From 796a580c00c084cacc00074181fdf87a25dacfa6 Mon Sep 17 00:00:00 2001
From: 2d1a0ec3 <56817656+2d1a0ec3@users.noreply.github.com>
Date: Thu, 13 Apr 2023 15:57:25 +0200
Subject: [PATCH] Avoid resolving the server configuration when no access token
was provided
---
.../OpenIddictValidationHandlers.cs | 66 +++++++++----------
1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
index df14a5b4..4e01c056 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
@@ -17,9 +17,9 @@ public static partial class OpenIddictValidationHandlers
/*
* Authentication processing:
*/
- ResolveServerConfiguration.Descriptor,
EvaluateValidatedTokens.Descriptor,
ValidateRequiredTokens.Descriptor,
+ ResolveServerConfiguration.Descriptor,
ValidateAccessToken.Descriptor,
/*
@@ -38,36 +38,6 @@ public static partial class OpenIddictValidationHandlers
.AddRange(Introspection.DefaultHandlers)
.AddRange(Protection.DefaultHandlers);
- ///
- /// Contains the logic responsible for resolving the server configuration.
- ///
- public sealed class ResolveServerConfiguration : IOpenIddictValidationHandler
- {
- ///
- /// Gets the default descriptor definition assigned to this handler.
- ///
- public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
- = OpenIddictValidationHandlerDescriptor.CreateBuilder()
- .UseSingletonHandler()
- .SetOrder(int.MinValue + 100_000)
- .SetType(OpenIddictValidationHandlerType.BuiltIn)
- .Build();
-
- ///
- public async ValueTask HandleAsync(ProcessAuthenticationContext context)
- {
- if (context is null)
- {
- throw new ArgumentNullException(nameof(context));
- }
-
- context.Configuration ??= await context.Options.ConfigurationManager
- .GetConfigurationAsync(context.CancellationToken)
- .WaitAsync(context.CancellationToken) ??
- throw new InvalidOperationException(SR.GetResourceString(SR.ID0140));
- }
- }
-
///
/// Contains the logic responsible for selecting the token types that should be validated.
///
@@ -79,7 +49,7 @@ public static partial class OpenIddictValidationHandlers
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
= OpenIddictValidationHandlerDescriptor.CreateBuilder()
.UseSingletonHandler()
- .SetOrder(ResolveServerConfiguration.Descriptor.Order + 1_000)
+ .SetOrder(int.MinValue + 100_000)
.SetType(OpenIddictValidationHandlerType.BuiltIn)
.Build();
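Review bot: With `EvaluateValidatedTokens` now anchored at `int.MinValue + 100_000`, both it and `ValidateRequiredTokens` run before `context.Configuration` is populated, because `ResolveServerConfiguration` is re-ordered after `ValidateRequiredTokens` later in this patch. Their `HandleAsync` bodies are outside the hunks, so it is worth confirming that neither reads `context.Configuration`. The same check applies to any custom handler that was ordered relative to `ResolveServerConfiguration.Descriptor.Order` on the assumption that it runs first, since that anchor now sits 2_000 later in the pipeline. A comment on this `SetOrder` call would record the constraint, for example `// Runs before ResolveServerConfiguration: context.Configuration may still be null here.`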
@@ -151,6 +121,36 @@ public static partial class OpenIddictValidationHandlers
}
}
+ ///
+ /// Contains the logic responsible for resolving the server configuration.
+ ///
+ public sealed class ResolveServerConfiguration : IOpenIddictValidationHandler
+ {
+ ///
+ /// Gets the default descriptor definition assigned to this handler.
+ ///
+ public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
+ = OpenIddictValidationHandlerDescriptor.CreateBuilder()
+ .UseSingletonHandler()
+ .SetOrder(ValidateRequiredTokens.Descriptor.Order + 1_000)
+ .SetType(OpenIddictValidationHandlerType.BuiltIn)
+ .Build();
+
+ ///
+ public async ValueTask HandleAsync(ProcessAuthenticationContext context)
+ {
+ if (context is null)
+ {
+ throw new ArgumentNullException(nameof(context));
+ }
+
+ context.Configuration ??= await context.Options.ConfigurationManager
+ .GetConfigurationAsync(context.CancellationToken)
+ .WaitAsync(context.CancellationToken) ??
+ throw new InvalidOperationException(SR.GetResourceString(SR.ID0140));
+ }
+ }
+
///
/// Contains the logic responsible for ensuring a token was correctly resolved from the context.
///
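Review bot: The re-added `ResolveServerConfiguration` descriptor carries no filter, so skipping the configuration lookup depends entirely on `ValidateRequiredTokens` stopping the pipeline when the access token is missing. If the token is optional and absent, or a caller sends any non-empty string as a token, `GetConfigurationAsync` is presumably still reached. It is therefore worth confirming that the configured `ConfigurationManager` caches its result and throttles refreshes, so that unauthenticated requests cannot force repeated metadata retrievals. The ordering is also the whole point of the change but is not stated in the code; I would add a comment above `SetOrder`, such as `// Resolved after ValidateRequiredTokens so that requests without an access token never trigger a configuration retrieval.`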
@@ -168,7 +168,7 @@ public static partial class OpenIddictValidationHandlers
= OpenIddictValidationHandlerDescriptor.CreateBuilder()
.AddFilter()
.UseScopedHandler()
- .SetOrder(ValidateRequiredTokens.Descriptor.Order + 1_000)
+ .SetOrder(ResolveServerConfiguration.Descriptor.Order + 1_000)
.SetType(OpenIddictValidationHandlerType.BuiltIn)
.Build();