From 158a5788ea15978090b6492d9a827fc93cd2178a Mon Sep 17 00:00:00 2001
From: ToreAad <9218425+ToreAad@users.noreply.github.com>
Date: Wed, 13 Mar 2024 16:19:16 +0100
Subject: [PATCH] Do not throw an exception when the normalized user code is
 empty

---
 src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
index fbef40a1..b1eec109 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
@@ -1,4 +1,4 @@
-/*
+/*
  * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  * See https://github.com/openiddict/openiddict-core for more information concerning
  * the license and the contributors participating to this project.
@@ -278,7 +278,8 @@ public static partial class OpenIddictServerHandlers
                     // A value higher than 12 (but lower than 50) may correspond to a user code
                     // containing dashes or any other non-digit character added by the end user.
                     // In this case, normalize the reference identifier before making the database lookup.
-                    > 12 and < 50 => await _tokenManager.FindByReferenceIdAsync(NormalizeUserCode(context.Token)),
+                    > 12 and < 50 when NormalizeUserCode(context.Token) is { Length: > 0 } value
+                        => await _tokenManager.FindByReferenceIdAsync(value),
 
                     // If the token length differs, the token cannot be a reference token.
                     _ => null