Add response_mode=query support for OpenID Connect

src/Microsoft.Owin.Security.OpenIdConnect/Notifications/AuthorizationCodeReceivedNotification.cs

@@ -36,6 +36,11 @@ public AuthorizationCodeReceivedNotification(IOwinContext context, OpenIdConnect
         /// </summary>
         public JwtSecurityToken JwtSecurityToken { get; set; }
 
+        /// <summary>
+        /// The request that will be sent to the token endpoint and is available for customization.
+        /// </summary>
+        public OpenIdConnectMessage TokenEndpointRequest { get; set; }
+
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -67,6 +67,14 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
                 Options.TokenValidationParameters.ValidAudience = Options.ClientId;
             }
 
+            if (Options.Backchannel == null)
+            {
+                Options.Backchannel = new HttpClient(ResolveHttpMessageHandler(Options));
+                Options.Backchannel.DefaultRequestHeaders.UserAgent.ParseAdd("Microsoft ASP.NET Core OpenIdConnect middleware");
+                Options.Backchannel.Timeout = Options.BackchannelTimeout;
+                Options.Backchannel.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
+            }
+
             if (Options.ConfigurationManager == null)
             {
                 if (Options.Configuration != null)
@@ -91,13 +99,8 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
                         throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
                     }
 
-                    var backchannel = new HttpClient(ResolveHttpMessageHandler(Options));
-                    backchannel.DefaultRequestHeaders.UserAgent.ParseAdd("Microsoft ASP.NET Core OpenIdConnect middleware");
-                    backchannel.Timeout = Options.BackchannelTimeout;
-                    backchannel.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
-
                     Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(),
-                        new HttpDocumentRetriever(backchannel) { RequireHttps = Options.RequireHttpsMetadata });
+                        new HttpDocumentRetriever(Options.Backchannel) { RequireHttps = Options.RequireHttpsMetadata });
                 }
             }
 

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs

@@ -41,6 +41,7 @@ public OpenIdConnectAuthenticationOptions()
         /// <para>Caption: <see cref="OpenIdConnectAuthenticationDefaults.Caption"/>.</para>
         /// <para>ProtocolValidator: new <see cref="OpenIdConnectProtocolValidator"/>.</para>
         /// <para>RefreshOnIssuerKeyNotFound: true</para>
+        /// <para>ResponseMode: <see cref="OpenIdConnectResponseMode.FormPost"/></para>
         /// <para>ResponseType: <see cref="OpenIdConnectResponseTypes.CodeIdToken"/></para>
         /// <para>Scope: <see cref="OpenIdConnectScopes.OpenIdProfile"/>.</para>
         /// <para>TokenValidationParameters: new <see cref="TokenValidationParameters"/> with AuthenticationType = authenticationType.</para>
@@ -60,6 +61,7 @@ public OpenIdConnectAuthenticationOptions(string authenticationType)
                 NonceLifetime = TimeSpan.FromMinutes(15)
             };
             RefreshOnIssuerKeyNotFound = true;
+            ResponseMode = OpenIdConnectResponseMode.FormPost;
             ResponseType = OpenIdConnectResponseType.CodeIdToken;
             Scope = OpenIdConnectScope.OpenIdProfile;
             SecurityTokenValidator = new JwtSecurityTokenHandler();
@@ -122,6 +124,11 @@ public TimeSpan BackchannelTimeout
             }
         }
 
+        /// <summary>
+        /// Used to communicate with the remote identity provider.
+        /// </summary>
+        public HttpClient Backchannel { get; set; }
+
         /// <summary>
         /// Get or sets the text that the user can display on a sign in user interface.
         /// </summary>
@@ -216,6 +223,11 @@ public OpenIdConnectProtocolValidator ProtocolValidator
         /// </summary>
         public string Resource { get; set; }
 
+        /// <summary>
+        /// Gets or sets the 'response_mode'.
+        /// </summary>
+        public string ResponseMode { get; set; }
+
         /// <summary>
         /// Gets or sets the 'response_type'.
         /// </summary>
@@ -290,6 +302,14 @@ public bool UseTokenLifetime
             set;
         }
 
+        /// <summary>
+        /// Defines whether access and refresh tokens should be stored in the
+        /// <see cref="AuthenticationProperties"/> after a successful authorization.
+        /// This property is set to <c>false</c> by default to reduce
+        /// the size of the final authentication cookie.
+        /// </summary>
+        public bool SaveTokens { get; set; }
+
         /// <summary>
         /// An abstraction for reading and setting cookies during the authentication process.
         /// </summary>