From e50cb8c62d9d42e146d470ac96f82bff345a0166 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 28 Feb 2024 17:26:50 +0100
Subject: [PATCH] Update the
 AttachDynamicPortToRedirectUri/AttachDynamicPortToPostLogoutRedirectUri
 handlers to no-op when the challenge/sign-out demands are handled via
 WebAuthenticationBroker

---
 .../OpenIddictClientSystemIntegrationHandlers.cs          | 8 ++++++++
 .../OpenIddictClientSystemIntegrationHttpListener.cs      | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
index c90a1f64..ae5120af 100644
--- a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHandlers.cs
@@ -1599,6 +1599,10 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
             = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessChallengeContext>()
                 .AddFilter<RequireInteractiveSession>()
                 .AddFilter<RequireInteractiveGrantType>()
+                // Note: only apply the dynamic port replacement logic if the callback request
+                // is going to be received by the system browser to ensure it doesn't apply to
+                // challenge demands handled via a web authentication broker are not affected.
+                .AddFilter<RequireSystemBrowser>()
                 .UseSingletonHandler<AttachDynamicPortToRedirectUri>()
                 .SetOrder(AttachRedirectUri.Descriptor.Order + 500)
                 .SetType(OpenIddictClientHandlerType.BuiltIn)
@@ -1775,6 +1779,10 @@ public static partial class OpenIddictClientSystemIntegrationHandlers
         public static OpenIddictClientHandlerDescriptor Descriptor { get; }
             = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessSignOutContext>()
                 .AddFilter<RequireInteractiveSession>()
+                // Note: only apply the dynamic port replacement logic if the callback request
+                // is going to be received by the system browser to ensure it doesn't apply to
+                // sign-out demands handled via a web authentication broker are not affected.
+                .AddFilter<RequireSystemBrowser>()
                 .UseSingletonHandler<AttachDynamicPortToPostLogoutRedirectUri>()
                 .SetOrder(AttachPostLogoutRedirectUri.Descriptor.Order + 500)
                 .SetType(OpenIddictClientHandlerType.BuiltIn)
diff --git a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHttpListener.cs b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHttpListener.cs
index 29c54c90..b890caf9 100644
--- a/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHttpListener.cs
+++ b/src/OpenIddict.Client.SystemIntegration/OpenIddictClientSystemIntegrationHttpListener.cs
@@ -94,9 +94,16 @@ public sealed class OpenIddictClientSystemIntegrationHttpListener : BackgroundSe
         // Ignore exceptions indicating that the host is shutting down and return immediately.
         catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
         {
+            _source.SetResult(result: null);
             return;
         }
 
+        catch (Exception exception) when (!OpenIddictHelpers.IsFatal(exception))
+        {
+            _source.SetResult(result: null);
+            throw;
+        }
+
         static (HttpListener Listener, int Port) CreateHttpListener(List<int> ports, CancellationToken cancellationToken)
         {
             // Note: HttpListener doesn't offer a native way to select a non-busy port from