Add OAuthIntrospectionOptions.NameClaimType/RoleClaimType and replace the legacy WS-Fed claim types by their JWT equivalent

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -15,7 +15,9 @@ public static class Claims
             public const string ExpiresAt = "exp";
             public const string IssuedAt = "iat";
             public const string JwtId = "jti";
+            public const string Name = "name";
             public const string NotBefore = "nbf";
+            public const string Role = "role";
             public const string Scope = "scope";
             public const string Subject = "sub";
             public const string TokenType = "token_type";

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -435,7 +435,7 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload)
         {
-            var identity = new ClaimsIdentity(Options.AuthenticationScheme);
+            var identity = new ClaimsIdentity(Options.AuthenticationScheme, Options.NameClaimType, Options.RoleClaimType);
             var properties = new AuthenticationProperties();
 
             if (Options.SaveToken)
@@ -483,22 +483,6 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                         continue;
                     }
 
-                    // Add the subject identifier as a new ClaimTypes.NameIdentifier claim.
-                    case OAuthIntrospectionConstants.Claims.Subject:
-                    {
-                        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, (string) property.Value));
-
-                        continue;
-                    }
-
-                    // Add the subject identifier as a new ClaimTypes.Name claim.
-                    case OAuthIntrospectionConstants.Claims.Username:
-                    {
-                        identity.AddClaim(new Claim(ClaimTypes.Name, (string) property.Value));
-
-                        continue;
-                    }
-
                     // Add the token identifier as a property on the authentication ticket.
                     case OAuthIntrospectionConstants.Claims.JwtId:
                     {

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -95,6 +95,16 @@ public OAuthIntrospectionOptions()
         /// </summary>
         public bool IncludeErrorDetails { get; set; } = true;
 
+        /// <summary>
+        /// Gets or sets the claim type used for the name claim.
+        /// </summary>
+        public string NameClaimType { get; set; } = OAuthIntrospectionConstants.Claims.Name;
+
+        /// <summary>
+        /// Gets or sets the claim type used for the role claim(s).
+        /// </summary>
+        public string RoleClaimType { get; set; } = OAuthIntrospectionConstants.Claims.Role;
+
         /// <summary>
         /// Gets or sets the cache used to store the authentication tickets
         /// resolved from the access tokens received by the resource server.

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -15,7 +15,9 @@ public static class Claims
             public const string ExpiresAt = "exp";
             public const string IssuedAt = "iat";
             public const string JwtId = "jti";
+            public const string Name = "name";
             public const string NotBefore = "nbf";
+            public const string Role = "role";
             public const string Scope = "scope";
             public const string Subject = "sub";
             public const string TokenType = "token_type";

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -424,7 +424,7 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
 
         protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload)
         {
-            var identity = new ClaimsIdentity(Options.AuthenticationType);
+            var identity = new ClaimsIdentity(Options.AuthenticationType, Options.NameClaimType, Options.RoleClaimType);
             var properties = new AuthenticationProperties();
 
             if (Options.SaveToken)

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -94,6 +94,16 @@ public OAuthIntrospectionOptions()
         /// </summary>
         public bool IncludeErrorDetails { get; set; } = true;
 
+        /// <summary>
+        /// Gets or sets the claim type used for the name claim.
+        /// </summary>
+        public string NameClaimType { get; set; } = OAuthIntrospectionConstants.Claims.Name;
+
+        /// <summary>
+        /// Gets or sets the claim type used for the role claim(s).
+        /// </summary>
+        public string RoleClaimType { get; set; } = OAuthIntrospectionConstants.Claims.Role;
+
         /// <summary>
         /// Gets or sets the cache used to store the authentication tickets
         /// resolved from the access tokens received by the resource server.