The CIMD metadata document fetch was running in the outer
ValidateAuthorizationRequestContext pipeline, which only covers the
authorize endpoint. During token exchange, ValidateClientType runs
inside ProcessAuthenticationContext (before the outer pipeline handler)
and calls FindByClientIdAsync — which returns null because the CIMD
context was never populated for that request.

Move FetchClientIdMetadataDocument to target ProcessAuthenticationContext
with order between ValidateClientId and ValidateClientType. This ensures
the CIMD document is fetched for all endpoint types (authorize, token,
etc.) before the client type validation occurs.

Implement draft-ietf-oauth-client-id-metadata-document-00 support,
allowing OAuth clients to use an HTTPS URL as their client_id with
the server fetching a JSON metadata document from that URL.

- Add EnableClientIdMetadataDocumentSupport option and related config
- Create OpenIddict.Server.SystemNetHttp project for HTTP outbound
  metadata document fetching (following Client.SystemNetHttp patterns)
- Modify handler pipeline: ValidateClientId sets CIMD flag when
  FindByClientIdAsync returns null and client_id is a valid HTTPS URL
- Add CIMD bypasses to authentication, sign-in, and token generation
  handlers that look up pre-registered applications
- Validate redirect_uri against fetched metadata document
- Advertise client_id_metadata_document_supported in discovery
- Update sandbox demonstrator with CIMD support and test endpoint
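
An added example, not part of the commit or of OpenIddict's own code: one way the "client_id is a valid HTTPS URL" and "validate redirect_uri against fetched metadata document" checks could look once the document body has been fetched. The class and method names are hypothetical, the `client_id` and `redirect_uris` property names are assumed to be the standard OAuth client metadata fields, and the sample values are constructed.

```csharp
using System;
using System.Linq;
using System.Text.Json;

// Hypothetical helper for illustration; not an OpenIddict type.
public static class CimdChecks
{
    // Only an absolute HTTPS URL is treated as a metadata-document client_id.
    public static bool IsHttpsClientId(string clientId) =>
        Uri.TryCreate(clientId, UriKind.Absolute, out var uri) &&
        uri.Scheme == Uri.UriSchemeHttps;

    // True only if the document names the client_id it was fetched from and
    // lists redirectUri verbatim (ordinal comparison, no prefix or wildcard match).
    public static bool IsRedirectUriAllowed(string clientId, string metadataJson, string redirectUri)
    {
        try
        {
            using var document = JsonDocument.Parse(metadataJson);
            var root = document.RootElement;
            if (root.ValueKind != JsonValueKind.Object ||
                !root.TryGetProperty("client_id", out var id) ||
                id.ValueKind != JsonValueKind.String ||
                !string.Equals(id.GetString(), clientId, StringComparison.Ordinal) ||
                !root.TryGetProperty("redirect_uris", out var uris) ||
                uris.ValueKind != JsonValueKind.Array)
                return false;

            return uris.EnumerateArray().Any(uri =>
                uri.ValueKind == JsonValueKind.String &&
                string.Equals(uri.GetString(), redirectUri, StringComparison.Ordinal));
        }
        catch (JsonException)
        {
            return false; // malformed document: reject the request
        }
    }

    public static void Main()
    {
        // Constructed sample values.
        const string clientId = "https://client.example/oauth/metadata.json";
        const string json = "{\"client_id\":\"https://client.example/oauth/metadata.json\"," +
                            "\"redirect_uris\":[\"https://client.example/callback\"]}";

        Console.WriteLine(IsHttpsClientId(clientId));                                                     // scheme check
        Console.WriteLine(IsRedirectUriAllowed(clientId, json, "https://client.example/callback"));       // listed URI
        Console.WriteLine(IsRedirectUriAllowed(clientId, json, "https://client.example/callback/extra")); // unlisted URI
        Console.WriteLine(IsRedirectUriAllowed("https://other.example/app", json, "https://client.example/callback")); // client_id mismatch
    }
}
```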