IdentityModel.OidcClient
Unable to obtain ClaimsPrincipal with only a refreshtoken
The LoginResult contains the User property that holds the ClaimsPrincipal of the user that is logged in. When the client is enabled for offline use, the refresh token is stored in persistent (and secured) storage. When the application is terminated and started again, the refresh token is used to obtain an access token again.

Unfortunately, the RefreshTokenResult doesn't contain the User property, so it's not possible to recreate the ClaimsPrincipal besides doing this all by hand.

The OidcClient.RefreshTokenAsync method does call ResponseProcessor.ValidateTokenResponseAsync, and this method does include the principal. Unfortunately, this principal isn't passed to the RefreshTokenResult.
I understand that the ClaimsPrincipal returned by the ValidateTokenResponseAsync method only contains the claims from the identity token. When the LoadProfile option is set, ProcessResponseAsync will extend this principal with the claims from the userinfo endpoint.

I would suggest adding an optional parameter to RefreshTokenAsync to also return the User property. Or is there a reason why you explicitly don't want to do this? I could create a pull request to enable this functionality.
Hi,

Strictly speaking, a refresh token response does not necessarily return an identity token - IIRC IdentityServer does that if initially an OIDC scope was involved. But don't assume that other STSes do it exactly like that.

But good idea - please propose a PR.
What happened to this? What is the correct way to currently refresh a token without losing the User claims? It is not possible to create a new LoginResult from the RefreshToken and set the claims in it, as all of the properties have internal setters.
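One portable way to get a ClaimsPrincipal back after a refresh, added here as an example and not code from the IdentityModel.OidcClient project: rather than relying on an identity token in the refresh response (which, as noted above, not every STS returns), call the userinfo endpoint with the newly issued access token, which is the same source LoadProfile uses at login. The helper name `RefreshWithUser`, the `userInfoEndpoint` URL (normally taken from the provider's discovery document) and `storedRefreshToken` (read from secure storage) are assumptions of this example.

```csharp
// Added example, not part of IdentityModel.OidcClient: rebuild a ClaimsPrincipal after
// RefreshTokenAsync by querying the userinfo endpoint with the new access token.
// Assumes the caller knows the userinfo endpoint URL and holds the refresh token securely.
using System;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityModel.OidcClient;

public static class RefreshWithUser
{
    // Returns the refresh result together with a principal built from userinfo claims.
    // Throws when either step fails so the caller never keeps acting on stale identity data.
    public static async Task<(RefreshTokenResult result, ClaimsPrincipal user)> RefreshAsync(
        OidcClient client, HttpClient http, string userInfoEndpoint, string storedRefreshToken)
    {
        RefreshTokenResult result = await client.RefreshTokenAsync(storedRefreshToken);
        if (result.IsError)
            throw new InvalidOperationException($"refresh failed: {result.Error}");

        // Do not assume the refresh response carries an identity token; the userinfo endpoint,
        // called with the freshly issued access token, works regardless of the STS.
        UserInfoResponse info = await http.GetUserInfoAsync(new UserInfoRequest
        {
            Address = userInfoEndpoint,
            Token = result.AccessToken
        });
        if (info.IsError)
            throw new InvalidOperationException($"userinfo failed: {info.Error}");

        // Name the authentication type so IsAuthenticated is true, as it is for LoginResult.User.
        var identity = new ClaimsIdentity(info.Claims, "oidc", "name", "role");

        // If the STS rotated the refresh token, result.RefreshToken holds the new one and
        // must replace the stored value; the old token should not be reused.
        return (result, new ClaimsPrincipal(identity));
    }
}
```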