Bring back issuer validation in the ValidateIssuer handler

4 years ago · 49c82b1eb7
3 changed files with 33 additions and 3 deletions
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
@ -151,8 +151,9 @@ public static partial class OpenIddictClientHandlers
                    throw new ArgumentNullException(nameof(context));
                }

-                // The issuer returned in the discovery document must exactly match the URL used to access it.
-                // See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationClient.
+                // Note: the issuer returned in the discovery document must exactly match the URL used to access it.
+                // See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation.
+
                var issuer = (string?) context.Response[Metadata.Issuer];
                if (string.IsNullOrEmpty(issuer))
                {
@ -174,6 +175,16 @@ public static partial class OpenIddictClientHandlers
                    return default;
                }

+                if (context.Issuer is not null && context.Issuer != address)
+                {
+                    context.Reject(
+                        error: Errors.ServerError,
+                        description: SR.GetResourceString(SR.ID2098),
+                        uri: SR.FormatID8000(SR.ID2098));
+
+                    return default;
+                }
+
                context.Configuration.Issuer = address;

                return default;
--- a/src/OpenIddict.Client/OpenIddictClientService.cs
+++ b/src/OpenIddict.Client/OpenIddictClientService.cs
@ -75,6 +75,7 @@ public class OpenIddictClientService
                var context = new PrepareConfigurationRequestContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request
                };
@ -96,6 +97,7 @@ public class OpenIddictClientService
                var context = new ApplyConfigurationRequestContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request
                };
@ -117,6 +119,7 @@ public class OpenIddictClientService
                var context = new ExtractConfigurationResponseContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request
                };
@ -140,6 +143,7 @@ public class OpenIddictClientService
                var context = new HandleConfigurationResponseContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request,
                    Response = response
@ -226,6 +230,7 @@ public class OpenIddictClientService
                var context = new PrepareCryptographyRequestContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request
                };
@ -247,6 +252,7 @@ public class OpenIddictClientService
                var context = new ApplyCryptographyRequestContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request
                };
@ -268,6 +274,7 @@ public class OpenIddictClientService
                var context = new ExtractCryptographyResponseContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request
                };
@ -291,6 +298,7 @@ public class OpenIddictClientService
                var context = new HandleCryptographyResponseContext(transaction)
                {
                    Address = address,
+                    Issuer = registration.Issuer,
                    Registration = registration,
                    Request = request,
                    Response = response
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
@ -131,8 +131,9 @@ public static partial class OpenIddictValidationHandlers
                    throw new ArgumentNullException(nameof(context));
                }

-                // The issuer returned in the discovery document must exactly match the URL used to access it.
+                // Note: the issuer returned in the discovery document must exactly match the URL used to access it.
                // See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation.
+
                var issuer = (string?) context.Response[Metadata.Issuer];
                if (string.IsNullOrEmpty(issuer))
                {
@ -154,6 +155,16 @@ public static partial class OpenIddictValidationHandlers
                    return default;
                }

+                if (context.Issuer is not null && context.Issuer != address)
+                {
+                    context.Reject(
+                        error: Errors.ServerError,
+                        description: SR.GetResourceString(SR.ID2098),
+                        uri: SR.FormatID8000(SR.ID2098));
+
+                    return default;
+                }
+
                context.Configuration.Issuer = address;

                return default;