From ded88a4289a55a2150bbc0422deb5a7617d81ff0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 27 Dec 2016 18:08:38 +0100
Subject: [PATCH] Remove the internal id_token_hint checks
---
 .../OpenIddictProvider.Authentication.cs | 54 -------------------
 1 file changed, 54 deletions(-)
diff --git a/src/OpenIddict/OpenIddictProvider.Authentication.cs b/src/OpenIddict/OpenIddictProvider.Authentication.cs
index 71473c30..6c04ca07 100644
--- a/src/OpenIddict/OpenIddictProvider.Authentication.cs
+++ b/src/OpenIddict/OpenIddictProvider.Authentication.cs
@@ -6,8 +6,6 @@
 using System;
 using System.IO;
-using System.Linq;
-using System.Security.Claims;
 using System.Threading.Tasks;
 using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Primitives;
@@ -273,58 +271,6 @@ namespace OpenIddict {
 return;
 }
- // Run additional checks for prompt=none requests.
- if (string.Equals(context.Request.Prompt, "none", StringComparison.Ordinal)) {
- // If the user is not authenticated, return an error to the client application.
- // See http://openid.net/specs/openid-connect-core-1_0.html#Authenticates
- if (!context.HttpContext.User.Identities.Any(identity => identity.IsAuthenticated)) {
- logger.LogError("The prompt=none authorization request was rejected because the user was not logged in.");
-
- context.Reject(
- error: OpenIdConnectConstants.Errors.LoginRequired,
- description: "The user must be authenticated.");
-
- return;
- }
-
- // Ensure that the authentication cookie contains the required NameIdentifier claim.
- var identifier = context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier);
- if (string.IsNullOrEmpty(identifier)) {
- logger.LogError("The prompt=none authorization request was rejected because the user session " +
- "was invalid and didn't contain the mandatory ClaimTypes.NameIdentifier claim.");
-
- context.Reject(
- error: OpenIdConnectConstants.Errors.ServerError,
- description: "The authorization request cannot be processed.");
-
- return;
- }
-
- // Extract the principal contained in the id_token_hint parameter.
- // If no principal can be extracted, an error is returned to the client application.
- var principal = await context.HttpContext.Authentication.AuthenticateAsync(context.Options.AuthenticationScheme);
- if (principal == null) {
- context.Reject(
- error: OpenIdConnectConstants.Errors.InvalidRequest,
- description: "The required id_token_hint parameter is missing.");
-
- return;
- }
-
- // Ensure the client application is listed as a valid audience in the identity token
- // and that the identity token corresponds to the authenticated user.
- if (!principal.HasClaim(OpenIdConnectConstants.Claims.Audience, context.Request.ClientId) ||
- !principal.HasClaim(ClaimTypes.NameIdentifier, identifier)) {
- logger.LogError("The prompt=none authorization request was rejected because the id_token_hint was invalid.");
-
- context.Reject(
- error: OpenIdConnectConstants.Errors.InvalidRequest,
- description: "The id_token_hint parameter is invalid.");
-
- return;
- }
- }
-
 context.Validate();
 }
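Review bot: After this hunk a prompt=none authorization request from a user with no authenticated session is no longer rejected with `login_required`: that check, and the NameIdentifier claim check, are deleted together with the id_token_hint validation the title names, and the enclosing method (which starts outside the hunk) now falls straight through to `context.Validate()` for every prompt=none request. OpenID Connect Core expects login_required (or interaction_required) in that case, so unless the underlying server middleware still enforces it — not visible from this diff — the responsibility now sits with the application's authorization endpoint, and nothing in the remaining code records that. I would leave a comment where the block was removed, e.g. `// prompt=none requests are not validated here: the application's authorization endpoint must return login_required / interaction_required when no authenticated session exists and must validate any id_token_hint (audience and subject) itself.` It is also worth stating this behavioural change explicitly in the commit message, since integrators relying on the previous built-in rejection will not otherwise notice it.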