diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
index f7ad7c93..c0f0a15a 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs
@@ -151,8 +151,9 @@ public static partial class OpenIddictClientHandlers
             throw new ArgumentNullException(nameof(context));
         }
 
-        // The issuer returned in the discovery document must exactly match the URL used to access it.
-        // See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationClient.
+        // Note: the issuer returned in the discovery document must exactly match the URL used to access it.
+        // See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation.
+
         var issuer = (string?) context.Response[Metadata.Issuer];
         if (string.IsNullOrEmpty(issuer))
         {
@@ -174,6 +175,16 @@ public static partial class OpenIddictClientHandlers
             return default;
         }
 
+        if (context.Issuer is not null && context.Issuer != address)
+        {
+            context.Reject(
+                error: Errors.ServerError,
+                description: SR.GetResourceString(SR.ID2098),
+                uri: SR.FormatID8000(SR.ID2098));
+
+            return default;
+        }
+
         context.Configuration.Issuer = address;
 
         return default;
diff --git a/src/OpenIddict.Client/OpenIddictClientService.cs b/src/OpenIddict.Client/OpenIddictClientService.cs
index a9384494..42356489 100644
--- a/src/OpenIddict.Client/OpenIddictClientService.cs
+++ b/src/OpenIddict.Client/OpenIddictClientService.cs
@@ -75,6 +75,7 @@ public class OpenIddictClientService
         var context = new PrepareConfigurationRequestContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request
         };
@@ -96,6 +97,7 @@ public class OpenIddictClientService
         var context = new ApplyConfigurationRequestContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request
         };
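Review bot: The new mismatch guard in the second hunk compares `context.Issuer` to `address` with `!=`; if both are `Uri` instances (as the `Issuer = registration.Issuer` assignments and the `address` variable suggest), that resolves to `Uri` equality, which ignores the fragment and user-info components and treats scheme and host case-insensitively, so it is looser than the "exactly match" rule the comment above cites from the discovery spec. An ordinal comparison of the canonical forms would pin it down, e.g. `if (context.Issuer is not null && !string.Equals(context.Issuer.AbsoluteUri, address.AbsoluteUri, StringComparison.Ordinal))`. The guard is also skipped whenever `context.Issuer` is null, so registrations that configure only a metadata address get no issuer pinning; if that fallback is intended, a comment such as `// Note: the issuer is only enforced when it was explicitly configured in the registration.` would make it explicit. The same guard is added in the OpenIddictValidationHandlers.Discovery.cs hunk at line 155, where the same remarks apply; the enclosing handler method starts outside both hunks.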
@@ -117,6 +119,7 @@ public class OpenIddictClientService
         var context = new ExtractConfigurationResponseContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request
         };
@@ -140,6 +143,7 @@ public class OpenIddictClientService
         var context = new HandleConfigurationResponseContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request,
             Response = response
@@ -226,6 +230,7 @@ public class OpenIddictClientService
         var context = new PrepareCryptographyRequestContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request
         };
@@ -247,6 +252,7 @@ public class OpenIddictClientService
         var context = new ApplyCryptographyRequestContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request
         };
@@ -268,6 +274,7 @@ public class OpenIddictClientService
         var context = new ExtractCryptographyResponseContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request
         };
@@ -291,6 +298,7 @@ public class OpenIddictClientService
         var context = new HandleCryptographyResponseContext(transaction)
         {
             Address = address,
+            Issuer = registration.Issuer,
             Registration = registration,
             Request = request,
             Response = response
diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
index e316d05a..df8d2e3f 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs
@@ -131,8 +131,9 @@ public static partial class OpenIddictValidationHandlers
             throw new ArgumentNullException(nameof(context));
         }
 
-        // The issuer returned in the discovery document must exactly match the URL used to access it.
+        // Note: the issuer returned in the discovery document must exactly match the URL used to access it.
         // See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation.
+
         var issuer = (string?) context.Response[Metadata.Issuer];
         if (string.IsNullOrEmpty(issuer))
         {
@@ -154,6 +155,16 @@ public static partial class OpenIddictValidationHandlers
             return default;
         }
 
+        if (context.Issuer is not null && context.Issuer != address)
+        {
+            context.Reject(
+                error: Errors.ServerError,
+                description: SR.GetResourceString(SR.ID2098),
+                uri: SR.FormatID8000(SR.ID2098));
+
+            return default;
+        }
+
         context.Configuration.Issuer = address;
 
         return default;