Update the documentation pages

configuration/authorization-storage.html

@@ -133,35 +133,58 @@ switch (await _applicationManager.GetConsentTypeAsync(application))
     case ConsentTypes.Implicit:
     case ConsentTypes.External when authorizations.Any():
     case ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(Prompts.Consent):
-        var principal = await _signInManager.CreateUserPrincipalAsync(user);
+        // Create the claims-based identity that will be used by OpenIddict to generate tokens.
+        var identity = new ClaimsIdentity(
+            authenticationType: TokenValidationParameters.DefaultAuthenticationType,
+            nameType: Claims.Name,
+            roleType: Claims.Role);
+
+        // Add the claims that will be persisted in the tokens.
+        identity.SetClaim(Claims.Subject, await _userManager.GetUserIdAsync(user))
+                .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
+                .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
+                .SetClaims(Claims.Role, (await _userManager.GetRolesAsync(user)).ToImmutableArray());
 
         // Note: in this sample, the granted scopes match the requested scope
         // but you may want to allow the user to uncheck specific scopes.
         // For that, simply restrict the list of scopes before calling SetScopes.
-        principal.SetScopes(request.GetScopes());
-        principal.SetResources(await _scopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync());
+        identity.SetScopes(request.GetScopes());
+        identity.SetResources(await _scopeManager.ListResourcesAsync(identity.GetScopes()).ToListAsync());
 
         // Automatically create a permanent authorization to avoid requiring explicit consent
         // for future authorization or token requests containing the same scopes.
         var authorization = authorizations.LastOrDefault();
-        if (authorization is null)
+        authorization ??= await _authorizationManager.CreateAsync(
+            identity: identity,
+            subject : await _userManager.GetUserIdAsync(user),
+            client  : await _applicationManager.GetIdAsync(application),
+            type    : AuthorizationTypes.Permanent,
+            scopes  : identity.GetScopes());
+
+        identity.SetAuthorizationId(await _authorizationManager.GetIdAsync(authorization));
+        identity.SetDestinations(static claim => claim.Type switch
         {
-            authorization = await _authorizationManager.CreateAsync(
-                principal: principal,
-                subject  : await _userManager.GetUserIdAsync(user),
-                client   : await _applicationManager.GetIdAsync(application),
-                type     : AuthorizationTypes.Permanent,
-                scopes   : principal.GetScopes());
-        }
+            // If the "profile" scope was granted, allow the "name" claim to be
+            // added to the access and identity tokens derived from the principal.
+            Claims.Name when claim.Subject.HasScope(Scopes.Profile) => new[]
+            {
+                OpenIddictConstants.Destinations.AccessToken,
+                OpenIddictConstants.Destinations.IdentityToken
+            },
 
-        principal.SetAuthorizationId(await _authorizationManager.GetIdAsync(authorization));
+            // Never add the "secret_value" claim to access or identity tokens.
+            // In this case, it will only be added to authorization codes,
+            // refresh tokens and user/device codes, that are always encrypted.
+            "secret_value" => Array.Empty<string>(),
 
-        foreach (var claim in principal.Claims)
-        {
-            claim.SetDestinations(GetDestinations(claim, principal));
-        }
+            // Otherwise, add the claim to the access tokens only.
+            _ => new[]
+            {
+                OpenIddictConstants.Destinations.AccessToken
+            }
+        });
 
-        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+        return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
 
     // At this point, no authorization was found in the database and an error must be returned
     // if the client application specified prompt=none in the authorization request.

index.html

@@ -264,7 +264,7 @@ To reference the OpenIddict MyGet feed, <strong>create a <code>NuGet.config</cod
 <p><strong>OpenIddict</strong> is actively maintained by <strong><a href="https://github.com/kevinchalet">Kévin Chalet</a></strong>. Contributions are welcome and can be submitted using pull requests.</p>
 <p><strong>Special thanks to <a href="https://github.com/sponsors/kevinchalet#sponsors">our sponsors</a> for their incredible support</strong>:</p>
 <p><a href="https://volosoft.com/"><img src="https://volosoft.com/assets/logos/volosoft-logo-dark.svg" width="500px" alt="Volosoft logo"></a></p>
-<p><!-- sponsors --><a href="https://github.com/sebastienros"><img src="https://github.com/sebastienros.png" width="60px" alt="Sébastien Ros"></a><a href="https://github.com/GDreyV"><img src="https://github.com/GDreyV.png" width="60px" alt="Andrew"></a><a href="https://github.com/gustavdw"><img src="https://github.com/gustavdw.png" width="60px" alt=""></a><a href="https://github.com/schmitch"><img src="https://github.com/schmitch.png" width="60px" alt="Schmitt Christian"></a><a href="https://github.com/ThreeScreenStudios"><img src="https://github.com/ThreeScreenStudios.png" width="60px" alt="Thomas W"></a><a href="https://github.com/cryo75"><img src="https://github.com/cryo75.png" width="60px" alt=""></a><a href="https://github.com/florianwachs"><img src="https://github.com/florianwachs.png" width="60px" alt="Florian Wachs"></a><a href="https://github.com/communicatie-cockpit"><img src="https://github.com/communicatie-cockpit.png" width="60px" alt="Communicatie Cockpit"></a><a href="https://github.com/KeithT"><img src="https://github.com/KeithT.png" width="60px" alt=""></a><a href="https://github.com/WGMurray"><img src="https://github.com/WGMurray.png" width="60px" alt=""></a><a href="https://github.com/Skrypt"><img src="https://github.com/Skrypt.png" width="60px" alt="Jasmin Savard"></a><a href="https://github.com/ThomasBjallas"><img src="https://github.com/ThomasBjallas.png" width="60px" alt="Thomas"></a><a href="https://github.com/mcalasa"><img src="https://github.com/mcalasa.png" width="60px" alt="Michael Calasanz"></a><a href="https://github.com/feededit"><img src="https://github.com/feededit.png" width="60px" alt=""></a><a href="https://github.com/DigitalOpsDev"><img src="https://github.com/DigitalOpsDev.png" width="60px" alt="DigitalOps Co. Ltd."></a><a href="https://github.com/jacojvv-dev"><img src="https://github.com/jacojvv-dev.png" width="60px" alt="Jaco Jansen van Vuuren"></a><a href="https://github.com/EYERIDE-Fleet-Management-System"><img src="https://github.com/EYERIDE-Fleet-Management-System.png" width="60px" alt="EYERIDE Fleet Management System"></a><a href="https://github.com/salimz1"><img src="https://github.com/salimz1.png" width="60px" alt=""></a><a href="https://github.com/hypdeb"><img src="https://github.com/hypdeb.png" width="60px" alt="Julien Debache"></a><a href="https://github.com/StanlyLife"><img src="https://github.com/StanlyLife.png" width="60px" alt="Stian Håve"></a><a href="https://github.com/ravindUwU"><img src="https://github.com/ravindUwU.png" width="60px" alt="Ravindu Liyanapathirana"></a><a href="https://github.com/dlandi"><img src="https://github.com/dlandi.png" width="60px" alt="HieronymusBlaze"></a><a href="https://github.com/ahanoff"><img src="https://github.com/ahanoff.png" width="60px" alt="Akhan Zhakiyanov"></a><a href="https://github.com/InFarAday"><img src="https://github.com/InFarAday.png" width="60px" alt="Corentin BROSSUTTI"></a><a href="https://github.com/rezstream"><img src="https://github.com/rezstream.png" width="60px" alt="rezStream"></a><a href="https://github.com/matthias-jauernig"><img src="https://github.com/matthias-jauernig.png" width="60px" alt=""></a><!-- sponsors --></p>
+<p><!-- sponsors --><a href="https://github.com/sebastienros"><img src="https://github.com/sebastienros.png" width="60px" alt="Sébastien Ros"></a><a href="https://github.com/schmitch"><img src="https://github.com/schmitch.png" width="60px" alt="Schmitt Christian"></a><a href="https://github.com/cryo75"><img src="https://github.com/cryo75.png" width="60px" alt=""></a><a href="https://github.com/florianwachs"><img src="https://github.com/florianwachs.png" width="60px" alt="Florian Wachs"></a><a href="https://github.com/SebastianStehle"><img src="https://github.com/SebastianStehle.png" width="60px" alt="Sebastian Stehle"></a><a href="https://github.com/communicatie-cockpit"><img src="https://github.com/communicatie-cockpit.png" width="60px" alt="Communicatie Cockpit"></a><a href="https://github.com/KeithT"><img src="https://github.com/KeithT.png" width="60px" alt=""></a><a href="https://github.com/Skrypt"><img src="https://github.com/Skrypt.png" width="60px" alt="Jasmin Savard"></a><a href="https://github.com/ThomasBjallas"><img src="https://github.com/ThomasBjallas.png" width="60px" alt="Thomas"></a><a href="https://github.com/mcalasa"><img src="https://github.com/mcalasa.png" width="60px" alt="Michael Calasanz"></a><a href="https://github.com/feededit"><img src="https://github.com/feededit.png" width="60px" alt=""></a><a href="https://github.com/DigitalOpsDev"><img src="https://github.com/DigitalOpsDev.png" width="60px" alt="DigitalOps Co. Ltd."></a><a href="https://github.com/jacojvv-dev"><img src="https://github.com/jacojvv-dev.png" width="60px" alt="Jaco Jansen van Vuuren"></a><a href="https://github.com/EYERIDE-Fleet-Management-System"><img src="https://github.com/EYERIDE-Fleet-Management-System.png" width="60px" alt="EYERIDE Fleet Management System"></a><a href="https://github.com/salimz1"><img src="https://github.com/salimz1.png" width="60px" alt=""></a><a href="https://github.com/hypdeb"><img src="https://github.com/hypdeb.png" width="60px" alt="Julien Debache"></a><a href="https://github.com/StanlyLife"><img src="https://github.com/StanlyLife.png" width="60px" alt="Stian Håve"></a><a href="https://github.com/ravindUwU"><img src="https://github.com/ravindUwU.png" width="60px" alt="Ravindu Liyanapathirana"></a><a href="https://github.com/dlandi"><img src="https://github.com/dlandi.png" width="60px" alt="HieronymusBlaze"></a><a href="https://github.com/ahanoff"><img src="https://github.com/ahanoff.png" width="60px" alt="Akhan Zhakiyanov"></a><a href="https://github.com/InFarAday"><img src="https://github.com/InFarAday.png" width="60px" alt="Corentin BROSSUTTI"></a><a href="https://github.com/rezstream"><img src="https://github.com/rezstream.png" width="60px" alt="rezStream"></a><a href="https://github.com/matthias-jauernig"><img src="https://github.com/matthias-jauernig.png" width="60px" alt=""></a><a href="https://github.com/blowdart"><img src="https://github.com/blowdart.png" width="60px" alt="Barry Dorrans"></a><a href="https://github.com/devqsrl"><img src="https://github.com/devqsrl.png" width="60px" alt="DevQ S.r.l."></a><a href="https://github.com/dgxhubbard"><img src="https://github.com/dgxhubbard.png" width="60px" alt=""></a><!-- sponsors --></p>
 <hr>
 <h2 id="license">License</h2>
 <p>This project is licensed under the <strong>Apache License</strong>. This means that you can use, modify and distribute it freely.

manifest.json

@@ -21,7 +21,7 @@
       "output": {
         ".html": {
           "relative_path": "configuration/authorization-storage.html",
-          "hash": "FnAm0BQOUaOxQeMzXAOb7Q=="
+          "hash": "cBu8HeK5bhvKPqfWUPJYHA=="
         }
       },
       "is_incremental": false,
@@ -1694,7 +1694,7 @@
       "output": {
         ".html": {
           "relative_path": "index.html",
-          "hash": "K4hqY9RUWtjWvQdIiJnyDg=="
+          "hash": "JgzHNxC2gF5ZVWf6QQo2Aw=="
         }
       },
       "is_incremental": false,