Add refresh token support to BearerTokenHandler

- Integrate with identity to check security stamp and refresh user from store

Author: halter73

src/Http/Authentication.Abstractions/src/AuthenticationProperties.cs

@@ -16,6 +16,7 @@ public class AuthenticationProperties
     internal const string IsPersistentKey = ".persistent";
     internal const string RedirectUriKey = ".redirect";
     internal const string RefreshKey = ".refresh";
+    internal const string RefreshTokenKey = ".refreshToken";
     internal const string UtcDateTimeFormat = "r";
 
     /// <summary>
@@ -116,6 +117,15 @@ public bool? AllowRefresh
         set => SetBool(RefreshKey, value);
     }
 
+    /// <summary>
+    /// If set, the token must be valid for sign in to continue.
+    /// </summary>
+    public string? RefreshToken
+    {
+        get => GetParameter<string?>(RefreshTokenKey);
+        set => SetParameter<string?>(RefreshTokenKey, value);
+    }
+
     /// <summary>
     /// Get a string value from the <see cref="Items"/> collection.
     /// </summary>

src/Http/Authentication.Abstractions/src/PublicAPI.Unshipped.txt

@@ -2,3 +2,5 @@
 Microsoft.AspNetCore.Authentication.AuthenticationFailureException
 Microsoft.AspNetCore.Authentication.AuthenticationFailureException.AuthenticationFailureException(string? message) -> void
 Microsoft.AspNetCore.Authentication.AuthenticationFailureException.AuthenticationFailureException(string? message, System.Exception? innerException) -> void
+Microsoft.AspNetCore.Authentication.AuthenticationProperties.RefreshToken.get -> string?
+Microsoft.AspNetCore.Authentication.AuthenticationProperties.RefreshToken.set -> void

src/Identity/Core/src/DTO/RefreshRequest.cs

@@ -0,0 +1,9 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Identity.DTO;
+
+internal sealed class RefreshRequest
+{
+    public required string RefreshToken { get; init; }
+}

src/Identity/Core/src/IdentityApiEndpointRouteBuilderExtensions.cs

@@ -2,6 +2,8 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Linq;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.BearerToken.DTO;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -18,6 +20,7 @@ namespace Microsoft.AspNetCore.Routing;
 /// </summary>
 public static class IdentityApiEndpointRouteBuilderExtensions
 {
+
     /// <summary>
     /// Add endpoints for registering, logging in, and logging out using ASP.NET Core Identity.
     /// </summary>
@@ -72,6 +75,20 @@ public static class IdentityApiEndpointRouteBuilderExtensions
             return TypedResults.SignIn(claimsPrincipal, authenticationScheme: scheme);
         });
 
+        routeGroup.MapPost("/refresh", Results<UnauthorizedHttpResult, Ok<AccessTokenResponse>, SignInHttpResult>
+            ([FromBody] RefreshRequest refreshRequest) =>
+        {
+            // This is the minimal principal that IsAuthenticated. The BearerTokenHander will recreate the full principal
+            // from the refresh token if it is able. The sign in will fail without an identity name.
+            var refreshPrincipal =  new ClaimsPrincipal(new ClaimsIdentity(IdentityConstants.BearerScheme));
+            var properties = new AuthenticationProperties
+            {
+                RefreshToken = refreshRequest.RefreshToken
+            };
+
+            return TypedResults.SignIn(refreshPrincipal, properties, IdentityConstants.BearerScheme);
+        });
+
         return new IdentityEndpointsConventionBuilder(routeGroup);
     }
 

src/Identity/Core/src/IdentityApiEndpointsIdentityBuilderExtensions.cs

@@ -0,0 +1,64 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.BearerToken;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.AspNetCore.Identity;
+
+/// <summary>
+/// Extension methods to enable bearer token authentication for use with identity.
+/// </summary>
+public static class IdentityAuthenticationBuilderExtensions
+{
+    /// <summary>
+    /// Adds cookie authentication.
+    /// </summary>
+    /// <param name="builder">The current <see cref="AuthenticationBuilder"/> instance.</param>
+    /// <returns>The <see cref="AuthenticationBuilder"/>.</returns>
+    public static AuthenticationBuilder AddIdentityBearerToken<TUser>(this AuthenticationBuilder builder)
+        where TUser : class, new()
+        => builder.AddIdentityBearerToken<TUser>(o => { });
+
+    /// <summary>
+    /// Adds the cookie authentication needed for sign in manager.
+    /// </summary>
+    /// <param name="builder">The current <see cref="AuthenticationBuilder"/> instance.</param>
+    /// <param name="configureOptions">Action used to configure the bearer token handler.</param>
+    /// <returns>The <see cref="AuthenticationBuilder"/>.</returns>
+    public static AuthenticationBuilder AddIdentityBearerToken<TUser>(this AuthenticationBuilder builder, Action<BearerTokenOptions> configureOptions)
+        where TUser : class, new()
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        ArgumentNullException.ThrowIfNull(configureOptions);
+
+        return builder.AddBearerToken(IdentityConstants.BearerScheme, bearerOptions =>
+        {
+            bearerOptions.Events.OnSigningIn = HandleSigningIn<TUser>;
+            configureOptions(bearerOptions);
+        });
+    }
+
+    private static async Task HandleSigningIn<TUser>(SigningInContext signInContext)
+        where TUser : class, new()
+    {
+        // Only validate the security stamp and refresh the user from the store during /refresh
+        // not during the initial /login when the Principal is already newly created from the store.
+        if (signInContext.Properties.RefreshToken is null)
+        {
+            return;
+        }
+
+        var signInManager = signInContext.HttpContext.RequestServices.GetRequiredService<SignInManager<TUser>>();
+
+        // Reject the /refresh attempt if the security stamp validation fails which will result in a 401 challenge.
+        if (await signInManager.ValidateSecurityStampAsync(signInContext.Principal) is not TUser user)
+        {
+            signInContext.Principal = null;
+            return;
+        }
+
+        signInContext.Principal = await signInManager.CreateUserPrincipalAsync(user);
+    }
+}

src/Identity/Core/src/IdentityApiEndpointsServiceCollectionExtensions.cs

@@ -2,6 +2,10 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics.CodeAnalysis;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.BearerToken;
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
@@ -79,6 +83,22 @@ public static IdentityBuilder AddSignInManager(this IdentityBuilder builder)
         return builder;
     }
 
+    /// <summary>
+    /// Adds configuration ans services needed to support <see cref="IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi{TUser}(IEndpointRouteBuilder)"/>
+    /// but does not configure authentication. Call <see cref="BearerTokenExtensions.AddBearerToken(AuthenticationBuilder, Action{BearerTokenOptions}?)"/> and/or
+    /// <see cref="IdentityCookieAuthenticationBuilderExtensions.AddIdentityCookies(AuthenticationBuilder)"/> to configure authentication separately.
+    /// </summary>
+    /// <param name="builder">The <see cref="IdentityBuilder"/>.</param>
+    /// <returns>The <see cref="IdentityBuilder"/>.</returns>
+    public static IdentityBuilder AddApiEndpoints(this IdentityBuilder builder)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+
+        builder.AddSignInManager();
+        builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<JsonOptions>, IdentityEndpointsJsonOptionsSetup>());
+        return builder;
+    }
+
     // Set TimeProvider from DI on all options instances, if not already set by tests.
     private sealed class PostConfigureSecurityStampValidatorOptions : IPostConfigureOptions<SecurityStampValidatorOptions>
     {

src/Identity/Core/src/IdentityAuthenticationBuilderExtensions.cs

@@ -2,10 +2,15 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics.CodeAnalysis;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.Extensions.DependencyInjection;
@@ -109,6 +114,47 @@ public static class IdentityServiceCollectionExtensions
         return new IdentityBuilder(typeof(TUser), typeof(TRole), services);
     }
 
+    /// <summary>
+    /// Adds a set of common identity services to the application to support <see cref="IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi{TUser}(IEndpointRouteBuilder)"/>
+    /// and configures authentication to support identity bearer tokens and cookies.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceCollection"/>.</param>
+    /// <returns>The <see cref="IdentityBuilder"/>.</returns>
+    public static IdentityBuilder AddIdentityApiEndpoints<TUser>(this IServiceCollection services)
+        where TUser : class, new()
+        => services.AddIdentityApiEndpoints<TUser>(_ => { });
+
+    /// <summary>
+    /// Adds a set of common identity services to the application to support <see cref="IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi{TUser}(IEndpointRouteBuilder)"/>
+    /// and configures authentication to support identity bearer tokens and cookies.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceCollection"/>.</param>
+    /// <param name="configure">Configures the <see cref="IdentityOptions"/>.</param>
+    /// <returns>The <see cref="IdentityBuilder"/>.</returns>
+    public static IdentityBuilder AddIdentityApiEndpoints<TUser>(this IServiceCollection services, Action<IdentityOptions> configure)
+        where TUser : class, new()
+    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(configure);
+
+        services
+            .AddAuthentication(IdentityConstants.BearerAndApplicationScheme)
+            .AddScheme<AuthenticationSchemeOptions, CompositeIdentityHandler>(IdentityConstants.BearerAndApplicationScheme, null, compositeOptions =>
+            {
+                compositeOptions.ForwardDefault = IdentityConstants.BearerScheme;
+                compositeOptions.ForwardAuthenticate = IdentityConstants.BearerAndApplicationScheme;
+            })
+            .AddIdentityBearerToken<TUser>()
+            .AddIdentityCookies();
+
+        return services.AddIdentityCore<TUser>(o =>
+            {
+                o.Stores.MaxLengthForKeys = 128;
+                configure(o);
+            })
+            .AddApiEndpoints();
+    }
+
     /// <summary>
     /// Configures the application cookie.
     /// </summary>
@@ -141,4 +187,32 @@ public void PostConfigure(string? name, SecurityStampValidatorOptions options)
             options.TimeProvider ??= TimeProvider;
         }
     }
+
+    private sealed class CompositeIdentityHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder)
+        : SignInAuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
+    {
+        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            var bearerResult = await Context.AuthenticateAsync(IdentityConstants.BearerScheme);
+
+            // Only try to authenticate with the application cookie if there is no bearer token.
+            if (!bearerResult.None)
+            {
+                return bearerResult;
+            }
+
+            // Cookie auth will return AuthenticateResult.NoResult() like bearer auth just did if there is no cookie.
+            return await Context.AuthenticateAsync(IdentityConstants.ApplicationScheme);
+        }
+
+        protected override Task HandleSignInAsync(ClaimsPrincipal user, AuthenticationProperties? properties)
+        {
+            throw new NotImplementedException();
+        }
+
+        protected override Task HandleSignOutAsync(AuthenticationProperties? properties)
+        {
+            throw new NotImplementedException();
+        }
+    }
 }