Update the TypeValidator custom delegate to avoid throwing when the JWT token has no "typ" header but contains a "token_usage" claim

6 years ago · 682af18392
4 changed files with 18 additions and 14 deletions
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
@ -451,7 +451,7 @@ namespace OpenIddict.Server
                {
                    // If no specific token type is expected, accept all token types at this stage.
                    // Additional filtering can be made based on the resolved/actual token type.
-                    var type when string.IsNullOrEmpty(type) => Array.Empty<string>(),
+                    var type when string.IsNullOrEmpty(type) => null,

                    // For access tokens, both "at+jwt" and "application/at+jwt" are valid.
                    TokenTypeHints.AccessToken => new[]
--- a/src/OpenIddict.Server/OpenIddictServerOptions.cs
+++ b/src/OpenIddict.Server/OpenIddictServerOptions.cs
@ -121,11 +121,6 @@ namespace OpenIddict.Server
            // This validator overrides the default logic used by IdentityModel to resolve the type from this claim.
            TypeValidator = (type, token, parameters) =>
            {
-                if (string.IsNullOrEmpty(type))
-                {
-                    throw new SecurityTokenInvalidTypeException("The 'typ' header of the JWT token cannot be null or empty.");
-                }
-
                // If available, try to resolve the actual type from the "token_usage" claim.
                if (((JsonWebToken) token).TryGetPayloadValue(OpenIddictConstants.Claims.TokenUsage, out string usage))
                {
@ -138,7 +133,14 @@ namespace OpenIddict.Server
                    };
                }

-                // Unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
+                // At this point, throw an exception if the type cannot be resolved from the "typ" header
+                // (provided via the type delegate parameter) or inferred from the token_usage claim.
+                if (string.IsNullOrEmpty(type))
+                {
+                    throw new SecurityTokenInvalidTypeException("The type of the JWT token cannot be resolved or inferred.");
+                }
+
+                // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
                if (parameters.ValidTypes != null && parameters.ValidTypes.Any() &&
                   !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
                {
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
@ -238,7 +238,7 @@ namespace OpenIddict.Validation
                {
                    // If no specific token type is expected, accept all token types at this stage.
                    // Additional filtering can be made based on the resolved/actual token type.
-                    var type when string.IsNullOrEmpty(type) => Array.Empty<string>(),
+                    var type when string.IsNullOrEmpty(type) => null,

                    // For access tokens, both "at+jwt" and "application/at+jwt" are valid.
                    TokenTypeHints.AccessToken => new[]
--- a/src/OpenIddict.Validation/OpenIddictValidationOptions.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationOptions.cs
@ -118,11 +118,6 @@ namespace OpenIddict.Validation
            // This validator overrides the default logic used by IdentityModel to resolve the type from this claim.
            TypeValidator = (type, token, parameters) =>
            {
-                if (string.IsNullOrEmpty(type))
-                {
-                    throw new SecurityTokenInvalidTypeException("The 'typ' header of the JWT token cannot be null or empty.");
-                }
-
                // If available, try to resolve the actual type from the "token_usage" claim.
                if (((JsonWebToken) token).TryGetPayloadValue(Claims.TokenUsage, out string usage))
                {
@ -135,7 +130,14 @@ namespace OpenIddict.Validation
                    };
                }

-                // Unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
+                // At this point, throw an exception if the type cannot be resolved from the "typ" header
+                // (provided via the type delegate parameter) or inferred from the token_usage claim.
+                if (string.IsNullOrEmpty(type))
+                {
+                    throw new SecurityTokenInvalidTypeException("The type of the JWT token cannot be resolved or inferred.");
+                }
+
+                // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
                if (parameters.ValidTypes != null && parameters.ValidTypes.Any() &&
                   !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
                {