I’m migrating from IdentityServer4 to OpenIddict. Previously, I had functionality that associated refresh tokens with sign-in sessions. This was done so that refresh tokens could be revoked if the corresponding session was invalidated.
Now, in OpenIddict, I’m unsure of the best practice to replicate this. Should I store the session ID in the token properties? Extend the token schema? Or add the sessionId to the authorization properties?
I tried setting the properties during sign-in:
using System.Collections.Generic;
using IdentityModel;                      // OidcConstants
using Microsoft.AspNetCore.Authentication;
using OpenIddict.Server.AspNetCore;

// sessionId is the identifier of the current interactive sign-in session.
var authProperties = new AuthenticationProperties(new Dictionary<string, string>
{
    [OidcConstants.Claims.SessionId] = sessionId
});
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return SignIn(claimsPrincipal, authProperties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
However, the properties were not present in either the token or the authorization.
Should I instead decode the token payload and extract the sessionId claim from there? But if I’m using reference tokens, how would I handle that?
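For comparison, here is an added example (not part of the question above and not OpenIddict's own code) that takes a different route from the one tried in the question: instead of putting the session id into `AuthenticationProperties`, it adds it to the principal as a `sid` claim, which OpenIddict serialises into the refresh token, and then checks the session's validity when the refresh-token grant is used. This is a check-at-refresh approach rather than store-side revocation of the refresh token, and it works for reference tokens as well, because OpenIddict resolves the reference server-side before the principal reaches the token endpoint handler. The `ISessionStore` interface, the `SignInWithSession` helper, the claim name `"sid"` and the endpoint routes are assumptions; the `SetDestinations`, `GetOpenIddictServerRequest`, `IsRefreshTokenGrantType`, `Forbid` and `SignIn` usage follows OpenIddict's public API.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Hypothetical application service: knows which sign-in sessions are still alive.
public interface ISessionStore
{
    Task<bool> IsActiveAsync(string sessionId);
}

public class AuthorizationController : Controller
{
    // "sid" is the OpenID Connect session-identifier claim name (assumed here).
    private const string SessionIdClaim = "sid";
    private readonly ISessionStore _sessions;

    public AuthorizationController(ISessionStore sessions) => _sessions = sessions;

    // Called once the user has authenticated at the authorization endpoint.
    // sessionId is assumed to come from the application's own sign-in cookie/session.
    private ActionResult SignInWithSession(ClaimsIdentity identity, string sessionId)
    {
        // Carry the session id as a claim: OpenIddict serialises the principal's claims
        // into the (encrypted) refresh token, so it is available again on refresh.
        identity.AddClaim(new Claim(SessionIdClaim, sessionId));

        var principal = new ClaimsPrincipal(identity);
        principal.SetDestinations(claim => claim.Type switch
        {
            // Optionally expose the session id in access and identity tokens too.
            SessionIdClaim => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            Claims.Name    => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            _              => new[] { Destinations.AccessToken },
        });

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }

    [HttpPost("~/connect/token"), Produces("application/json")]
    public async Task<IActionResult> Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenIddict request cannot be retrieved.");

        if (request.IsRefreshTokenGrantType())
        {
            // OpenIddict has already validated the refresh token (signature, expiry, revocation)
            // and resolved reference tokens; the principal it was issued with is available here.
            var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
            var principal = result.Principal
                ?? throw new InvalidOperationException("The refresh token principal cannot be retrieved.");

            var sessionId = principal.FindFirst(SessionIdClaim)?.Value;
            if (sessionId is null || !await _sessions.IsActiveAsync(sessionId))
            {
                // The sign-in session was ended (logout, admin revocation, timeout):
                // refuse to mint new tokens from this refresh token.
                return Forbid(
                    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                    properties: new AuthenticationProperties(new Dictionary<string, string?>
                    {
                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                            "The sign-in session associated with this refresh token is no longer valid."
                    }));
            }

            // Session still valid: re-issue tokens from the same principal (claims and sid intact).
            return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        }

        throw new InvalidOperationException("The specified grant type is not supported.");
    }
}
```

The trade-off versus revoking the stored token outright: invalidating the session takes effect at the next refresh rather than immediately, but no extra column or token property is needed and the same check applies whether tokens are self-contained or reference tokens. If immediate revocation is required, the `sid` claim can still be combined with OpenIddict's token store, e.g. by recording the token id against the session id in the application's own session table at sign-in.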