From 2b8211a8fc4bcbaa2239961788866da5263a3619 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sun, 5 Mar 2023 21:27:46 +0100
Subject: [PATCH] Introduce dynamic options to disable nonce validation and add
 Dropbox to the list of supported providers

---
 .../OpenIddictClientWebIntegrationHandlers.cs |  45 +++-
 ...penIddictClientWebIntegrationProviders.xml |  19 ++
 .../OpenIddictClientEvents.cs                 | 208 +++++++++++-------
 .../OpenIddictClientExtensions.cs             |   2 +
 .../OpenIddictClientHandlerFilters.cs         |  34 +++
 .../OpenIddictClientHandlers.cs               |   2 +
 .../OpenIddictServerEvents.cs                 | 200 ++++++++++-------
 .../OpenIddictValidationEvents.cs             |  20 +-
 8 files changed, 365 insertions(+), 165 deletions(-)

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index 4bc71604..f65fa7ce 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -26,6 +26,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         AttachTokenRequestNonStandardClientCredentials.Descriptor,
         AdjustRedirectUriInTokenRequest.Descriptor,
         OverrideValidatedBackchannelTokens.Descriptor,
+        DisableBackchannelIdentityTokenNonceValidation.Descriptor,
         AttachAdditionalUserinfoRequestParameters.Descriptor,
         PopulateUserinfoTokenPrincipalFromTokenResponse.Descriptor,
 
@@ -313,6 +314,48 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         }
     }
 
+    /// <summary>
+    /// Contains the logic responsible for disabling the backchannel
+    /// identity token nonce validation for the providers that require it.
+    /// </summary>
+    public sealed class DisableBackchannelIdentityTokenNonceValidation : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    {
+        /// <summary>
+        /// Gets the default descriptor definition assigned to this handler.
+        /// </summary>
+        public static OpenIddictClientHandlerDescriptor Descriptor { get; }
+            = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .UseSingletonHandler<DisableBackchannelIdentityTokenNonceValidation>()
+                .SetOrder(ValidateBackchannelIdentityTokenNonce.Descriptor.Order - 500)
+                .SetType(OpenIddictClientHandlerType.BuiltIn)
+                .Build();
+
+        /// <inheritdoc/>
+        public ValueTask HandleAsync(ProcessAuthenticationContext context)
+        {
+            if (context is null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            // Note: despite implementing OpenID Connect, some providers are known to implement the
+            // specification incorrectly and either don't support the "nonce" authorization request
+            // parameter, don't include it in the issued identity tokens or flow an unexpected value.
+            //
+            // Despite being an important security feature, nonce validation is explicitly disabled
+            // for the providers that are known to cause errors when nonce validation is enforced.
+
+            context.DisableBackchannelIdentityTokenNonceValidation = context.Registration.ProviderName switch
+            {
+                Providers.Dropbox => true, // Dropbox doesn't include the nonce in the identity tokens.
+
+                _ => context.DisableBackchannelIdentityTokenNonceValidation
+            };
+
+            return default;
+        }
+    }
+
     /// <summary>
     /// Contains the logic responsible for attaching additional parameters
     /// to the userinfo request for the providers that require it.
@@ -517,7 +560,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     }
 
     /// <summary>
-    /// Contains the logic responsible for overriding response mode for providers that require it.
+    /// Contains the logic responsible for overriding the response mode for the providers that require it.
     /// </summary>
     public sealed class OverrideResponseMode : IOpenIddictClientHandler<ProcessChallengeContext>
     {
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index 7ce9f39e..3e820776 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -159,6 +159,25 @@
     </Environment>
   </Provider>
 
+  <!--
+                                          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                          ██ ▄▄▀██ ▄▄▀██ ▄▄▄ ██ ▄▄ ██ ▄▄▀██ ▄▄▄ █▄▀█▀▄██
+                                          ██ ██ ██ ▀▀▄██ ███ ██ ▀▀ ██ ▄▄▀██ ███ ███ ████
+                                          ██ ▀▀ ██ ██ ██ ▀▀▀ ██ █████ ▀▀ ██ ▀▀▀ █▀▄█▄▀██
+                                          ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Dropbox" Documentation="https://developers.dropbox.com/oidc-guide">
+    <Environment Issuer="https://www.dropbox.com/">
+      <!--
+        Note: Dropbox requires sending at least either the "profile" or "email" scope.
+        To simplify the logic, the "profile" scope is considered required by OpenIddict.
+      -->
+
+      <Scope Name="profile" Default="true" Required="true" />
+    </Environment>
+  </Provider>
+
   <!--
                                               ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                               ██ ▄▄ █▄ ▄█▄▄ ▄▄██ ██ ██ ██ ██ ▄▄▀██
diff --git a/src/OpenIddict.Client/OpenIddictClientEvents.cs b/src/OpenIddict.Client/OpenIddictClientEvents.cs
index 2572dc65..6b51b320 100644
--- a/src/OpenIddict.Client/OpenIddictClientEvents.cs
+++ b/src/OpenIddict.Client/OpenIddictClientEvents.cs
@@ -376,257 +376,289 @@ public static partial class OpenIddictClientEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether an authorization
         /// code should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a backchannel
         /// access token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractBackchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a backchannel
         /// identity token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractBackchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a frontchannel
         /// access token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractFrontchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a frontchannel
         /// identity token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractFrontchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a refresh
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a state
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractStateToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a userinfo
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractUserinfoToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an authorization
         /// code must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a backchannel access
         /// token must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireBackchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a backchannel identity
         /// token must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireBackchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a frontchannel identity
         /// token must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireFrontchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a frontchannel identity
         /// token must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireFrontchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a refresh token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a state token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireStateToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a userinfo token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireUserinfoToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the authorization
         /// code extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the backchannel access
         /// token extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateBackchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the backchannel identity
         /// token extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateBackchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the frontchannel access
         /// token extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateFrontchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the frontchannel identity
         /// token extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateFrontchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the refresh token
         /// extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the state token
         /// extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateStateToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the userinfo token
         /// extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateUserinfoToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid authorization code
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid backchannel access token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectBackchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid backchannel identity token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectBackchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid frontchannel access token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectFrontchannelAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid frontchannel identity token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectFrontchannelIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid refresh token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid state token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectStateToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid userinfo token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectUserinfoToken { get; set; }
 
         /// <summary>
@@ -742,17 +774,19 @@ public static partial class OpenIddictClientEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether a client assertion
         /// token should be generated (and optionally included in the request).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateClientAssertionToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated client
         /// assertion token should be included as part of the request.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeClientAssertionToken { get; set; }
 
         /// <summary>
@@ -774,6 +808,24 @@ public static partial class OpenIddictClientEvents
         /// used to create the client assertion token, if applicable.
         /// </summary>
         public ClaimsPrincipal? ClientAssertionTokenPrincipal { get; set; }
+
+        /// <summary>
+        /// Gets or sets a boolean indicating whether backchannel
+        /// identity token nonce validation should be disabled.
+        /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
+        public bool DisableBackchannelIdentityTokenNonceValidation { get; set; }
+
+        /// <summary>
+        /// Gets or sets a boolean indicating whether frontchannel
+        /// identity token nonce validation should be disabled.
+        /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
+        public bool DisableFrontchannelIdentityTokenNonceValidation { get; set; }
     }
 
     /// <summary>
@@ -918,17 +970,19 @@ public static partial class OpenIddictClientEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether a state token
         /// should be generated (and optionally included in the request).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateStateToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated
         /// state token should be included as part of the request.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeStateToken { get; set; }
 
         /// <summary>
@@ -1047,17 +1101,19 @@ public static partial class OpenIddictClientEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether a state token
         /// should be generated (and optionally included in the request).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateStateToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated
         /// state token should be included as part of the request.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeStateToken { get; set; }
 
         /// <summary>
diff --git a/src/OpenIddict.Client/OpenIddictClientExtensions.cs b/src/OpenIddict.Client/OpenIddictClientExtensions.cs
index 8b317b93..7fa124fe 100644
--- a/src/OpenIddict.Client/OpenIddictClientExtensions.cs
+++ b/src/OpenIddict.Client/OpenIddictClientExtensions.cs
@@ -38,10 +38,12 @@ public static class OpenIddictClientExtensions
         // Register the built-in filters used by the default OpenIddict client event handlers.
         builder.Services.TryAddSingleton<RequireAuthorizationCodeValidated>();
         builder.Services.TryAddSingleton<RequireBackchannelAccessTokenValidated>();
+        builder.Services.TryAddSingleton<RequireBackchannelIdentityTokenNonceValidationEnabled>();
         builder.Services.TryAddSingleton<RequireBackchannelIdentityTokenValidated>();
         builder.Services.TryAddSingleton<RequireBackchannelIdentityTokenPrincipal>();
         builder.Services.TryAddSingleton<RequireClientAssertionTokenGenerated>();
         builder.Services.TryAddSingleton<RequireFrontchannelAccessTokenValidated>();
+        builder.Services.TryAddSingleton<RequireFrontchannelIdentityTokenNonceValidationEnabled>();
         builder.Services.TryAddSingleton<RequireFrontchannelIdentityTokenValidated>();
         builder.Services.TryAddSingleton<RequireFrontchannelIdentityTokenPrincipal>();
         builder.Services.TryAddSingleton<RequireInteractiveGrantType>();
diff --git a/src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs b/src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs
index 8bf0de5d..5279e909 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs
@@ -45,6 +45,23 @@ public static class OpenIddictClientHandlerFilters
         }
     }
 
+    /// <summary>
+    /// Represents a filter that excludes the associated handlers if backchannel identity token nonce validation was disabled.
+    /// </summary>
+    public sealed class RequireBackchannelIdentityTokenNonceValidationEnabled : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    {
+        /// <inheritdoc/>
+        public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
+        {
+            if (context is null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            return new(!context.DisableBackchannelIdentityTokenNonceValidation);
+        }
+    }
+
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no backchannel identity token principal is available.
     /// </summary>
@@ -113,6 +130,23 @@ public static class OpenIddictClientHandlerFilters
         }
     }
 
+    /// <summary>
+    /// Represents a filter that excludes the associated handlers if frontchannel identity token nonce validation was disabled.
+    /// </summary>
+    public sealed class RequireFrontchannelIdentityTokenNonceValidationEnabled : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    {
+        /// <inheritdoc/>
+        public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
+        {
+            if (context is null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            return new(!context.DisableFrontchannelIdentityTokenNonceValidation);
+        }
+    }
+
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no frontchannel identity token principal is available.
     /// </summary>
diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
index aa4ce09e..39f5ccaf 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@@ -1674,6 +1674,7 @@ public static partial class OpenIddictClientHandlers
         /// </summary>
         public static OpenIddictClientHandlerDescriptor Descriptor { get; }
             = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .AddFilter<RequireFrontchannelIdentityTokenNonceValidationEnabled>()
                 .AddFilter<RequireFrontchannelIdentityTokenPrincipal>()
                 .AddFilter<RequireStateTokenPrincipal>()
                 .AddFilter<RequireStateTokenValidated>()
@@ -2997,6 +2998,7 @@ public static partial class OpenIddictClientHandlers
         /// </summary>
         public static OpenIddictClientHandlerDescriptor Descriptor { get; }
             = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .AddFilter<RequireBackchannelIdentityTokenNonceValidationEnabled>()
                 .AddFilter<RequireBackchannelIdentityTokenPrincipal>()
                 .AddFilter<RequireStateTokenPrincipal>()
                 .AddFilter<RequireStateTokenValidated>()
diff --git a/src/OpenIddict.Server/OpenIddictServerEvents.cs b/src/OpenIddict.Server/OpenIddictServerEvents.cs
index ba91329d..9f214965 100644
--- a/src/OpenIddict.Server/OpenIddictServerEvents.cs
+++ b/src/OpenIddict.Server/OpenIddictServerEvents.cs
@@ -316,225 +316,253 @@ public static partial class OpenIddictServerEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether an access
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an authorization
         /// code should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a device
         /// code should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractDeviceCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a generic
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractGenericToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an identity
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a refresh
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a user
         /// code should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractUserCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an access token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an authorization code
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a device code
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireDeviceCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a generic token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireGenericToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an identity token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a refresh token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a user code
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireUserCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the access
         /// token extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the authorization
         /// code extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the device
         /// code extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateDeviceCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generic
         /// token extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateGenericToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the identity
         /// token extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the refresh
         /// token extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the user
         /// code extracted from the current request should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateUserCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid access token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid authorization code
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid device code
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectDeviceCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid generic token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectGenericToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid identity token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid refresh token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid user code
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectUserCode { get; set; }
 
         /// <summary>
@@ -699,97 +727,109 @@ public static partial class OpenIddictServerEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether an access token
         /// should be generated (and optionally returned to the client).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an authorization code
         /// should be generated (and optionally returned to the client).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a device code
         /// should be generated (and optionally returned to the client).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateDeviceCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an identity token
         /// should be generated (and optionally returned to the client).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a refresh token
         /// should be generated (and optionally returned to the client).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether a user code
         /// should be generated (and optionally returned to the client).
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool GenerateUserCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated access token
         /// should be returned to the client application as part of the response.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated authorization code
         /// should be returned to the client application as part of the response.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeAuthorizationCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated device code
         /// should be returned to the client application as part of the response.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeDeviceCode { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated identity token
         /// should be returned to the client application as part of the response.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeIdentityToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated refresh token
         /// should be returned to the client application as part of the response.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeRefreshToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the generated user code
         /// should be returned to the client application as part of the response.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool IncludeUserCode { get; set; }
 
         /// <summary>
diff --git a/src/OpenIddict.Validation/OpenIddictValidationEvents.cs b/src/OpenIddict.Validation/OpenIddictValidationEvents.cs
index 4d4e14c9..ccebfb28 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationEvents.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationEvents.cs
@@ -301,33 +301,37 @@ public static partial class OpenIddictValidationEvents
         /// <summary>
         /// Gets or sets a boolean indicating whether an access
         /// token should be extracted from the current context.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ExtractAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an access token
         /// must be resolved for the authentication to be considered valid.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RequireAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether the access
         /// token extracted from the current context should be validated.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool ValidateAccessToken { get; set; }
 
         /// <summary>
         /// Gets or sets a boolean indicating whether an invalid access token
         /// will cause the authentication demand to be rejected or will be ignored.
-        /// Note: overriding the value of this property is generally not
-        /// recommended, except when dealing with non-standard clients.
         /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
         public bool RejectAccessToken { get; set; }
     }