From fa497f01ea67637beba20e340f333d5f2be28088 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Sat, 28 Jan 2023 16:49:48 +0100
Subject: [PATCH] Update the ValidateTokenEntry server event handler to buffer tokens before revoking them
---
 .../OpenIddictServerHandlers.Protection.cs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
index 298f9c99..05cede50 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
@@ -942,9 +942,22 @@ public static partial class OpenIddictServerHandlers

 // Revoke all the token entries associated with the authorization,
 // including the redeemed token that was used in the token request.
+
+ // Note: the tokens are deliberately buffered before being marked
+ // as revoked to prevent issues with providers that try to reuse the
+ // connection opened to iterate the tokens instead of opening a new one.
+ //
+ // See https://github.com/openiddict/openiddict-core/issues/1658 for more information.
+ List tokens = new(capacity: 1);
+
 await foreach (var token in _tokenManager.FindByAuthorizationIdAsync(identifier))
 {
- await _tokenManager.TryRevokeAsync(token);
+ tokens.Add(token);
+ }
+
+ for (var index = 0; index < tokens.Count; index++)
+ {
+ await _tokenManager.TryRevokeAsync(tokens[index]);
 }
 }
 }
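Review bot: The result of `_tokenManager.TryRevokeAsync(tokens[index])` in the new `for` loop is discarded, so a revocation that does not succeed leaves a token tied to this authorization usable without any trace. The comment above the loop says this path revokes every entry associated with the authorization, including the redeemed token, so I would check the return value and record failures, e.g. `if (!await _tokenManager.TryRevokeAsync(tokens[index])) { /* log the token that could not be revoked */ }` (assuming the method reports success as a bool, as the Try prefix suggests). The buffer is also unbounded: every token of the authorization is held in memory before the first revocation, and `capacity: 1` only fits the single-token case, so a short comment stating the expected upper bound would help. The enclosing handler method begins outside the hunk, so whether a logger is in scope cannot be confirmed from here.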