From 7f85e5af9fcaeaa1e8b021b25dbceeb6d4b97a5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 17 Jun 2022 03:26:29 +0200
Subject: [PATCH] Update the client to refresh the server configuration on SecurityTokenSignatureKeyNotFoundException
---
 .../OpenIddictClientHandlers.Protection.cs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
index 049fd2a3..de89f99a 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
@@ -251,6 +251,14 @@ public static partial class OpenIddictClientHandlers
 var result = await context.SecurityTokenHandler.ValidateTokenAsync(context.Token, context.TokenValidationParameters);
 if (!result.IsValid)
 {
+ // If validation failed because of an unrecognized key identifier and a client
+ // registration is available, inform the configuration manager that the configuration
+ // MAY have be refreshed by sending a new discovery request to the authorization server.
+ if (context.Registration is not null && result.Exception is SecurityTokenSignatureKeyNotFoundException)
+ {
+ context.Registration.ConfigurationManager.RequestRefresh();
+ }
+
 context.Logger.LogTrace(result.Exception, SR.GetResourceString(SR.ID6000), context.Token);
 context.Reject(