From 36082915429cd4b6d8d484f710489e6c968f7a04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 26 Sep 2023 16:32:26 +0200
Subject: [PATCH] Automatically disable userinfo validation when the openid scope is not requested

---
 .../OpenIddictClientHandlers.cs | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
index b692b351..625842cf 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@@ -3507,8 +3507,27 @@ public static partial class OpenIddictClientHandlers
             // The OpenIddict client is expected to be used with standard OpenID Connect userinfo endpoints
             // but must also support non-standard implementations, that are common with OAuth 2.0-only servers.
             //
-            // As such, protocol requirements are only enforced if the server supports OpenID Connect.
-            context.DisableUserinfoValidation = !context.Configuration.ScopesSupported.Contains(Scopes.OpenId);
+            // As such, protocol requirements are, by default, only enforced if the openid scope was requested.
+            context.DisableUserinfoValidation = context.GrantType switch
+            {
+                GrantTypes.AuthorizationCode or GrantTypes.Implicit
+                    when context.StateTokenPrincipal is ClaimsPrincipal principal
+                    => !principal.HasScope(Scopes.OpenId),
+
+                // Note: while the OAuth 2.0-only device authorization and password flows can be generally used
+                // flawlessly with OpenID Connect implementations, the userinfo response returned by the server
+                // for an OAuth 2.0-only flow might not be OpenID Connect-compliant. In this case, disable
+                // userinfo validation, unless the "openid" scope was explicitly requested by the application.
+                GrantTypes.DeviceCode or GrantTypes.Password or
+
+                // Note: when using grant_type=refresh_token, it is not possible to determine whether the refresh token
+                // was issued during an OAuth 2.0-only or OpenID Connect flow. In this case, only validate userinfo
+                // responses if the openid scope was explicitly added by the user to the list of requested scopes.
+                GrantTypes.RefreshToken or
+
+                // For unknown grant types, disable userinfo validation, unless the openid scope was explicitly added.
+                _ => !context.Scopes.Contains(Scopes.OpenId)
+            };
 
             return default;
         }
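Review bot: When `context.GrantType` is `GrantTypes.AuthorizationCode` or `GrantTypes.Implicit` but `context.StateTokenPrincipal` is null, the `when` guard on the first arm fails and the request silently falls through to the `_` arm, which consults `context.Scopes` — a list that, for a code-redemption request, may not carry the scopes originally sent to the authorization endpoint, so userinfo validation could end up disabled for what was an OpenID Connect flow. If the state token principal is guaranteed to be present at this point for those grant types, a comment on the first arm stating that invariant would make the fallback clearly intentional; otherwise an explicit fail-closed arm placed after the guarded one, `GrantTypes.AuthorizationCode or GrantTypes.Implicit => false,`, keeps validation on when the principal is unavailable. Since disabling validation loosens a check rather than tightening one, the chosen behaviour is worth pinning with a test for the null-principal case. The enclosing handler method starts outside the hunk.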