idp not set in IUserService.IsActiveAsync on validating subject in refresh

[mbubnich]

Is there a reason that the identity provider claim (idp) is not set when a refresh token is used to get a new access token in the call to IUserService.IsActiveAsync?

I have an implementation of an IUserService that depending on a configuration value in the client will authenticate the user in different ways against different sets of users (i.e. a custom identity provider based on the client).

To achieve this when the authentication request arrives based on the client id I load the client from the IClientStore. I have extended the client with an IdentityProvider property, using this property I then load an appropriate IIdentityProvider (this interface is basically a copy of the IUserService) and delegate the call to the loaded IIdentityProvider. This identity provider sets the IdentityProvider in the returned AuthenticateResult resulting in the idp claim being set in the ClaimsPrincipal. This idp claim is then used to load the appropriate provider in subsequent call's to GetProfileDataAsync and IsActiveAsync. However when a refresh token is used the call to IsActiveAsync only has the subject id claim, as the subject id can be repeated in different identity providers and provides no indication as to what provider it relates to the call cannot be delegated to an IIdentityProvider.

To work around this I have prepended onto the subject id the provider followed by a '-' that I can then use to workout the appropriate provider. This feels a bit like a hack and I am wondering if I am doing something fundamentally wrong or if there is something I am missing?

[leastprivilege]

Thanks! Working on it.

[leastprivilege]

pushed to nuget v1.0.1