[pull] dev from openiddict:dev

.editorconfig

@@ -97,6 +97,7 @@ csharp_using_directive_placement = outside_namespace
 dotnet_code_quality_unused_parameters = all
 dotnet_diagnostic.CA1510.severity = none
 dotnet_diagnostic.CA2254.severity = none
+dotnet_diagnostic.IDE0002.severity = none
 dotnet_diagnostic.IDE0305.severity = none
 dotnet_naming_rule.interface_should_be_begins_with_i.severity = suggestion
 dotnet_naming_rule.interface_should_be_begins_with_i.style = begins_with_i

eng/Versions.props

@@ -5,9 +5,9 @@
     <MinorVersion>0</MinorVersion>
     <PatchVersion>0</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
-    <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
+    <PreReleaseVersionLabel>preview2</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
-    <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
+    <PreReleaseBrandingLabel>Preview 2</PreReleaseBrandingLabel>
     <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>

global.json

@@ -10,7 +10,7 @@
 
     "runtimes": {
       "aspnetcore": [
-        "6.0.32",
+        "6.0.33",
         "8.0.8"
       ]
     }

sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs

@@ -139,7 +139,7 @@ public async Task<ActionResult> Authorize()
             // return an authorization response without displaying the consent form.
             case ConsentTypes.Implicit:
             case ConsentTypes.External when authorizations.Count is not 0:
-            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(Prompts.Consent):
+            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(PromptValues.Consent):
                 // Create the claims-based identity that will be used by OpenIddict to generate tokens.
                 var identity = new ClaimsIdentity(
                     authenticationType: OpenIddictServerOwinDefaults.AuthenticationType,
@@ -178,8 +178,8 @@ public async Task<ActionResult> Authorize()
 
             // At this point, no authorization was found in the database and an error must be returned
             // if the client application specified prompt=none in the authorization request.
-            case ConsentTypes.Explicit   when request.HasPrompt(Prompts.None):
-            case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
+            case ConsentTypes.Explicit   when request.HasPrompt(PromptValues.None):
+            case ConsentTypes.Systematic when request.HasPrompt(PromptValues.None):
                 context.Authentication.Challenge(
                     authenticationTypes: OpenIddictServerOwinDefaults.AuthenticationType,
                     properties: new AuthenticationProperties(new Dictionary<string, string>

sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs

@@ -71,13 +71,13 @@ public async Task<IActionResult> Authorize()
         // For scenarios where the default authentication handler configured in the ASP.NET Core
         // authentication options shouldn't be used, a specific scheme can be specified here.
         var result = await HttpContext.AuthenticateAsync();
-        if (result == null || !result.Succeeded || request.HasPrompt(Prompts.Login) ||
+        if (result == null || !result.Succeeded || request.HasPrompt(PromptValues.Login) ||
            (request.MaxAge != null && result.Properties?.IssuedUtc != null &&
             DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)))
         {
             // If the client application requested promptless authentication,
             // return an error indicating that the user is not logged in.
-            if (request.HasPrompt(Prompts.None))
+            if (request.HasPrompt(PromptValues.None))
             {
                 return Forbid(
                     authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
@@ -90,7 +90,7 @@ public async Task<IActionResult> Authorize()
 
             // To avoid endless login -> authorization redirects, the prompt=login flag
             // is removed from the authorization request payload before redirecting the user.
-            var prompt = string.Join(" ", request.GetPrompts().Remove(Prompts.Login));
+            var prompt = string.Join(" ", request.GetPrompts().Remove(PromptValues.Login));
 
             var parameters = Request.HasFormContentType ?
                 Request.Form.Where(parameter => parameter.Key != Parameters.Prompt).ToList() :
@@ -173,7 +173,7 @@ public async Task<IActionResult> Authorize()
             // return an authorization response without displaying the consent form.
             case ConsentTypes.Implicit:
             case ConsentTypes.External when authorizations.Count is not 0:
-            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(Prompts.Consent):
+            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(PromptValues.Consent):
                 // Create the claims-based identity that will be used by OpenIddict to generate tokens.
                 var identity = new ClaimsIdentity(
                     authenticationType: TokenValidationParameters.DefaultAuthenticationType,
@@ -210,8 +210,8 @@ public async Task<IActionResult> Authorize()
 
             // At this point, no authorization was found in the database and an error must be returned
             // if the client application specified prompt=none in the authorization request.
-            case ConsentTypes.Explicit   when request.HasPrompt(Prompts.None):
-            case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
+            case ConsentTypes.Explicit   when request.HasPrompt(PromptValues.None):
+            case ConsentTypes.Systematic when request.HasPrompt(PromptValues.None):
                 return Forbid(
                     authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                     properties: new AuthenticationProperties(new Dictionary<string, string>

src/OpenIddict.Abstractions/Managers/IOpenIddictAuthorizationManager.cs

@@ -394,6 +394,22 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     /// <returns>The number of authorizations that were removed.</returns>
     ValueTask<long> PruneAsync(DateTimeOffset threshold, CancellationToken cancellationToken = default);
 
+    /// <summary>
+    /// Revokes all the authorizations associated with the specified application identifier.
+    /// </summary>
+    /// <param name="identifier">The application identifier associated with the authorizations.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of authorizations associated with the specified application that were marked as revoked.</returns>
+    ValueTask<long> RevokeByApplicationIdAsync(string identifier, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Revokes all the authorizations associated with the specified subject.
+    /// </summary>
+    /// <param name="subject">The subject associated with the authorizations.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of authorizations associated with the specified subject that were marked as revoked.</returns>
+    ValueTask<long> RevokeBySubjectAsync(string subject, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Tries to revoke an authorization.
     /// </summary>

src/OpenIddict.Abstractions/Managers/IOpenIddictTokenManager.cs

@@ -409,6 +409,14 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     /// <returns>The number of tokens that were removed.</returns>
     ValueTask<long> PruneAsync(DateTimeOffset threshold, CancellationToken cancellationToken = default);
 
+    /// <summary>
+    /// Revokes all the tokens associated with the specified application identifier.
+    /// </summary>
+    /// <param name="identifier">The application identifier associated with the tokens.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of tokens associated with the specified application that were marked as revoked.</returns>
+    ValueTask<long> RevokeByApplicationIdAsync(string identifier, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Revokes all the tokens associated with the specified authorization identifier.
     /// </summary>
@@ -417,6 +425,14 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     /// <returns>The number of tokens associated with the specified authorization that were marked as revoked.</returns>
     ValueTask<long> RevokeByAuthorizationIdAsync(string identifier, CancellationToken cancellationToken = default);
 
+    /// <summary>
+    /// Revokes all the tokens associated with the specified subject.
+    /// </summary>
+    /// <param name="subject">The subject associated with the tokens.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of tokens associated with the specified subject that were marked as revoked.</returns>
+    ValueTask<long> RevokeBySubjectAsync(string subject, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Tries to redeem a token.
     /// </summary>

src/OpenIddict.Abstractions/OpenIddictConstants.cs

@@ -295,6 +295,7 @@ public static class Metadata
         public const string MtlsEndpointAliases = "mtls_endpoint_aliases";
         public const string OpPolicyUri = "op_policy_uri";
         public const string OpTosUri = "op_tos_uri";
+        public const string PromptValuesSupported = "prompt_values_supported";
         public const string RequestObjectEncryptionAlgValuesSupported = "request_object_encryption_alg_values_supported";
         public const string RequestObjectEncryptionEncValuesSupported = "request_object_encryption_enc_values_supported";
         public const string RequestObjectSigningAlgValuesSupported = "request_object_signing_alg_values_supported";
@@ -430,9 +431,10 @@ public static class Scopes
         }
     }
 
-    public static class Prompts
+    public static class PromptValues
     {
         public const string Consent = "consent";
+        public const string Create = "create";
         public const string Login = "login";
         public const string None = "none";
         public const string SelectAccount = "select_account";

src/OpenIddict.Abstractions/OpenIddictResources.resx

@@ -365,12 +365,6 @@ Consider using 'options.AddSigningCredentials(SigningCredentials)' instead.</val
   <data name="ID0072" xml:space="preserve">
     <value>Endpoint URIs must be valid URIs.</value>
   </data>
-  <data name="ID0073" xml:space="preserve">
-    <value>Claims cannot be null or empty.</value>
-  </data>
-  <data name="ID0074" xml:space="preserve">
-    <value>Scopes cannot be null or empty.</value>
-  </data>
   <data name="ID0075" xml:space="preserve">
     <value>The security token handler cannot be null.</value>
   </data>
@@ -1704,6 +1698,9 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
   <data name="ID0456" xml:space="preserve">
     <value>The specified client authentication method/token binding methods combination is not valid.</value>
   </data>
+  <data name="ID0457" xml:space="preserve">
+    <value>The '{0}' parameter cannot contain null or empty values.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>
@@ -2379,7 +2376,7 @@ The principal used to create the token contained the following claims: {Claims}.
     <value>The authorization request was rejected because the '{Scope}' scope was missing.</value>
   </data>
   <data name="ID6040" xml:space="preserve">
-    <value>The authorization request was rejected because an invalid prompt parameter was specified.</value>
+    <value>The authorization request was rejected because an invalid prompt combination was specified.</value>
   </data>
   <data name="ID6041" xml:space="preserve">
     <value>The authorization request was rejected because the specified code challenge method was not supported.</value>
@@ -2892,6 +2889,9 @@ This may indicate that the hashed entry is corrupted or malformed.</value>
   <data name="ID6232" xml:space="preserve">
     <value>An error was returned by ASWebAuthenticationSession while trying to start a sign-out operation.</value>
   </data>
+  <data name="ID6233" xml:space="preserve">
+    <value>The authorization request was rejected because an unsupported prompt parameter was specified.</value>
+  </data>
   <data name="ID8000" xml:space="preserve">
     <value>https://documentation.openiddict.com/errors/{0}</value>
   </data>

src/OpenIddict.Abstractions/Stores/IOpenIddictAuthorizationStore.cs

@@ -279,6 +279,22 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     /// <returns>The number of authorizations that were removed.</returns>
     ValueTask<long> PruneAsync(DateTimeOffset threshold, CancellationToken cancellationToken);
 
+    /// <summary>
+    /// Revokes all the authorizations associated with the specified application identifier.
+    /// </summary>
+    /// <param name="identifier">The application identifier associated with the authorizations.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of authorizations associated with the specified application that were marked as revoked.</returns>
+    ValueTask<long> RevokeByApplicationIdAsync(string identifier, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Revokes all the authorizations associated with the specified subject.
+    /// </summary>
+    /// <param name="subject">The subject associated with the authorizations.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of authorizations associated with the specified subject that were marked as revoked.</returns>
+    ValueTask<long> RevokeBySubjectAsync(string subject, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Sets the application identifier associated with an authorization.
     /// </summary>

src/OpenIddict.Abstractions/Stores/IOpenIddictTokenStore.cs

@@ -326,6 +326,14 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     /// <returns>The number of tokens that were removed.</returns>
     ValueTask<long> PruneAsync(DateTimeOffset threshold, CancellationToken cancellationToken);
 
+    /// <summary>
+    /// Revokes all the tokens associated with the specified application identifier.
+    /// </summary>
+    /// <param name="identifier">The application identifier associated with the tokens.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of tokens associated with the specified application that were marked as revoked.</returns>
+    ValueTask<long> RevokeByApplicationIdAsync(string identifier, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Revokes all the tokens associated with the specified authorization identifier.
     /// </summary>
@@ -334,6 +342,14 @@ IAsyncEnumerable<TResult> ListAsync<TState, TResult>(
     /// <returns>The number of tokens associated with the specified authorization that were marked as revoked.</returns>
     ValueTask<long> RevokeByAuthorizationIdAsync(string identifier, CancellationToken cancellationToken);
 
+    /// <summary>
+    /// Revokes all the tokens associated with the specified subject.
+    /// </summary>
+    /// <param name="subject">The subject associated with the tokens.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of tokens associated with the specified subject that were marked as revoked.</returns>
+    ValueTask<long> RevokeBySubjectAsync(string subject, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Sets the application identifier associated with a token.
     /// </summary>

src/OpenIddict.Core/Managers/OpenIddictAuthorizationManager.cs

@@ -1028,6 +1028,38 @@ public virtual async ValueTask PopulateAsync(
     public virtual ValueTask<long> PruneAsync(DateTimeOffset threshold, CancellationToken cancellationToken = default)
         => Store.PruneAsync(threshold, cancellationToken);
 
+    /// <summary>
+    /// Revokes all the authorizations associated with the specified application identifier.
+    /// </summary>
+    /// <param name="identifier">The application identifier associated with the authorizations.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of authorizations associated with the specified application that were marked as revoked.</returns>
+    public virtual ValueTask<long> RevokeByApplicationIdAsync(string identifier, CancellationToken cancellationToken = default)
+    {
+        if (string.IsNullOrEmpty(identifier))
+        {
+            throw new ArgumentException(SR.GetResourceString(SR.ID0195), nameof(identifier));
+        }
+
+        return Store.RevokeByApplicationIdAsync(identifier, cancellationToken);
+    }
+
+    /// <summary>
+    /// Revokes all the authorizations associated with the specified subject.
+    /// </summary>
+    /// <param name="subject">The subject associated with the authorizations.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+    /// <returns>The number of authorizations associated with the specified subject that were marked as revoked.</returns>
+    public virtual ValueTask<long> RevokeBySubjectAsync(string subject, CancellationToken cancellationToken = default)
+    {
+        if (string.IsNullOrEmpty(subject))
+        {
+            throw new ArgumentException(SR.GetResourceString(SR.ID0195), nameof(subject));
+        }
+
+        return Store.RevokeBySubjectAsync(subject, cancellationToken);
+    }
+
     /// <summary>
     /// Tries to revoke an authorization.
     /// </summary>
@@ -1337,6 +1369,14 @@ ValueTask IOpenIddictAuthorizationManager.PopulateAsync(object authorization, Op
     ValueTask<long> IOpenIddictAuthorizationManager.PruneAsync(DateTimeOffset threshold, CancellationToken cancellationToken)
         => PruneAsync(threshold, cancellationToken);
 
+    /// <inheritdoc/>
+    ValueTask<long> IOpenIddictAuthorizationManager.RevokeByApplicationIdAsync(string identifier, CancellationToken cancellationToken)
+        => RevokeByApplicationIdAsync(identifier, cancellationToken);
+
+    /// <inheritdoc/>
+    ValueTask<long> IOpenIddictAuthorizationManager.RevokeBySubjectAsync(string subject, CancellationToken cancellationToken)
+        => RevokeBySubjectAsync(subject, cancellationToken);
+
     /// <inheritdoc/>
     ValueTask<bool> IOpenIddictAuthorizationManager.TryRevokeAsync(object authorization, CancellationToken cancellationToken)
         => TryRevokeAsync((TAuthorization) authorization, cancellationToken);