From 721fba7e6b01b099a0cefda73f5c2d461721fa7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 6 Jan 2026 20:09:01 +0100
Subject: [PATCH] Use the new SHA256/SHA384/SHA512.HashData() polyfills

---
 Directory.Packages.props                      | 18 ++--
 .../OpenIddictHelpers.cs                      | 83 +++----------------
 .../OpenIddictClientModels.cs                 |  2 +-
 .../Managers/OpenIddictScopeManager.cs        |  2 +-
 4 files changed, 23 insertions(+), 82 deletions(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index e0efa239..45eb5471 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -52,7 +52,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"           />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"           />
   </ItemGroup>
 
   <!--
@@ -109,7 +109,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"           />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"           />
   </ItemGroup>
 
   <!--
@@ -201,7 +201,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"           />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"           />
   </ItemGroup>
 
   <!--
@@ -248,7 +248,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"   />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"   />
   </ItemGroup>
 
   <!--
@@ -294,7 +294,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"    />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"    />
   </ItemGroup>
 
   <!--
@@ -353,7 +353,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"  />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"  />
   </ItemGroup>
 
   <!--
@@ -404,7 +404,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"  />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"  />
   </ItemGroup>
 
   <!--
@@ -445,7 +445,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate polyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"  />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"  />
   </ItemGroup>
 
   <!--
@@ -467,7 +467,7 @@
       Note: OpenIddict uses Polyfill to dynamically generate pstring?[]olyfills for types that are not available on
       some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
     -->
-    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.5.0"  />
+    <GlobalPackageReference Include="Polyfill" Condition=" '$(IncludePolyfills)' != 'false' " Version="9.6.0"  />
   </ItemGroup>
 
 </Project>
diff --git a/shared/OpenIddict.Extensions/OpenIddictHelpers.cs b/shared/OpenIddict.Extensions/OpenIddictHelpers.cs
index 42bf09c7..7389ab07 100644
--- a/shared/OpenIddict.Extensions/OpenIddictHelpers.cs
+++ b/shared/OpenIddict.Extensions/OpenIddictHelpers.cs
@@ -527,33 +527,14 @@ internal static class OpenIddictHelpers
     /// </exception>
     public static byte[] ComputeSha256Hash(byte[] data)
     {
-        var algorithm = GetAlgorithmFromConfig() switch
+        using var algorithm = GetAlgorithmFromConfig() switch
         {
             SHA256 result => result,
             null => null,
             var result => throw new CryptographicException(SR.FormatID0351(result.GetType().FullName))
         };
 
-        // If no custom algorithm was registered, use either the static/one-shot HashData() API
-        // on platforms that support it or create a default instance provided by the BCL.
-        if (algorithm is null)
-        {
-#if SUPPORTS_ONE_SHOT_HASHING_METHODS
-            return SHA256.HashData(data);
-#else
-            algorithm = SHA256.Create();
-#endif
-        }
-
-        try
-        {
-            return algorithm.ComputeHash(data);
-        }
-
-        finally
-        {
-            algorithm.Dispose();
-        }
+        return algorithm is not null ? algorithm.ComputeHash(data) : SHA256.HashData(data);
 
         [UnconditionalSuppressMessage("Trimming", "IL2026",
             Justification = "The default implementation is always used when no custom algorithm was registered.")]
@@ -570,33 +551,14 @@ internal static class OpenIddictHelpers
     /// </exception>
     public static byte[] ComputeSha384Hash(byte[] data)
     {
-        var algorithm = GetAlgorithmFromConfig() switch
+        using var algorithm = GetAlgorithmFromConfig() switch
         {
             SHA384 result => result,
             null => null,
             var result => throw new CryptographicException(SR.FormatID0351(result.GetType().FullName))
         };
 
-        // If no custom algorithm was registered, use either the static/one-shot HashData() API
-        // on platforms that support it or create a default instance provided by the BCL.
-        if (algorithm is null)
-        {
-#if SUPPORTS_ONE_SHOT_HASHING_METHODS
-            return SHA384.HashData(data);
-#else
-            algorithm = SHA384.Create();
-#endif
-        }
-
-        try
-        {
-            return algorithm.ComputeHash(data);
-        }
-
-        finally
-        {
-            algorithm.Dispose();
-        }
+        return algorithm is not null ? algorithm.ComputeHash(data) : SHA384.HashData(data);
 
         [UnconditionalSuppressMessage("Trimming", "IL2026",
             Justification = "The default implementation is always used when no custom algorithm was registered.")]
@@ -613,33 +575,14 @@ internal static class OpenIddictHelpers
     /// </exception>
     public static byte[] ComputeSha512Hash(byte[] data)
     {
-        var algorithm = GetAlgorithmFromConfig() switch
+        using var algorithm = GetAlgorithmFromConfig() switch
         {
             SHA512 result => result,
             null => null,
             var result => throw new CryptographicException(SR.FormatID0351(result.GetType().FullName))
         };
 
-        // If no custom algorithm was registered, use either the static/one-shot HashData() API
-        // on platforms that support it or create a default instance provided by the BCL.
-        if (algorithm is null)
-        {
-#if SUPPORTS_ONE_SHOT_HASHING_METHODS
-            return SHA512.HashData(data);
-#else
-            algorithm = SHA512.Create();
-#endif
-        }
-
-        try
-        {
-            return algorithm.ComputeHash(data);
-        }
-
-        finally
-        {
-            algorithm.Dispose();
-        }
+        return algorithm is not null ? algorithm.ComputeHash(data) : SHA512.HashData(data);
 
         [UnconditionalSuppressMessage("Trimming", "IL2026",
             Justification = "The default implementation is always used when no custom algorithm was registered.")]
@@ -663,17 +606,15 @@ internal static class OpenIddictHelpers
             var result => throw new CryptographicException(SR.FormatID0351(result.GetType().FullName))
         };
 
-        // If no custom random number generator was registered, use either the static GetBytes() or
-        // Fill() APIs on platforms that support them or create a default instance provided by the BCL.
-        if (algorithm is null)
+        if (algorithm is not null)
         {
-            return RandomNumberGenerator.GetBytes(size / 8);
-        }
+            var array = new byte[size / 8];
+            algorithm.GetBytes(array);
 
-        var array = new byte[size / 8];
-        algorithm.GetBytes(array);
+            return array;
+        }
 
-        return array;
+        return RandomNumberGenerator.GetBytes(size / 8);
 
         [UnconditionalSuppressMessage("Trimming", "IL2026",
             Justification = "The default implementation is always used when no custom algorithm was registered.")]
diff --git a/src/OpenIddict.Client/OpenIddictClientModels.cs b/src/OpenIddict.Client/OpenIddictClientModels.cs
index 0a6fc86d..3132e9e8 100644
--- a/src/OpenIddict.Client/OpenIddictClientModels.cs
+++ b/src/OpenIddict.Client/OpenIddictClientModels.cs
@@ -26,7 +26,7 @@ public static class OpenIddictClientModels
         public CancellationToken CancellationToken { get; init; }
 
         /// <summary>
-        /// Gets or sets the nonce that was returned during the challenge operation.
+        /// Gets or sets the nonce that was returned during the challenge or sign-out operation.
         /// </summary>
         public required string Nonce { get; init; }
 
diff --git a/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs b/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
index 7c5d6bfa..2b35cf8b 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
@@ -849,7 +849,7 @@ public class OpenIddictScopeManager<TScope> : IOpenIddictScopeManager where TSco
                 yield return new ValidationResult(SR.GetResourceString(SR.ID2044));
             }
 
-            else if (name!.Contains(Separators.Space[0]))
+            else if (name.Contains(Separators.Space[0]))
             {
                 yield return new ValidationResult(SR.GetResourceString(SR.ID2045));
             }