From 38c85a8beae4cd18053a705101336e749cf48231 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Wed, 19 Jul 2023 17:43:20 +0200
Subject: [PATCH] Disable userinfo retrieval for the ADFS provider
---
 .../OpenIddictClientWebIntegrationHandlers.cs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index 9fdad597..9ce82afa 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -677,6 +677,14 @@ public static partial class OpenIddictClientWebIntegrationHandlers
 context.SendUserinfoRequest = context.Registration.ProviderType switch
 {
+ // Note: ADFS has severe restrictions affecting the ability to access the userinfo endpoint
+ // (e.g the "resource" parameter MUST be null or the "urn:microsoft:userinfo" value MUST be
+ // used, which prevents specifying any other resource as only one value is allowed by ADFS).
+ //
+ // Since the userinfo endpoint returns very limited information anyway,
+ // userinfo retrieval is always disabled for the ADFS provider.
+ ProviderTypes.ActiveDirectoryFederationServices => false,
+
 // Note: the frontchannel or backchannel access tokens returned by Azure AD when a
 // Xbox scope is requested cannot be used with the userinfo endpoint as they use a
 // legacy format that is not supported by the Azure AD userinfo implementation.
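Review bot: The new `ProviderTypes.ActiveDirectoryFederationServices => false` arm hard-wires the decision with no per-registration opt-in, so any claim that an ADFS deployment only exposes through the userinfo endpoint becomes unreachable through this client, and the comment does not tell integrators where those claims must now come from. I would extend the new comment with one sentence stating the consequence, e.g. `// As a result, the validated ID token is the only source of user claims for ADFS: claims needed by the application must be issued via ADFS claim rules.` It is also worth confirming (the relevant handlers are outside this hunk) that skipping userinfo does not cause identity claims to be sourced from the opaque access token instead of the signature-validated id_token, since the userinfo cross-check is now gone for this provider. The enclosing switch expression and its method start before the hunk and the remaining arms continue after it.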