Reputation: 3547
When a request like this is made:
https://{redacted}/connect/authorize?client_id=Portal&redirect_uri=https://{redacted}/silent-renew.html&response_type=code&scope=openid profile email&nonce={redacted}&code_challenge={redacted}&code_challenge_method=S256&prompt=none
And the user is already logged in, the process runs through the code flow fine; however, the tokens returned from /connect/token are not updated when the new token is requested at the end of the process, like so:
grant_type: authorization_code
client_id: Portal
code_verifier: {redacted}
code: {redacted}
redirect_uri: https://{redacted}/silent-renew.html
In debug it works fine.
I have tried commenting out EnableAuthorizationRequestCaching() (and the policy line too) to no avail.
I'm not sure if this is part of ASP.NET Identity causing this, or if it's OpenIddict that is the culprit. Before .NET 6 and the update to OpenIddict 3.1 (i.e. version 2 on .NET Core 3.1) this wasn't an issue, however.
I have implemented IUserStore and forced it not to use the Entity Framework caching of entities and instead require it to reload at all times (I know, slow), but that didn't fix it either.
How do you force OpenIddict/Identity Core to update the tokens in this scenario?
Upvotes: 1
Views: 237
Reputation: 3547
Turns out, because of some pass-through code that we used from a sample, the tokens were only being updated if it was a refresh request. Of course, when doing an authorization using the code flow again, this wouldn't execute and the tokens wouldn't be updated.
Removing that solved the problem.
I'm not sure how this only reared its head in release mode, however, since it shouldn't have mattered. Perhaps something in AuthenticateAsync reloads the principal or something in debug but not in production...
Upvotes: 0
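The failure mode the answer describes, a token endpoint that only rebuilds the principal on the refresh_token grant, means a prompt=none silent renew (which arrives as an authorization_code grant) copies whatever claims were in the original principal straight into the new tokens, so role removals or other account changes never reach the client. The following is an added example of a /connect/token handler that reloads the user from the store on both grants; it is not the poster's code or an OpenIddict sample. It assumes OpenIddict 3.x with ASP.NET Core Identity, and the controller name and the ApplicationUser type are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Hypothetical controller; ApplicationUser is assumed to be the app's Identity user type.
public class AuthorizationController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AuthorizationController(UserManager<ApplicationUser> userManager,
                                   SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost("~/connect/token"), Produces("application/json")]
    public async Task<IActionResult> Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        // Both the authorization code and the refresh token carry a principal that OpenIddict
        // has already validated. Its claims are as old as the code or token that was issued,
        // so they must be rebuilt from the user store for BOTH grants, not only refresh_token:
        // a prompt=none silent renew comes in as authorization_code.
        if (request.IsAuthorizationCodeGrantType() || request.IsRefreshTokenGrantType())
        {
            var result = await HttpContext.AuthenticateAsync(
                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

            var user = await _userManager.GetUserAsync(result.Principal);
            if (user is null || !await _signInManager.CanSignInAsync(user))
            {
                // Disabled or deleted accounts must not get fresh tokens from an old code/token.
                return Forbid(
                    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                    properties: new AuthenticationProperties(new Dictionary<string, string?>
                    {
                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                            "The user is no longer allowed to sign in."
                    }));
            }

            // Fresh principal from the store; keep only the scopes the user originally consented to.
            var principal = await _signInManager.CreateUserPrincipalAsync(user);
            principal.SetScopes(result.Principal.GetScopes());

            foreach (var claim in principal.Claims)
                claim.SetDestinations(GetDestinations(claim, principal));

            return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        }

        throw new InvalidOperationException("The specified grant type is not supported.");
    }

    private static IEnumerable<string> GetDestinations(Claim claim, ClaimsPrincipal principal)
    {
        // Claims go to the identity token only when the matching scope was granted;
        // everything else is limited to the access token.
        switch (claim.Type)
        {
            case Claims.Name:
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Profile)) yield return Destinations.IdentityToken;
                yield break;
            case Claims.Email:
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Email)) yield return Destinations.IdentityToken;
                yield break;
            case "AspNet.Identity.SecurityStamp":
                yield break; // never emit the security stamp in any token
            default:
                yield return Destinations.AccessToken;
                yield break;
        }
    }
}
```

The point to check in your own handler is the grant-type condition at the top: if the user reload and principal rebuild sit inside an IsRefreshTokenGrantType() branch only, a silent renew via prompt=none will pass the old principal through untouched, which is the behaviour the answer reports.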