diff --git a/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs b/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
index c89dc395..6b2f346b 100644
--- a/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
@@ -62,9 +62,19 @@ public static partial class OpenIddictClientDataProtectionHandlers
 return default;
 }
 
- // Note: ASP.NET Core Data Protection tokens always start with "CfDJ8", that corresponds
- // to the base64 representation of the magic "09 F0 C9 F0" header identifying DP payloads.
- if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal))
+ // Note: ASP.NET Core Data Protection tokens created by the default implementation always start
+ // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used
+ // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header.
+ //
+ // Unless a custom provider implementation - that may use a different mechanism - has been
+ // registered, return immediately if the token doesn't start with the expected magic header.
+ //
+ // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details
+ // for more information.
+ if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) &&
+ string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName,
+ "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider",
+ StringComparison.Ordinal))
 {
 return default;
 }
diff --git a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
index 7cbc9818..e4e5df08 100644
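Review bot: The new guard in the `if` compares `DataProtectionProvider.GetType().FullName` against the name of a type that is an internal implementation detail of ASP.NET Core Data Protection, so an upstream rename, a decorating provider, or a protector obtained through `CreateProtector` (whose runtime type is not `KeyRingBasedDataProtectionProvider`) makes the comparison false and silently disables the early rejection; every token lacking the "CfDJ8" prefix is then handed to the unprotector, which is still expected to reject it, but only after a key-ring lookup and an exception per malformed token. Consider hoisting the name into a `private const string` and documenting that failure mode beside it, e.g. `// The default provider type is internal to ASP.NET Core: if it is renamed or wrapped, this comparison is false and only the fast-path rejection is lost, never the cryptographic check.` The unguarded dereference of `_options.CurrentValue.DataProtectionProvider` presumably relies on the option being populated during post-configuration; if that is not guaranteed, a null check belongs here. The same change appears in the Server hunk on the next line and in the Validation hunk after it, and the enclosing method starts before and continues after this hunk.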
--- a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
@@ -62,9 +62,19 @@ public static partial class OpenIddictServerDataProtectionHandlers
 return default;
 }
 
- // Note: ASP.NET Core Data Protection tokens always start with "CfDJ8", that corresponds
- // to the base64 representation of the magic "09 F0 C9 F0" header identifying DP payloads.
- if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal))
+ // Note: ASP.NET Core Data Protection tokens created by the default implementation always start
+ // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used
+ // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header.
+ //
+ // Unless a custom provider implementation - that may use a different mechanism - has been
+ // registered, return immediately if the token doesn't start with the expected magic header.
+ //
+ // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details
+ // for more information.
+ if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) &&
+ string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName,
+ "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider",
+ StringComparison.Ordinal))
 {
 return default;
 }
diff --git a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs
index 5b27fcb7..54d2feb9 100644
--- a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs
@@ -57,9 +57,19 @@ public static partial class OpenIddictValidationDataProtectionHandlers
 return default;
 }
 
- // Note: ASP.NET Core Data Protection tokens always start with "CfDJ8", that corresponds
- // to the base64 representation of the magic "09 F0 C9 F0" header identifying DP payloads.
- if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal))
+ // Note: ASP.NET Core Data Protection tokens created by the default implementation always start
+ // with "CfDJ8", that corresponds to the base64 representation of the "09 F0 C9 F0" value used
+ // by KeyRingBasedDataProtectionProvider as a Data Protection version identifier/magic header.
+ //
+ // Unless a custom provider implementation - that may use a different mechanism - has been
+ // registered, return immediately if the token doesn't start with the expected magic header.
+ //
+ // See https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/authenticated-encryption-details
+ // for more information.
+ if (!context.Token.StartsWith("CfDJ8", StringComparison.Ordinal) &&
+ string.Equals(_options.CurrentValue.DataProtectionProvider.GetType().FullName,
+ "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtectionProvider",
+ StringComparison.Ordinal))
 {
 return default;
 }