityTokenNonceValidation { get; set; }

/// <summary>
/// Gets or sets a boolean indicating whether userinfo retrieval should be disabled.
/// </summary>
public bool DisableUserinfoRetrieval { get; set; }

/// <summary>
/// Gets or sets a boolean indicating whether userinfo validation should be disabled.
/// </summary>
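Review bot: The summary on the new `DisableUserinfoRetrieval` property only restates its name ("whether userinfo retrieval should be disabled") and does not say what the flag changes in the authentication flow. The consumer in OpenIddictClientHandlers.cs (the `SendUserinfoRequest` switch) checks `!context.DisableUserinfoRetrieval` before the userinfo-endpoint and access-token checks, so enabling it suppresses the userinfo request regardless of server support; a `<remarks>` block such as `/// Note: when enabled, no userinfo request is sent, even if the server exposes a userinfo endpoint.` would make that explicit. Since `DisableUserinfoValidation` sits directly below with the same doc style, a `<see cref="DisableUserinfoValidation"/>` cross-reference in that remark would also help readers pick the right flag. The enclosing class starts and ends outside this hunk.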
8 changes: 4 additions & 4 deletions src/OpenIddict.Client/OpenIddictClientHandlers.cs
Expand Up @@ -2262,7 +2262,7 @@ GrantTypes.AuthorizationCode or GrantTypes.Implicit when
// For client credentials, device authorization, resource owner password
// credentials and refresh token requests, always send a token request.
GrantTypes.ClientCredentials or GrantTypes.DeviceCode or
GrantTypes.Password or GrantTypes.RefreshToken => true,
GrantTypes.Password or GrantTypes.RefreshToken => true,

_ => false
};
Expand Down Expand Up @@ -3557,8 +3557,8 @@ public ValueTask HandleAsync(ProcessAuthenticationContext context)
//
// Note: the userinfo endpoint is an optional endpoint and may not be supported.
GrantTypes.AuthorizationCode or GrantTypes.Implicit or
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
when context.UserinfoEndpoint is not null &&
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
when !context.DisableUserinfoRetrieval && context.UserinfoEndpoint is not null &&
(!string.IsNullOrEmpty(context.BackchannelAccessToken) ||
!string.IsNullOrEmpty(context.FrontchannelAccessToken)) => true,

Expand Down Expand Up @@ -3721,7 +3721,7 @@ public ValueTask HandleAsync(ProcessAuthenticationContext context)
context.RejectUserinfoToken) = context.GrantType switch
{
GrantTypes.AuthorizationCode or GrantTypes.Implicit or
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
GrantTypes.DeviceCode or GrantTypes.Password or GrantTypes.RefreshToken
when context.SendUserinfoRequest => (true, false, true, true),

_ => (false, false, false, false)
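Review bot: In the second hunk, the comment above the grant-type arm (`// Note: the userinfo endpoint is an optional endpoint and may not be supported.`) no longer describes the whole condition now that `!context.DisableUserinfoRetrieval` is the first check in the `when` clause. A second comment line such as `// The request can also be explicitly disabled by the caller (e.g. when refreshing a token that was acquired via client credentials), see DisableUserinfoRetrieval.` would record why the opt-out exists, which is otherwise only stated in the commit message. The first and third hunks appear to be whitespace-only re-indentation and need no review. The enclosing `HandleAsync` methods start and end outside the hunks.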
19 changes: 17 additions & 2 deletions src/OpenIddict.Client/OpenIddictClientModels.cs
Expand Up @@ -283,8 +283,7 @@ public sealed record class ClientCredentialsAuthenticationResult
/// </summary>
/// <remarks>
/// Note: in most cases, an empty principal will be returned, unless the authorization server
/// supports returning a non-standard identity token for the client credentials grant or
/// allows sending userinfo requests with an access token representing a client application.
/// supports returning a non-standard identity token for the client credentials grant.
/// </remarks>
public required ClaimsPrincipal Principal { get; init; }

Expand Down Expand Up @@ -342,6 +341,11 @@ public sealed record class DeviceAuthenticationRequest
/// </summary>
public required string DeviceCode { get; init; }

/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserinfo { get; set; }

/// <summary>
/// Gets or sets the maximum duration during which token requests will be sent
/// (typically, the same value as the "expires_in" parameter returned by the
Expand Down Expand Up @@ -561,6 +565,11 @@ public sealed record class PasswordAuthenticationRequest
/// </summary>
public CancellationToken CancellationToken { get; init; }

/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserinfo { get; set; }

/// <summary>
/// Gets or sets the password that will be sent to the authorization server.
/// </summary>
Expand Down Expand Up @@ -680,6 +689,12 @@ public sealed record class RefreshTokenAuthenticationRequest
/// </summary>
public CancellationToken CancellationToken { get; init; }

/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled, which may be required
/// when sending a refresh token that was acquired using a user-less flow (e.g client credentials).
/// </summary>
public bool DisableUserinfo { get; set; }

/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
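Review bot: The new `DisableUserinfo` property is declared `{ get; set; }` in all three request records (the `DeviceAuthenticationRequest`, `PasswordAuthenticationRequest` and `RefreshTokenAuthenticationRequest` hunks), while the neighbouring members of the same records use `{ get; init; }` (`DeviceCode`, `CancellationToken`), so the option is the only mutable member of otherwise immutable-after-construction records; `public bool DisableUserinfo { get; init; }` would match the surrounding style. The summary "whether userinfo should be disabled" is also vaguer than what the option does: OpenIddictClientService.cs maps it to both `DisableUserinfoRetrieval` and `DisableUserinfoValidation`, so wording like `/// Gets or sets a boolean indicating whether the userinfo request (and the validation of its result) should be skipped.` would describe the actual effect. The refresh-token remark has a minor typo, `e.g client` should read `e.g. client`. The enclosing record declarations start and end outside the hunks.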
6 changes: 6 additions & 0 deletions src/OpenIddict.Client/OpenIddictClientService.cs
Expand Up @@ -571,6 +571,8 @@ public async ValueTask<DeviceAuthenticationResult> AuthenticateWithDeviceAsync(D
{
CancellationToken = source.Token,
DeviceCode = request.DeviceCode,
DisableUserinfoRetrieval = request.DisableUserinfo,
DisableUserinfoValidation = request.DisableUserinfo,
GrantType = GrantTypes.DeviceCode,
Issuer = request.Issuer,
ProviderName = request.ProviderName,
Expand Down Expand Up @@ -773,6 +775,8 @@ public async ValueTask<PasswordAuthenticationResult> AuthenticateWithPasswordAsy
var context = new ProcessAuthenticationContext(transaction)
{
CancellationToken = request.CancellationToken,
DisableUserinfoRetrieval = request.DisableUserinfo,
DisableUserinfoValidation = request.DisableUserinfo,
GrantType = GrantTypes.Password,
Issuer = request.Issuer,
Password = request.Password,
Expand Down Expand Up @@ -868,6 +872,8 @@ public async ValueTask<RefreshTokenAuthenticationResult> AuthenticateWithRefresh
var context = new ProcessAuthenticationContext(transaction)
{
CancellationToken = request.CancellationToken,
DisableUserinfoRetrieval = request.DisableUserinfo,
DisableUserinfoValidation = request.DisableUserinfo,
GrantType = GrantTypes.RefreshToken,
Issuer = request.Issuer,
ProviderName = request.ProviderName,
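Review bot: The paired assignments `DisableUserinfoRetrieval = request.DisableUserinfo,` and `DisableUserinfoValidation = request.DisableUserinfo,` are repeated verbatim in all three hunks (device, password and refresh-token paths) without a comment explaining why one public option drives two context flags. From the handler hunk in OpenIddictClientHandlers.cs, userinfo extraction and validation already appear to be gated on `context.SendUserinfoRequest`, which the same commit makes false when retrieval is disabled, so setting `DisableUserinfoValidation` here looks redundant rather than load-bearing; if it is intended as defence in depth, a one-line comment such as `// Note: disabling userinfo also disables its validation, so a userinfo response is never evaluated for user-less tokens.` above the pair would make the intent explicit. If the redundancy is not intended, dropping the validation assignment would keep the existing `DisableUserinfoValidation` semantics independent of the new option. The enclosing methods start and end outside the hunks.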

