update models and ui for rtm

Author: brockallen

NuGet.config

@@ -4,7 +4,5 @@
     <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
     <add key="Identity* Dev Feed" value="https://www.myget.org/F/identity/" />
   </packageSources>
-  <disabledPackageSources>
-    <add key="Identity* Dev Feed" value="true" />
-  </disabledPackageSources>
+  <disabledPackageSources />
 </configuration>

src/Host/Configuration/Clients.cs

@@ -160,7 +160,7 @@ public static IEnumerable<Client> Get()
 
                     RedirectUris =  { "http://localhost:44077/signin-oidc" },
                     LogoutUri = "http://localhost:44077/signout-oidc",
-                    PostLogoutRedirectUris = { "http://localhost:44077/" },
+                    PostLogoutRedirectUris = { "http://localhost:44077/signout-callback-oidc" },
 
                     AllowedScopes =
                     {
@@ -208,7 +208,7 @@ public static IEnumerable<Client> Get()
 
                     RedirectUris = { "http://localhost:21402/signin-oidc" },
                     LogoutUri = "http://localhost:21402/signout-oidc",
-                    PostLogoutRedirectUris = { "http://localhost:21402/" },
+                    PostLogoutRedirectUris = { "http://localhost:21402/signout-callback-oidc" },
 
                     AllowOfflineAccess = true,
 
@@ -267,7 +267,7 @@ public static IEnumerable<Client> Get()
                         IdentityServerConstants.StandardScopes.OpenId,
                         IdentityServerConstants.StandardScopes.Profile,
                         IdentityServerConstants.StandardScopes.Email,
-                        "api1", "api2.read_only", "api2.full_access"
+                        "api1", "api2.read_only"
                     },
                 },
             };

src/Host/Configuration/Resources.cs

@@ -29,7 +29,7 @@ public static IEnumerable<ApiResource> GetApiResources()
             return new[]
             {
                 // simple version with ctor
-                new ApiResource("api1", "Your API 1")
+                new ApiResource("api1", "Some API 1")
                 {
                     // this is needed for introspection when using reference tokens
                     ApiSecrets = { new Secret("secret".Sha256()) }
@@ -39,8 +39,6 @@ public static IEnumerable<ApiResource> GetApiResources()
                 new ApiResource
                 {
                     Name = "api2",
-                    DisplayName = "Your API 2",
-                    Description = "Something interesting",
 
                     ApiSecrets =
                     {
@@ -50,6 +48,7 @@ public static IEnumerable<ApiResource> GetApiResources()
                     UserClaims =
                     {
                         JwtClaimTypes.Name,
+                        JwtClaimTypes.Email
                     },
 
                     Scopes =
@@ -58,7 +57,6 @@ public static IEnumerable<ApiResource> GetApiResources()
                         {
                             Name = "api2.full_access",
                             DisplayName = "Full access to API 2",
-                            UserClaims = { "email" }
                         },
                         new Scope
                         {

src/Host/Configuration/Users.cs

@@ -3,20 +3,20 @@
 
 
 using IdentityModel;
+using IdentityServer4.Models;
+using IdentityServer4.Quickstart.UI.Filters;
 using IdentityServer4.Quickstart.UI.Models;
+using IdentityServer4.Quickstart.UI.Users;
 using IdentityServer4.Services;
-using IdentityServer4.Services.InMemory;
+using IdentityServer4.Stores;
 using Microsoft.AspNetCore.Http.Authentication;
 using Microsoft.AspNetCore.Mvc;
 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
-using System.Text.Encodings.Web;
+using System.Security.Principal;
 using System.Threading.Tasks;
-using IdentityServer4.Models;
-using IdentityServer4.Stores;
-using Host.Filters;
 
 namespace IdentityServer4.Quickstart.UI.Controllers
 {
@@ -28,16 +28,20 @@ namespace IdentityServer4.Quickstart.UI.Controllers
     [SecurityHeaders]
     public class AccountController : Controller
     {
-        private readonly InMemoryUserLoginService _loginService;
+        private readonly TestUserStore _users;
+
         private readonly IIdentityServerInteractionService _interaction;
         private readonly IClientStore _clientStore;
 
+        // if you want to support Windows authentication, specify the scheme you want to use
+        private readonly string _windowsAuthenticationScheme = "Negotiate";
+
         public AccountController(
-            InMemoryUserLoginService loginService,
+            TestUserStore users,
             IIdentityServerInteractionService interaction,
             IClientStore clientStore)
         {
-            _loginService = loginService;
+            _users = users;
             _interaction = interaction;
             _clientStore = clientStore;
         }
@@ -52,15 +56,15 @@ public async Task<IActionResult> Login(string returnUrl)
             if (context?.IdP != null)
             {
                 // if IdP is passed, then bypass showing the login screen
-                return ExternalLogin(context.IdP, returnUrl);
+                return await ExternalLogin(context.IdP, returnUrl);
             }
 
             var vm = await BuildLoginViewModelAsync(returnUrl, context);
 
             if (vm.EnableLocalLogin == false && vm.ExternalProviders.Count() == 1)
             {
                 // only one option for logging in
-                return ExternalLogin(vm.ExternalProviders.First().AuthenticationScheme, returnUrl);
+                return await ExternalLogin(vm.ExternalProviders.First().AuthenticationScheme, returnUrl);
             }
 
             return View(vm);
@@ -76,10 +80,10 @@ public async Task<IActionResult> Login(LoginInputModel model)
             if (ModelState.IsValid)
             {
                 // validate username/password against in-memory store
-                if (_loginService.ValidateCredentials(model.Username, model.Password))
+                if (_users.ValidateCredentials(model.Username, model.Password))
                 {
                     // issue authentication cookie with subject ID and username
-                    var user = _loginService.FindByUsername(model.Username);
+                    var user = _users.FindByUsername(model.Username);
 
                     AuthenticationProperties props = null;
                     // only set explicit expiration here if persistent. 
@@ -93,7 +97,7 @@ public async Task<IActionResult> Login(LoginInputModel model)
                         };
                     };
 
-                    await HttpContext.Authentication.SignInAsync(user.Subject, user.Username, props);
+                    await HttpContext.Authentication.SignInAsync(user.SubjectId, user.Username, props);
 
                     // make sure the returnUrl is still valid, and if yes - redirect back to authorize endpoint
                     if (_interaction.IsValidReturnUrl(model.ReturnUrl))
@@ -114,13 +118,26 @@ public async Task<IActionResult> Login(LoginInputModel model)
 
         async Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl, AuthorizationRequest context)
         {
-            var providers = HttpContext.Authentication.GetAuthenticationSchemes()
+            var schemes = HttpContext.Authentication.GetAuthenticationSchemes();
+
+            var providers = schemes
                 .Where(x => x.DisplayName != null)
                 .Select(x => new ExternalProvider
                 {
                     DisplayName = x.DisplayName,
                     AuthenticationScheme = x.AuthenticationScheme
+                }).ToList();
+
+            // add Windows provider if present
+            var windows = schemes.FirstOrDefault(s => s.AuthenticationScheme == _windowsAuthenticationScheme);
+            if (windows != null)
+            {
+                providers.Add(new ExternalProvider
+                {
+                    AuthenticationScheme = _windowsAuthenticationScheme,
+                    DisplayName = "Windows"
                 });
+            }
 
             var allowLocal = true;
             if (context?.ClientId != null)
@@ -132,7 +149,7 @@ async Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl, Authorizat
 
                     if (client.IdentityProviderRestrictions != null && client.IdentityProviderRestrictions.Any())
                     {
-                        providers = providers.Where(provider => client.IdentityProviderRestrictions.Contains(provider.AuthenticationScheme));
+                        providers = providers.Where(provider => client.IdentityProviderRestrictions.Contains(provider.AuthenticationScheme)).ToList();
                     }
                 }
             }
@@ -202,13 +219,16 @@ public async Task<IActionResult> Logout(LogoutViewModel model)
                     model.LogoutId = await _interaction.CreateLogoutContextAsync();
                 }
 
-                string url = "/Account/Logout?logoutId=" + model.LogoutId;
+                string url = Url.Action("Logout", new { logoutId = model.LogoutId });
                 try
                 {
                     // hack: try/catch to handle social providers that throw
                     await HttpContext.Authentication.SignOutAsync(idp, new AuthenticationProperties { RedirectUri = url });
                 }
-                catch(NotSupportedException)
+                catch(NotSupportedException) // this is for the external providers that don't have signout
+                {
+                }
+                catch(InvalidOperationException) // this is for Windows/Negotiate
                 {
                 }
             }
@@ -217,7 +237,7 @@ public async Task<IActionResult> Logout(LogoutViewModel model)
             await HttpContext.Authentication.SignOutAsync();
 
             // set this so UI rendering sees an anonymous user
-            HttpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
+            ViewData["signed-out"] = true;
 
             // get context information (client name, post logout redirect URI and iframe for federated signout)
             var logout = await _interaction.GetLogoutContextAsync(model.LogoutId);
@@ -236,21 +256,32 @@ public async Task<IActionResult> Logout(LogoutViewModel model)
         /// initiate roundtrip to external authentication provider
         /// </summary>
         [HttpGet]
-        public IActionResult ExternalLogin(string provider, string returnUrl)
+        public async Task<IActionResult> ExternalLogin(string provider, string returnUrl)
         {
-            if (returnUrl != null)
+            returnUrl = Url.Action("ExternalLoginCallback", new { returnUrl = returnUrl });
+
+            if (provider == _windowsAuthenticationScheme && HttpContext.User is WindowsPrincipal)
             {
-                returnUrl = UrlEncoder.Default.Encode(returnUrl);
-            }
-            returnUrl = "/account/externallogincallback?returnUrl=" + returnUrl;
+                var props = new AuthenticationProperties();
+                props.Items.Add("scheme", _windowsAuthenticationScheme);
+
+                var id = new ClaimsIdentity(provider);
+                id.AddClaim(new Claim(ClaimTypes.NameIdentifier, HttpContext.User.Identity.Name));
+                id.AddClaim(new Claim(ClaimTypes.Name, HttpContext.User.Identity.Name));
 
-            // start challenge and roundtrip the return URL
-            var props = new AuthenticationProperties
+                await HttpContext.Authentication.SignInAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme, new ClaimsPrincipal(id), props);
+                return Redirect(returnUrl);
+            }
+            else
             {
-                RedirectUri = returnUrl, 
-                Items = { { "scheme", provider } }
-            };
-            return new ChallengeResult(provider, props);
+                // start challenge and roundtrip the return URL
+                var props = new AuthenticationProperties
+                {
+                    RedirectUri = returnUrl,
+                    Items = { { "scheme", provider } }
+                };
+                return new ChallengeResult(provider, props);
+            }
         }
 
         /// <summary>
@@ -289,12 +320,12 @@ public async Task<IActionResult> ExternalLoginCallback(string returnUrl)
             var userId = userIdClaim.Value;
 
             // check if the external user is already provisioned
-            var user = _loginService.FindByExternalProvider(provider, userId);
+            var user = _users.FindByExternalProvider(provider, userId);
             if (user == null)
             {
                 // this sample simply auto-provisions new external user
                 // another common approach is to start a registrations workflow first
-                user = _loginService.AutoProvisionUser(provider, userId, claims);
+                user = _users.AutoProvisionUser(provider, userId, claims);
             }
 
             var additionalClaims = new List<Claim>();
@@ -307,7 +338,7 @@ public async Task<IActionResult> ExternalLoginCallback(string returnUrl)
             }
 
             // issue authentication cookie for user
-            await HttpContext.Authentication.SignInAsync(user.Subject, user.Username, provider, additionalClaims.ToArray());
+            await HttpContext.Authentication.SignInAsync(user.SubjectId, user.Username, provider, additionalClaims.ToArray());
 
             // delete temporary cookie used during external authentication
             await HttpContext.Authentication.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

src/Host/Controllers/AccountController.cs

@@ -2,15 +2,15 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using IdentityServer4.Models;
+using IdentityServer4.Quickstart.UI.Filters;
+using IdentityServer4.Quickstart.UI.Models;
 using IdentityServer4.Services;
+using IdentityServer4.Stores;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using System.Linq;
 using System.Threading.Tasks;
-using IdentityServer4.Models;
-using IdentityServer4.Stores;
-using IdentityServer4.Quickstart.UI.Models;
-using Host.Filters;
 
 namespace IdentityServer4.Quickstart.UI.Controllers
 {

src/Host/Controllers/ConsentController.cs

@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
-using Host.Filters;
+using IdentityServer4.Quickstart.UI.Filters;
 using IdentityServer4.Quickstart.UI.Models;
 using IdentityServer4.Services;
 using Microsoft.AspNetCore.Mvc;

src/Host/Controllers/HomeController.cs

@@ -5,7 +5,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 
-namespace Host.Filters
+namespace IdentityServer4.Quickstart.UI.Filters
 {
     public class SecurityHeadersAttribute : ActionFilterAttribute
     {

src/Host/Filters/SecurityHeadersAttribute.cs

@@ -38,6 +38,7 @@ protected override void Up(MigrationBuilder migrationBuilder)
                     AllowOfflineAccess = table.Column<bool>(nullable: false),
                     AllowPlainTextPkce = table.Column<bool>(nullable: false),
                     AllowRememberConsent = table.Column<bool>(nullable: false),
+                    AlwaysIncludeUserClaimsInIdToken = table.Column<bool>(nullable: false),
                     AlwaysSendClientClaims = table.Column<bool>(nullable: false),
                     AuthorizationCodeLifetime = table.Column<int>(nullable: false),
                     ClientId = table.Column<string>(maxLength: 200, nullable: false),

src/Host/Migrations/IdentityServer/ConfigurationDb/20161207131859_Config.Designer.cs src/Host/Migrations/IdentityServer/ConfigurationDb/20161221000731_Config.Designer.cs

@@ -13,7 +13,7 @@ partial class ConfigurationDbContextModelSnapshot : ModelSnapshot
         protected override void BuildModel(ModelBuilder modelBuilder)
         {
             modelBuilder
-                .HasAnnotation("ProductVersion", "1.0.1")
+                .HasAnnotation("ProductVersion", "1.1.0-rtm-22752")
                 .HasAnnotation("SqlServer:ValueGenerationStrategy", SqlServerValueGenerationStrategy.IdentityColumn);
 
             modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.ApiResource", b =>
@@ -158,6 +158,8 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 
                     b.Property<bool>("AllowRememberConsent");
 
+                    b.Property<bool>("AlwaysIncludeUserClaimsInIdToken");
+
                     b.Property<bool>("AlwaysSendClientClaims");
 
                     b.Property<int>("AuthorizationCodeLifetime");

src/Host/Migrations/IdentityServer/ConfigurationDb/20161207131859_Config.cs src/Host/Migrations/IdentityServer/ConfigurationDb/20161221000731_Config.cs

@@ -13,7 +13,7 @@ partial class PersistedGrantDbContextModelSnapshot : ModelSnapshot
         protected override void BuildModel(ModelBuilder modelBuilder)
         {
             modelBuilder
-                .HasAnnotation("ProductVersion", "1.0.1")
+                .HasAnnotation("ProductVersion", "1.1.0-rtm-22752")
                 .HasAnnotation("SqlServer:ValueGenerationStrategy", SqlServerValueGenerationStrategy.IdentityColumn);
 
             modelBuilder.Entity("IdentityServer4.EntityFramework.Entities.PersistedGrant", b =>

src/Host/Migrations/IdentityServer/ConfigurationDb/ConfigurationDbContextModelSnapshot.cs

@@ -30,9 +30,9 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddIdentityServer()
                 .AddTemporarySigningCredential()
-                .AddInMemoryUsers(Users.Get())
                 .AddSecretParser<ClientAssertionSecretParser>()
                 .AddSecretValidator<PrivateKeyJwtSecretValidator>()
+                .AddTestUsers()
 
                 .AddConfigurationStore(builder =>
                     builder.UseSqlServer(connectionString,

src/Host/Migrations/IdentityServer/PersistedGrantDb/20161207131854_Grants.Designer.cs src/Host/Migrations/IdentityServer/PersistedGrantDb/20161221000717_Grants.Designer.cs

@@ -0,0 +1,21 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using IdentityServer4.Quickstart.UI.Users;
+using System.Collections.Generic;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    public static class IdentityServerBuilderExtensions
+    {
+        public static IIdentityServerBuilder AddTestUsers(this IIdentityServerBuilder builder, List<TestUser> users = null)
+        {
+            builder.Services.AddSingleton(new TestUserStore(users ?? TestUsers.Users));
+            builder.AddProfileService<TestUserProfileService>();
+            builder.AddResourceOwnerValidator<TestUserResourceOwnerPasswordValidator>();
+
+            return builder;
+        }
+    }
+}

src/Host/Migrations/IdentityServer/PersistedGrantDb/20161207131854_Grants.cs src/Host/Migrations/IdentityServer/PersistedGrantDb/20161221000717_Grants.cs

@@ -0,0 +1,46 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using IdentityModel;
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace IdentityServer4.Quickstart.UI.Users
+{
+    /// <summary>
+    /// In-memory user object for testing. Not intended for modeling users in production.
+    /// </summary>
+    public class TestUser
+    {
+        /// <summary>
+        /// Gets or sets the subject identifier.
+        /// </summary>
+        public string SubjectId { get; set; }
+
+        /// <summary>
+        /// Gets or sets the username.
+        /// </summary>
+        public string Username { get; set; }
+
+        /// <summary>
+        /// Gets or sets the password.
+        /// </summary>
+        public string Password { get; set; }
+
+        /// <summary>
+        /// Gets or sets the provider name.
+        /// </summary>
+        public string ProviderName { get; set; }
+
+        /// <summary>
+        /// Gets or sets the provider subject identifier.
+        /// </summary>
+        public string ProviderSubjectId { get; set; }
+
+        /// <summary>
+        /// Gets or sets the claims.
+        /// </summary>
+        public ICollection<Claim> Claims { get; set; } = new HashSet<Claim>(new ClaimComparer());
+    }
+}

src/Host/Migrations/IdentityServer/PersistedGrantDb/PersistedGrantDbContextModelSnapshot.cs

@@ -0,0 +1,37 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using IdentityServer4.Extensions;
+using IdentityServer4.Models;
+using IdentityServer4.Services;
+using System.Threading.Tasks;
+
+namespace IdentityServer4.Quickstart.UI.Users
+{
+    public class TestUserProfileService : IProfileService
+    {
+        private readonly TestUserStore _users;
+
+        public TestUserProfileService(TestUserStore users)
+        {
+            _users = users;
+        }
+
+        public Task GetProfileDataAsync(ProfileDataRequestContext context)
+        {
+            var user = _users.FindBySubjectId(context.Subject.GetSubjectId());
+
+            context.AddFilteredClaims(user.Claims);
+
+            return Task.FromResult(0);
+        }
+
+        public Task IsActiveAsync(IsActiveContext context)
+        {
+            context.IsActive = true;
+
+            return Task.FromResult(0);
+        }
+    }
+}

src/Host/Models/LoggedOutViewModel.cs src/Host/Models/Account/LoggedOutViewModel.cs

@@ -0,0 +1,31 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using IdentityModel;
+using IdentityServer4.Validation;
+using System.Threading.Tasks;
+
+namespace IdentityServer4.Quickstart.UI.Users
+{
+    public class TestUserResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
+    {
+        private readonly TestUserStore _users;
+
+        public TestUserResourceOwnerPasswordValidator(TestUserStore users)
+        {
+            _users = users;
+        }
+
+        public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
+        {
+            if (_users.ValidateCredentials(context.UserName, context.Password))
+            {
+                var user = _users.FindByUsername(context.UserName);
+                context.Result = new GrantValidationResult(user.SubjectId, OidcConstants.AuthenticationMethods.Password, user.Claims);
+            }
+
+            return Task.FromResult(0);
+        }
+    }
+}

src/Host/Models/LoginInputModel.cs src/Host/Models/Account/LoginInputModel.cs

@@ -0,0 +1,116 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using IdentityModel;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
+using System.Security.Claims;
+using System;
+
+namespace IdentityServer4.Quickstart.UI.Users
+{
+    public class TestUserStore
+    {
+        private readonly List<TestUser> _users;
+
+        public TestUserStore(List<TestUser> users)
+        {
+            _users = users;
+        }
+
+        public bool ValidateCredentials(string username, string password)
+        {
+            var user = FindByUsername(username);
+            if (user != null)
+            {
+                return user.Password.Equals(password);
+            }
+
+            return false;
+        }
+
+        public TestUser FindBySubjectId(string subjectId)
+        {
+            return _users.FirstOrDefault(x => x.SubjectId == subjectId);
+        }
+
+        public TestUser FindByUsername(string username)
+        {
+            return _users.FirstOrDefault(x => x.Username.Equals(username, StringComparison.OrdinalIgnoreCase));
+        }
+
+        public TestUser FindByExternalProvider(string provider, string userId)
+        {
+            return _users.FirstOrDefault(x =>
+                x.ProviderName == provider &&
+                x.ProviderSubjectId == userId);
+        }
+
+        public TestUser AutoProvisionUser(string provider, string userId, List<Claim> claims)
+        {
+            // create a list of claims that we want to transfer into our store
+            var filtered = new List<Claim>();
+
+            foreach (var claim in claims)
+            {
+                // if the external system sends a display name - translate that to the standard OIDC name claim
+                if (claim.Type == ClaimTypes.Name)
+                {
+                    filtered.Add(new Claim(JwtClaimTypes.Name, claim.Value));
+                }
+                // if the JWT handler has an outbound mapping to an OIDC claim use that
+                else if (JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.ContainsKey(claim.Type))
+                {
+                    filtered.Add(new Claim(JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap[claim.Type], claim.Value));
+                }
+                // copy the claim as-is
+                else
+                {
+                    filtered.Add(claim);
+                }
+            }
+
+            // if no display name was provided, try to construct by first and/or last name
+            if (!filtered.Any(x => x.Type == JwtClaimTypes.Name))
+            {
+                var first = filtered.FirstOrDefault(x => x.Type == JwtClaimTypes.GivenName)?.Value;
+                var last = filtered.FirstOrDefault(x => x.Type == JwtClaimTypes.FamilyName)?.Value;
+                if (first != null && last != null)
+                {
+                    filtered.Add(new Claim(JwtClaimTypes.Name, first + " " + last));
+                }
+                else if (first != null)
+                {
+                    filtered.Add(new Claim(JwtClaimTypes.Name, first));
+                }
+                else if (last != null)
+                {
+                    filtered.Add(new Claim(JwtClaimTypes.Name, last));
+                }
+            }
+
+            // create a new unique subject id
+            var sub = CryptoRandom.CreateUniqueId();
+
+            // check if a display name is available, otherwise fallback to subject id
+            var name = filtered.FirstOrDefault(c => c.Type == JwtClaimTypes.Name)?.Value ?? sub;
+
+            // create new user
+            var user = new TestUser()
+            {
+                SubjectId = sub,
+                Username = name,
+                ProviderName = provider,
+                ProviderSubjectId = userId,
+                Claims = filtered
+            };
+
+            // add user to in-memory store
+            _users.Add(user);
+
+            return user;
+        }
+    }
+}

src/Host/Models/LoginViewModel.cs src/Host/Models/Account/LoginViewModel.cs

@@ -0,0 +1,42 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using IdentityModel;
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace IdentityServer4.Quickstart.UI.Users
+{
+    public class TestUsers
+    {
+        public static List<TestUser> Users = new List<TestUser>
+        {
+            new TestUser{SubjectId = "818727", Username = "alice", Password = "alice", 
+                Claims = 
+                {
+                    new Claim(JwtClaimTypes.Name, "Alice Smith"),
+                    new Claim(JwtClaimTypes.GivenName, "Alice"),
+                    new Claim(JwtClaimTypes.FamilyName, "Smith"),
+                    new Claim(JwtClaimTypes.Email, "AliceSmith@email.com"),
+                    new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
+                    new Claim(JwtClaimTypes.WebSite, "http://alice.com"),
+                    new Claim(JwtClaimTypes.Address, @"{ 'street_address': 'One Hacker Way', 'locality': 'Heidelberg', 'postal_code': 69118, 'country': 'Germany' }", IdentityServerConstants.ClaimValueTypes.Json)
+                }
+            },
+            new TestUser{SubjectId = "88421113", Username = "bob", Password = "bob", 
+                Claims = 
+                {
+                    new Claim(JwtClaimTypes.Name, "Bob Smith"),
+                    new Claim(JwtClaimTypes.GivenName, "Bob"),
+                    new Claim(JwtClaimTypes.FamilyName, "Smith"),
+                    new Claim(JwtClaimTypes.Email, "BobSmith@email.com"),
+                    new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
+                    new Claim(JwtClaimTypes.WebSite, "http://bob.com"),
+                    new Claim(JwtClaimTypes.Address, @"{ 'street_address': 'One Hacker Way', 'locality': 'Heidelberg', 'postal_code': 69118, 'country': 'Germany' }", IdentityServerConstants.ClaimValueTypes.Json),
+                    new Claim("location", "somewhere"),
+                }
+            },
+        };
+    }
+}

src/Host/Models/LogoutViewModel.cs src/Host/Models/Account/LogoutViewModel.cs

@@ -1,4 +1,4 @@
-@model IdentityServer4.Quickstart.UI.Models.LoggedOutViewModel
+@model LoggedOutViewModel
 
 <div class="page-header logged-out">
     <h1>

src/Host/Models/ConsentInputModel.cs src/Host/Models/Consent/ConsentInputModel.cs

@@ -1,4 +1,4 @@
-@model IdentityServer4.Quickstart.UI.Models.LoginViewModel
+@model LoginViewModel
 
 <div class="login-page">
     <div class="page-header">

src/Host/Models/ConsentViewModel.cs src/Host/Models/Consent/ConsentViewModel.cs

@@ -1,4 +1,4 @@
-@model IdentityServer4.Quickstart.UI.Models.LogoutViewModel
+@model LogoutViewModel
 
 <div class="logout-page">
     <div class="page-header">

src/Host/Models/ErrorViewModel.cs src/Host/Models/Home/ErrorViewModel.cs

@@ -1,4 +1,4 @@
-@model IdentityServer4.Quickstart.UI.Models.ConsentViewModel
+@model ConsentViewModel
 
 <div class="page-consent">
     <div class="row page-header">

src/Host/Startup.cs

@@ -1,4 +1,4 @@
-@model IdentityServer4.Quickstart.UI.Models.ScopeViewModel
+@model ScopeViewModel
 
 <li class="list-group-item">
     <label>

src/Host/Users/IdentityServerBuilderExtensions.cs

@@ -1,4 +1,4 @@
-@model IdentityServer4.Quickstart.UI.Models.ErrorViewModel
+@model ErrorViewModel
 
 @{
     var error = Model?.Error?.Error;

src/Host/Users/TestUser.cs

@@ -1,4 +1,13 @@
-<!DOCTYPE html>
+@using IdentityServer4.Extensions
+@{ 
+    string name = null;
+    if (!true.Equals(ViewData["signed-out"]))
+    {
+        var user = await Context.GetIdentityServerUserAsync();
+        name = user?.FindFirst("name")?.Value;
+    }
+}
+<!DOCTYPE html>
 <html>
 <head>
     <meta charset="utf-8" />
@@ -27,11 +36,11 @@
                 </a>
             </div>
 
-            @if (User.Identity.IsAuthenticated)
+            @if (name != null)
             {
                 <ul class="nav navbar-nav">
                     <li class="dropdown">
-                        <a href="#" class="dropdown-toggle" data-toggle="dropdown">@User.Identity.Name <b class="caret"></b></a>
+                        <a href="#" class="dropdown-toggle" data-toggle="dropdown">@name <b class="caret"></b></a>
                         <ul class="dropdown-menu">
                             <li><a asp-action="Logout" asp-controller="Account">Logout</a></li>
                         </ul>

src/Host/Users/TestUserProfileService.cs

@@ -1 +1,2 @@
-@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@using IdentityServer4.Quickstart.UI.Models
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

src/Host/Users/TestUserResourceOwnerPasswordValidator.cs

@@ -21,6 +21,7 @@ public class Client
         public string LogoUri { get; set; }
         public bool RequireConsent { get; set; } = true;
         public bool AllowRememberConsent { get; set; } = true;
+        public bool AlwaysIncludeUserClaimsInIdToken { get; set; }
         public List<ClientGrantType> AllowedGrantTypes { get; set; }
         public bool RequirePkce { get; set; }
         public bool AllowPlainTextPkce { get; set; }

src/Host/Users/TestUserStore.cs

@@ -13,7 +13,7 @@ public class PersistedGrant
         public string SubjectId { get; set; }
         public string ClientId { get; set; }
         public DateTime CreationTime { get; set; }
-        public DateTime Expiration { get; set; }
+        public DateTime? Expiration { get; set; }
         public string Data { get; set; }
     }
 }

src/Host/Users/TestUsers.cs

@@ -11,7 +11,7 @@
   },
 
   "dependencies": {
-    "IdentityServer4": "1.0.0-rc5",
+    "IdentityServer4": "1.0.0-rc5-build00613",
     "Microsoft.EntityFrameworkCore": "1.1.0",
     "Microsoft.EntityFrameworkCore.Relational": "1.1.0",
     "AutoMapper": "5.1.1"

src/Host/Views/Account/LoggedOut.cshtml

@@ -213,7 +213,7 @@ public void Store_should_update_record_if_key_already_exists(DbContextOptions<Pe
                 context.SaveChanges();
             }
 
-            var newDate = persistedGrant.Expiration.AddHours(1);
+            var newDate = persistedGrant.Expiration.Value.AddHours(1);
             using (var context = new PersistedGrantDbContext(options, StoreOptions))
             {
                 var store = new PersistedGrantStore(context, FakeLogger<PersistedGrantStore>.Create());