From 20005d63cc13d6249dd797f65cf0e7b8fa365509 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 26 Sep 2022 15:23:48 +0200
Subject: [PATCH] Prevent adding multiple client registrations using the same
 issuer

---
 .../OpenIddictResources.resx                  |  3 ++
 .../Primitives/OpenIddictExtensions.cs        | 28 +++++++++----------
 .../OpenIddictClientBuilder.cs                |  4 +--
 .../OpenIddictClientConfiguration.cs          | 10 ++++++-
 .../OpenIddictClientDispatcher.cs             |  2 +-
 .../Managers/OpenIddictApplicationManager.cs  |  2 +-
 .../Managers/OpenIddictScopeManager.cs        |  4 +--
 ...IddictEntityFrameworkAuthorizationStore.cs |  2 +-
 .../OpenIddictEntityFrameworkTokenStore.cs    |  2 +-
 ...ctEntityFrameworkCoreAuthorizationStore.cs |  2 +-
 ...OpenIddictEntityFrameworkCoreTokenStore.cs |  2 +-
 ...ServerAspNetCoreHandlers.Authentication.cs |  2 +-
 ...nIddictServerAspNetCoreHandlers.Session.cs |  2 +-
 ...IddictServerOwinHandlers.Authentication.cs |  2 +-
 .../OpenIddictServerOwinHandlers.Session.cs   |  2 +-
 .../OpenIddictServerBuilder.cs                |  4 +--
 .../OpenIddictServerConfiguration.cs          | 26 ++++++++---------
 .../OpenIddictServerDispatcher.cs             |  2 +-
 ...OpenIddictServerHandlers.Authentication.cs |  8 +++---
 .../OpenIddictServerHandlers.Device.cs        |  4 +--
 .../OpenIddictServerHandlers.Discovery.cs     |  4 +--
 .../OpenIddictServerHandlers.Exchange.cs      |  6 ++--
 .../OpenIddictServerHandlers.Protection.cs    |  2 +-
 .../OpenIddictValidationBuilder.cs            |  2 +-
 .../OpenIddictValidationConfiguration.cs      |  2 +-
 .../OpenIddictValidationDispatcher.cs         |  2 +-
 ...OpenIddictValidationHandlers.Protection.cs |  4 +--
 .../OpenIddictServerIntegrationTestClient.cs  | 12 ++++----
 ...enIddictValidationIntegrationTestClient.cs | 12 ++++----
 29 files changed, 85 insertions(+), 74 deletions(-)

diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx
index 0dac8974..f71a0ea4 100644
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@@ -1322,6 +1322,9 @@ Alternatively, you can disable the token storage feature by calling 'services.Ad
   <data name="ID0341" xml:space="preserve">
     <value>No issuer was specified in the sign-out properties. When multiple clients are registered, an issuer must be specified in the sign-out properties.</value>
   </data>
+  <data name="ID0342" xml:space="preserve">
+    <value>Identical issuers cannot be used in multiple client registrations.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>
diff --git a/src/OpenIddict.Abstractions/Primitives/OpenIddictExtensions.cs b/src/OpenIddict.Abstractions/Primitives/OpenIddictExtensions.cs
index a627c7fc..73ac83d2 100644
--- a/src/OpenIddict.Abstractions/Primitives/OpenIddictExtensions.cs
+++ b/src/OpenIddict.Abstractions/Primitives/OpenIddictExtensions.cs
@@ -176,7 +176,7 @@ public static class OpenIddictExtensions
         }
 
         var segment = Trim(new StringSegment(request.ResponseType), Separators.Space);
-        if (segment.Length == 0)
+        if (segment.Length is 0)
         {
             return false;
         }
@@ -203,7 +203,7 @@ public static class OpenIddictExtensions
         }
 
         var segment = Trim(new StringSegment(request.ResponseType), Separators.Space);
-        if (segment.Length == 0)
+        if (segment.Length is 0)
         {
             return false;
         }
@@ -235,7 +235,7 @@ public static class OpenIddictExtensions
         foreach (var element in new StringTokenizer(request.ResponseType, Separators.Space))
         {
             var segment = Trim(element, Separators.Space);
-            if (segment.Length == 0)
+            if (segment.Length is 0)
             {
                 continue;
             }
@@ -289,7 +289,7 @@ public static class OpenIddictExtensions
         foreach (var element in new StringTokenizer(request.ResponseType, Separators.Space))
         {
             var segment = Trim(element, Separators.Space);
-            if (segment.Length == 0)
+            if (segment.Length is 0)
             {
                 continue;
             }
@@ -649,7 +649,7 @@ public static class OpenIddictExtensions
             var claims = group.ToList();
 
             var destinations = new HashSet<string>(claims[0].GetDestinations(), StringComparer.OrdinalIgnoreCase);
-            if (destinations.Count != 0)
+            if (destinations.Count is not 0)
             {
                 // Ensure the other claims of the same type use the same exact destinations.
                 for (var index = 0; index < claims.Count; index++)
@@ -686,7 +686,7 @@ public static class OpenIddictExtensions
             var claims = group.ToList();
 
             var destinations = new HashSet<string>(claims[0].GetDestinations(), StringComparer.OrdinalIgnoreCase);
-            if (destinations.Count != 0)
+            if (destinations.Count is not 0)
             {
                 // Ensure the other claims of the same type use the same exact destinations.
                 for (var index = 0; index < claims.Count; index++)
@@ -2910,7 +2910,7 @@ public static class OpenIddictExtensions
 
     private static ImmutableArray<string> GetValues(string? source, char[] separators)
     {
-        Debug.Assert(separators is not null && separators.Length != 0, SR.GetResourceString(SR.ID4001));
+        Debug.Assert(separators is { Length: > 0 }, SR.GetResourceString(SR.ID4001));
 
         if (string.IsNullOrEmpty(source))
         {
@@ -2922,7 +2922,7 @@ public static class OpenIddictExtensions
         foreach (var element in new StringTokenizer(source, separators))
         {
             var segment = Trim(element, separators);
-            if (segment.Length == 0)
+            if (segment.Length is 0)
             {
                 continue;
             }
@@ -2941,7 +2941,7 @@ public static class OpenIddictExtensions
     private static bool HasValue(string? source, string value, char[] separators)
     {
         Debug.Assert(!string.IsNullOrEmpty(value), SR.GetResourceString(SR.ID4002));
-        Debug.Assert(separators is not null && separators.Length != 0, SR.GetResourceString(SR.ID4001));
+        Debug.Assert(separators is { Length: > 0 }, SR.GetResourceString(SR.ID4001));
 
         if (string.IsNullOrEmpty(source))
         {
@@ -2951,7 +2951,7 @@ public static class OpenIddictExtensions
         foreach (var element in new StringTokenizer(source, separators))
         {
             var segment = Trim(element, separators);
-            if (segment.Length == 0)
+            if (segment.Length is 0)
             {
                 continue;
             }
@@ -2967,7 +2967,7 @@ public static class OpenIddictExtensions
 
     private static StringSegment TrimStart(StringSegment segment, char[] separators)
     {
-        Debug.Assert(separators is not null && separators.Length != 0, SR.GetResourceString(SR.ID4001));
+        Debug.Assert(separators is { Length: > 0 }, SR.GetResourceString(SR.ID4001));
 
         var index = segment.Offset;
 
@@ -2986,7 +2986,7 @@ public static class OpenIddictExtensions
 
     private static StringSegment TrimEnd(StringSegment segment, char[] separators)
     {
-        Debug.Assert(separators is not null && separators.Length != 0, SR.GetResourceString(SR.ID4001));
+        Debug.Assert(separators is { Length: > 0 }, SR.GetResourceString(SR.ID4001));
 
         var index = segment.Offset + segment.Length - 1;
 
@@ -3005,14 +3005,14 @@ public static class OpenIddictExtensions
 
     private static StringSegment Trim(StringSegment segment, char[] separators)
     {
-        Debug.Assert(separators is not null && separators.Length != 0, SR.GetResourceString(SR.ID4001));
+        Debug.Assert(separators is { Length: > 0 }, SR.GetResourceString(SR.ID4001));
 
         return TrimEnd(TrimStart(segment, separators), separators);
     }
 
     private static bool IsSeparator(char character, char[] separators)
     {
-        Debug.Assert(separators is not null && separators.Length != 0, SR.GetResourceString(SR.ID4001));
+        Debug.Assert(separators is { Length: > 0 }, SR.GetResourceString(SR.ID4001));
 
         for (var index = 0; index < separators!.Length; index++)
         {
diff --git a/src/OpenIddict.Client/OpenIddictClientBuilder.cs b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
index 3253ff4f..b8215768 100644
--- a/src/OpenIddict.Client/OpenIddictClientBuilder.cs
+++ b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
@@ -366,7 +366,7 @@ public class OpenIddictClientBuilder
         if (certificate.Version >= 3)
         {
             var extensions = certificate.Extensions.OfType<X509KeyUsageExtension>().ToList();
-            if (extensions.Count != 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)))
+            if (extensions.Count is not 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)))
             {
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0060));
             }
@@ -794,7 +794,7 @@ public class OpenIddictClientBuilder
         if (certificate.Version >= 3)
         {
             var extensions = certificate.Extensions.OfType<X509KeyUsageExtension>().ToList();
-            if (extensions.Count != 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)))
+            if (extensions.Count is not 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)))
             {
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0070));
             }
diff --git a/src/OpenIddict.Client/OpenIddictClientConfiguration.cs b/src/OpenIddict.Client/OpenIddictClientConfiguration.cs
index 49570464..8d14da58 100644
--- a/src/OpenIddict.Client/OpenIddictClientConfiguration.cs
+++ b/src/OpenIddict.Client/OpenIddictClientConfiguration.cs
@@ -99,6 +99,14 @@ public class OpenIddictClientConfiguration : IPostConfigureOptions<OpenIddictCli
             }
         }
 
+        // Ensure issuers are not used in multiple client registrations.
+        if (options.Registrations.Count != options.Registrations.Select(registration => registration.Issuer)
+                                                                .Distinct()
+                                                                .Count())
+        {
+            throw new InvalidOperationException(SR.GetResourceString(SR.ID0342));
+        }
+
         // Sort the handlers collection using the order associated with each handler.
         options.Handlers.Sort((left, right) => left.Order.CompareTo(right.Order));
 
@@ -135,7 +143,7 @@ public class OpenIddictClientConfiguration : IPostConfigureOptions<OpenIddictCli
             (SecurityKey, SymmetricSecurityKey) => 1,
 
             // If one of the keys is backed by a X.509 certificate, don't prefer it if it's not valid yet.
-            (X509SecurityKey first, SecurityKey) when first.Certificate.NotBefore > DateTime.Now => 1,
+            (X509SecurityKey first, SecurityKey)  when first.Certificate.NotBefore  > DateTime.Now => 1,
             (SecurityKey, X509SecurityKey second) when second.Certificate.NotBefore > DateTime.Now => 1,
 
             // If the two keys are backed by a X.509 certificate, prefer the one with the furthest expiration date.
diff --git a/src/OpenIddict.Client/OpenIddictClientDispatcher.cs b/src/OpenIddict.Client/OpenIddictClientDispatcher.cs
index 6c9fa60d..3f2bcda2 100644
--- a/src/OpenIddict.Client/OpenIddictClientDispatcher.cs
+++ b/src/OpenIddict.Client/OpenIddictClientDispatcher.cs
@@ -85,7 +85,7 @@ public class OpenIddictClientDispatcher : IOpenIddictClientDispatcher
         {
             // Note: the descriptors collection is sorted during options initialization for performance reasons.
             var descriptors = _options.CurrentValue.Handlers;
-            if (descriptors.Count == 0)
+            if (descriptors.Count is 0)
             {
                 yield break;
             }
diff --git a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
index 462edd6e..d072cea2 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@@ -560,7 +560,7 @@ public class OpenIddictApplicationManager<TApplication> : IOpenIddictApplication
         }
 
         var names = await Store.GetDisplayNamesAsync(application, cancellationToken);
-        if (names is null || names.Count == 0)
+        if (names is not { Count: > 0 })
         {
             return ImmutableDictionary.Create<CultureInfo, string>();
         }
diff --git a/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs b/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
index c01c051a..0ddbb395 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
@@ -430,7 +430,7 @@ public class OpenIddictScopeManager<TScope> : IOpenIddictScopeManager where TSco
         }
 
         var descriptions = await Store.GetDescriptionsAsync(scope, cancellationToken);
-        if (descriptions is null || descriptions.Count == 0)
+        if (descriptions is not { Count: > 0 })
         {
             return ImmutableDictionary.Create<CultureInfo, string>();
         }
@@ -475,7 +475,7 @@ public class OpenIddictScopeManager<TScope> : IOpenIddictScopeManager where TSco
         }
 
         var names = await Store.GetDisplayNamesAsync(scope, cancellationToken);
-        if (names is null || names.Count == 0)
+        if (names is not { Count: > 0 })
         {
             return ImmutableDictionary.Create<CultureInfo, string>();
         }
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
index 315fd3f4..74974654 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkAuthorizationStore.cs
@@ -638,7 +638,7 @@ public class OpenIddictEntityFrameworkAuthorizationStore<TAuthorization, TApplic
                        orderby authorization.Id
                        select authorization).Take(1_000).ToListAsync(cancellationToken);
 
-            if (authorizations.Count == 0)
+            if (authorizations.Count is 0)
             {
                 break;
             }
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkTokenStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkTokenStore.cs
index 0d7bcd81..23b7a0ad 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkTokenStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictEntityFrameworkTokenStore.cs
@@ -624,7 +624,7 @@ public class OpenIddictEntityFrameworkTokenStore<TToken, TApplication, TAuthoriz
                  orderby token.Id
                  select token).Take(1_000).ToListAsync(cancellationToken);
 
-            if (tokens.Count == 0)
+            if (tokens.Count is 0)
             {
                 break;
             }
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
index b1ea0f36..7d4dca79 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
@@ -716,7 +716,7 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore<TAuthorization, TAp
                        orderby authorization.Id
                        select authorization).Take(1_000).ToListAsync(cancellationToken);
 
-            if (authorizations.Count == 0)
+            if (authorizations.Count is 0)
             {
                 break;
             }
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs
index aa39b2f4..97cd5005 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs
@@ -684,7 +684,7 @@ public class OpenIddictEntityFrameworkCoreTokenStore<TToken, TApplication, TAuth
                  orderby token.Id
                  select token).Take(1_000).ToListAsync(cancellationToken);
 
-            if (tokens.Count == 0)
+            if (tokens.Count is 0)
             {
                 break;
             }
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
index 814f3926..cf426ad0 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
@@ -200,7 +200,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers
                 // Don't cache the request if the request doesn't include any parameter.
                 // If a request_id parameter can be found in the authorization request,
                 // ignore the following logic to prevent an infinite redirect loop.
-                if (context.Request.Count == 0 || !string.IsNullOrEmpty(context.Request.RequestId))
+                if (context.Request.Count is 0 || !string.IsNullOrEmpty(context.Request.RequestId))
                 {
                     return;
                 }
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
index 904c81ee..94d74586 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
@@ -197,7 +197,7 @@ public static partial class OpenIddictServerAspNetCoreHandlers
                 // Don't cache the request if the request doesn't include any parameter.
                 // If a request_id parameter can be found in the logout request,
                 // ignore the following logic to prevent an infinite redirect loop.
-                if (context.Request.Count == 0 || !string.IsNullOrEmpty(context.Request.RequestId))
+                if (context.Request.Count is 0 || !string.IsNullOrEmpty(context.Request.RequestId))
                 {
                     return;
                 }
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
index fc37c3e8..0da58b5b 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
@@ -196,7 +196,7 @@ public static partial class OpenIddictServerOwinHandlers
                 // Don't cache the request if the request doesn't include any parameter.
                 // If a request_id parameter can be found in the authorization request,
                 // ignore the following logic to prevent an infinite redirect loop.
-                if (context.Request.Count == 0 || !string.IsNullOrEmpty(context.Request.RequestId))
+                if (context.Request.Count is 0 || !string.IsNullOrEmpty(context.Request.RequestId))
                 {
                     return;
                 }
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
index 8f91b3e3..c8656256 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
@@ -194,7 +194,7 @@ public static partial class OpenIddictServerOwinHandlers
                 // Don't cache the request if the request doesn't include any parameter.
                 // If a request_id parameter can be found in the logout request,
                 // ignore the following logic to prevent an infinite redirect loop.
-                if (context.Request.Count == 0 || !string.IsNullOrEmpty(context.Request.RequestId))
+                if (context.Request.Count is 0 || !string.IsNullOrEmpty(context.Request.RequestId))
                 {
                     return;
                 }
diff --git a/src/OpenIddict.Server/OpenIddictServerBuilder.cs b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
index 127e0b26..405a6e6b 100644
--- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs
+++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
@@ -375,7 +375,7 @@ public class OpenIddictServerBuilder
         if (certificate.Version >= 3)
         {
             var extensions = certificate.Extensions.OfType<X509KeyUsageExtension>().ToList();
-            if (extensions.Count != 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)))
+            if (extensions.Count is not 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)))
             {
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0060));
             }
@@ -803,7 +803,7 @@ public class OpenIddictServerBuilder
         if (certificate.Version >= 3)
         {
             var extensions = certificate.Extensions.OfType<X509KeyUsageExtension>().ToList();
-            if (extensions.Count != 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)))
+            if (extensions.Count is not 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)))
             {
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0070));
             }
diff --git a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
index d0f0a2fb..3c11230f 100644
--- a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
+++ b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
@@ -49,7 +49,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
         }
 
         // Ensure at least one flow has been enabled.
-        if (options.GrantTypes.Count == 0)
+        if (options.GrantTypes.Count is 0)
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0076));
         }
@@ -74,21 +74,21 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
 
         // Ensure the authorization endpoint has been enabled when
         // the authorization code or implicit grants are supported.
-        if (options.AuthorizationEndpointUris.Count == 0 && (options.GrantTypes.Contains(GrantTypes.AuthorizationCode) ||
+        if (options.AuthorizationEndpointUris.Count is 0 && (options.GrantTypes.Contains(GrantTypes.AuthorizationCode) ||
                                                              options.GrantTypes.Contains(GrantTypes.Implicit)))
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0077));
         }
 
         // Ensure the device endpoint has been enabled when the device grant is supported.
-        if (options.DeviceEndpointUris.Count == 0 && options.GrantTypes.Contains(GrantTypes.DeviceCode))
+        if (options.DeviceEndpointUris.Count is 0 && options.GrantTypes.Contains(GrantTypes.DeviceCode))
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0078));
         }
 
         // Ensure the token endpoint has been enabled when the authorization code,
         // client credentials, device, password or refresh token grants are supported.
-        if (options.TokenEndpointUris.Count == 0 && (options.GrantTypes.Contains(GrantTypes.AuthorizationCode) ||
+        if (options.TokenEndpointUris.Count is 0 && (options.GrantTypes.Contains(GrantTypes.AuthorizationCode) ||
                                                      options.GrantTypes.Contains(GrantTypes.ClientCredentials) ||
                                                      options.GrantTypes.Contains(GrantTypes.DeviceCode) ||
                                                      options.GrantTypes.Contains(GrantTypes.Password) ||
@@ -98,7 +98,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
         }
 
         // Ensure the verification endpoint has been enabled when the device grant is supported.
-        if (options.VerificationEndpointUris.Count == 0 && options.GrantTypes.Contains(GrantTypes.DeviceCode))
+        if (options.VerificationEndpointUris.Count is 0 && options.GrantTypes.Contains(GrantTypes.DeviceCode))
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0080));
         }
@@ -135,7 +135,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0083));
         }
 
-        if (options.EncryptionCredentials.Count == 0)
+        if (options.EncryptionCredentials.Count is 0)
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0085));
         }
@@ -164,7 +164,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
             // If the degraded mode was enabled, ensure custom validation handlers
             // have been registered for the endpoints that require manual validation.
 
-            if (options.AuthorizationEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.AuthorizationEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateAuthorizationRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
@@ -172,7 +172,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0089));
             }
 
-            if (options.DeviceEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.DeviceEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateDeviceRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
@@ -180,7 +180,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0090));
             }
 
-            if (options.IntrospectionEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.IntrospectionEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateIntrospectionRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
@@ -188,7 +188,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0091));
             }
 
-            if (options.LogoutEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.LogoutEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateLogoutRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
@@ -196,7 +196,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0092));
             }
 
-            if (options.RevocationEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.RevocationEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateRevocationRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
@@ -204,7 +204,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0093));
             }
 
-            if (options.TokenEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.TokenEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateTokenRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
@@ -212,7 +212,7 @@ public class OpenIddictServerConfiguration : IPostConfigureOptions<OpenIddictSer
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0094));
             }
 
-            if (options.VerificationEndpointUris.Count != 0 && !options.Handlers.Any(
+            if (options.VerificationEndpointUris.Count is not 0 && !options.Handlers.Any(
                 descriptor => descriptor.ContextType == typeof(ValidateVerificationRequestContext) &&
                               descriptor.Type == OpenIddictServerHandlerType.Custom &&
                               descriptor.FilterTypes.All(type => !typeof(RequireDegradedModeDisabled).IsAssignableFrom(type))))
diff --git a/src/OpenIddict.Server/OpenIddictServerDispatcher.cs b/src/OpenIddict.Server/OpenIddictServerDispatcher.cs
index e3f0594d..8d2ddfc6 100644
--- a/src/OpenIddict.Server/OpenIddictServerDispatcher.cs
+++ b/src/OpenIddict.Server/OpenIddictServerDispatcher.cs
@@ -85,7 +85,7 @@ public class OpenIddictServerDispatcher : IOpenIddictServerDispatcher
         {
             // Note: the descriptors collection is sorted during options initialization for performance reasons.
             var descriptors = _options.CurrentValue.Handlers;
-            if (descriptors.Count == 0)
+            if (descriptors.Count is 0)
             {
                 yield break;
             }
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
index dcc9454d..2341c95c 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
@@ -1159,7 +1159,7 @@ public static partial class OpenIddictServerHandlers
                 if (string.IsNullOrEmpty(context.RedirectUri))
                 {
                     var addresses = await _applicationManager.GetRedirectUrisAsync(application);
-                    if (addresses.Length != 1)
+                    if (addresses.Length is not 1)
                     {
                         context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.RedirectUri);
 
@@ -1238,7 +1238,7 @@ public static partial class OpenIddictServerHandlers
                 // Note: the remaining scopes are only checked if the degraded mode was not enabled,
                 // as this requires using the scope manager, which is never used with the degraded mode,
                 // even if the service was registered and resolved from the dependency injection container.
-                if (scopes.Count != 0 && !context.Options.EnableDegradedMode)
+                if (scopes.Count is not 0 && !context.Options.EnableDegradedMode)
                 {
                     if (_scopeManager is null)
                     {
@@ -1256,7 +1256,7 @@ public static partial class OpenIddictServerHandlers
                 }
 
                 // If at least one scope was not recognized, return an error.
-                if (scopes.Count != 0)
+                if (scopes.Count is not 0)
                 {
                     context.Logger.LogInformation(SR.GetResourceString(SR.ID6047), scopes);
 
@@ -1490,7 +1490,7 @@ public static partial class OpenIddictServerHandlers
                         var values = permission.Substring(prefix.Length, permission.Length - prefix.Length)
                                                .Split(Separators.Space, StringSplitOptions.RemoveEmptyEntries);
 
-                        if (values.Length != 0 && new HashSet<string>(values, StringComparer.Ordinal).SetEquals(types))
+                        if (values.Length is not 0 && new HashSet<string>(values, StringComparer.Ordinal).SetEquals(types))
                         {
                             return true;
                         }
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
index 9d360f7c..75a20614 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
@@ -452,7 +452,7 @@ public static partial class OpenIddictServerHandlers
                 // Note: the remaining scopes are only checked if the degraded mode was not enabled,
                 // as this requires using the scope manager, which is never used with the degraded mode,
                 // even if the service was registered and resolved from the dependency injection container.
-                if (scopes.Count != 0 && !context.Options.EnableDegradedMode)
+                if (scopes.Count is not 0 && !context.Options.EnableDegradedMode)
                 {
                     if (_scopeManager is null)
                     {
@@ -470,7 +470,7 @@ public static partial class OpenIddictServerHandlers
                 }
 
                 // If at least one scope was not recognized, return an error.
-                if (scopes.Count != 0)
+                if (scopes.Count is not 0)
                 {
                     context.Logger.LogInformation(SR.GetResourceString(SR.ID6057), scopes);
 
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
index 429b7ebf..7c90f303 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
@@ -957,7 +957,7 @@ public static partial class OpenIddictServerHandlers
                     if (!string.IsNullOrEmpty(key.X5t)) writer.WriteString(JsonWebKeyParameterNames.X5t, key.X5t);
                     if (!string.IsNullOrEmpty(key.X5u)) writer.WriteString(JsonWebKeyParameterNames.X5u, key.X5u);
 
-                    if (key.KeyOps.Count != 0)
+                    if (key.KeyOps.Count is not 0)
                     {
                         writer.WritePropertyName(JsonWebKeyParameterNames.KeyOps);
                         writer.WriteStartArray();
@@ -970,7 +970,7 @@ public static partial class OpenIddictServerHandlers
                         writer.WriteEndArray();
                     }
 
-                    if (key.X5c.Count != 0)
+                    if (key.X5c.Count is not 0)
                     {
                         writer.WritePropertyName(JsonWebKeyParameterNames.X5c);
                         writer.WriteStartArray();
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs
index 43a74ef0..d3086470 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs
@@ -756,7 +756,7 @@ public static partial class OpenIddictServerHandlers
                 // Note: the remaining scopes are only checked if the degraded mode was not enabled,
                 // as this requires using the scope manager, which is never used with the degraded mode,
                 // even if the service was registered and resolved from the dependency injection container.
-                if (scopes.Count != 0 && !context.Options.EnableDegradedMode)
+                if (scopes.Count is not 0 && !context.Options.EnableDegradedMode)
                 {
                     if (_scopeManager is null)
                     {
@@ -774,7 +774,7 @@ public static partial class OpenIddictServerHandlers
                 }
 
                 // If at least one scope was not recognized, return an error.
-                if (scopes.Count != 0)
+                if (scopes.Count is not 0)
                 {
                     context.Logger.LogInformation(SR.GetResourceString(SR.ID6080), scopes);
 
@@ -1633,7 +1633,7 @@ public static partial class OpenIddictServerHandlers
                 // but was missing from the initial request, the request MUST be rejected.
                 // See http://tools.ietf.org/html/rfc6749#section-6 for more information.
                 var scopes = new HashSet<string>(context.Principal.GetScopes(), StringComparer.Ordinal);
-                if (scopes.Count == 0)
+                if (scopes.Count is 0)
                 {
                     context.Logger.LogInformation(SR.GetResourceString(SR.ID6094), Parameters.Scope);
 
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
index f69d60cd..66ce2a72 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
@@ -1230,7 +1230,7 @@ public static partial class OpenIddictServerHandlers
                                          TokenTypeHints.RefreshToken      or TokenTypeHints.UserCode)
                 {
                     var destinations = principal.GetDestinations();
-                    if (destinations.Count != 0)
+                    if (destinations.Count is not 0)
                     {
                         claims.Add(Claims.Private.ClaimDestinationsMap, destinations);
                     }
diff --git a/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs b/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
index 6df14cc7..8f66f9cd 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
@@ -190,7 +190,7 @@ public class OpenIddictValidationBuilder
         if (certificate.Version >= 3)
         {
             var extensions = certificate.Extensions.OfType<X509KeyUsageExtension>().ToList();
-            if (extensions.Count != 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)))
+            if (extensions.Count is not 0 && !extensions.Any(extension => extension.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)))
             {
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0060));
             }
diff --git a/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs b/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
index 699b8bb4..3791246c 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationConfiguration.cs
@@ -78,7 +78,7 @@ public class OpenIddictValidationConfiguration : IPostConfigureOptions<OpenIddic
         }
 
         // If all the registered encryption credentials are backed by a X.509 certificate, at least one of them must be valid.
-        if (options.EncryptionCredentials.Count != 0 &&
+        if (options.EncryptionCredentials.Count is not 0 &&
             options.EncryptionCredentials.All(credentials => credentials.Key is X509SecurityKey x509SecurityKey &&
                 (x509SecurityKey.Certificate.NotBefore > DateTime.Now || x509SecurityKey.Certificate.NotAfter < DateTime.Now)))
         {
diff --git a/src/OpenIddict.Validation/OpenIddictValidationDispatcher.cs b/src/OpenIddict.Validation/OpenIddictValidationDispatcher.cs
index 15703c72..7687b75c 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationDispatcher.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationDispatcher.cs
@@ -85,7 +85,7 @@ public class OpenIddictValidationDispatcher : IOpenIddictValidationDispatcher
         {
             // Note: the descriptors collection is sorted during options initialization for performance reasons.
             var descriptors = _options.CurrentValue.Handlers;
-            if (descriptors.Count == 0)
+            if (descriptors.Count is 0)
             {
                 yield break;
             }
diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs
index abf5182f..d037ff05 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs
@@ -147,7 +147,7 @@ public static partial class OpenIddictValidationHandlers
 
                 // Reference tokens are base64url-encoded payloads of exactly 256 bits (generated using a
                 // crypto-secure RNG). If the token length differs, the token cannot be a reference token.
-                if (context.Token.Length != 43)
+                if (context.Token.Length is not 43)
                 {
                     return;
                 }
@@ -699,7 +699,7 @@ public static partial class OpenIddictValidationHandlers
 
                 // If no explicit audience has been configured,
                 // skip the default audience validation.
-                if (context.Options.Audiences.Count == 0)
+                if (context.Options.Audiences.Count is 0)
                 {
                     return default;
                 }
diff --git a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTestClient.cs b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTestClient.cs
index 627c3207..53f96cde 100644
--- a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTestClient.cs
+++ b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTestClient.cs
@@ -262,7 +262,7 @@ public class OpenIddictServerIntegrationTestClient : IAsyncDisposable
             }
         }
 
-        if (method == HttpMethod.Get && parameters.Count != 0)
+        if (method == HttpMethod.Get && parameters.Count is not 0)
         {
             var builder = new StringBuilder();
 
@@ -273,7 +273,7 @@ public class OpenIddictServerIntegrationTestClient : IAsyncDisposable
                     continue;
                 }
 
-                if (builder.Length != 0)
+                if (builder.Length is not 0)
                 {
                     builder.Append('&');
                 }
@@ -380,19 +380,19 @@ public class OpenIddictServerIntegrationTestClient : IAsyncDisposable
             foreach (var element in new StringTokenizer(payload, Separators.Ampersand))
             {
                 var segment = element;
-                if (segment.Length == 0)
+                if (segment.Length is 0)
                 {
                     continue;
                 }
 
                 // Always skip the first char (# or ?).
-                if (segment.Offset == 0)
+                if (segment.Offset is 0)
                 {
                     segment = segment.Subsegment(1, segment.Length - 1);
                 }
 
                 var index = segment.IndexOf('=');
-                if (index == -1)
+                if (index is -1)
                 {
                     continue;
                 }
@@ -474,7 +474,7 @@ public class OpenIddictServerIntegrationTestClient : IAsyncDisposable
             for (var line = await reader.ReadLineAsync(); line is not null; line = await reader.ReadLineAsync())
             {
                 var index = line.IndexOf(':');
-                if (index == -1)
+                if (index is -1)
                 {
                     continue;
                 }
diff --git a/test/OpenIddict.Validation.IntegrationTests/OpenIddictValidationIntegrationTestClient.cs b/test/OpenIddict.Validation.IntegrationTests/OpenIddictValidationIntegrationTestClient.cs
index 68f9b060..01beec3d 100644
--- a/test/OpenIddict.Validation.IntegrationTests/OpenIddictValidationIntegrationTestClient.cs
+++ b/test/OpenIddict.Validation.IntegrationTests/OpenIddictValidationIntegrationTestClient.cs
@@ -262,7 +262,7 @@ public class OpenIddictValidationIntegrationTestClient : IAsyncDisposable
             }
         }
 
-        if (method == HttpMethod.Get && parameters.Count != 0)
+        if (method == HttpMethod.Get && parameters.Count is not 0)
         {
             var builder = new StringBuilder();
 
@@ -273,7 +273,7 @@ public class OpenIddictValidationIntegrationTestClient : IAsyncDisposable
                     continue;
                 }
 
-                if (builder.Length != 0)
+                if (builder.Length is not 0)
                 {
                     builder.Append('&');
                 }
@@ -380,19 +380,19 @@ public class OpenIddictValidationIntegrationTestClient : IAsyncDisposable
             foreach (var element in new StringTokenizer(payload, Separators.Ampersand))
             {
                 var segment = element;
-                if (segment.Length == 0)
+                if (segment.Length is 0)
                 {
                     continue;
                 }
 
                 // Always skip the first char (# or ?).
-                if (segment.Offset == 0)
+                if (segment.Offset is 0)
                 {
                     segment = segment.Subsegment(1, segment.Length - 1);
                 }
 
                 var index = segment.IndexOf('=');
-                if (index == -1)
+                if (index is -1)
                 {
                     continue;
                 }
@@ -474,7 +474,7 @@ public class OpenIddictValidationIntegrationTestClient : IAsyncDisposable
             for (var line = await reader.ReadLineAsync(); line is not null; line = await reader.ReadLineAsync())
             {
                 var index = line.IndexOf(':');
-                if (index == -1)
+                if (index is -1)
                 {
                     continue;
                 }