Update all the token type validation delegates to assume that tokens that don't have a "typ" header are generic JSON Web Tokens

kevinchalet · kevinchalet · commit 55cd0e94a803 · 2025-06-09T23:57:04.000+02:00
diff --git a/src/OpenIddict.Client/OpenIddictClientOptions.cs b/src/OpenIddict.Client/OpenIddictClientOptions.cs
@@ -113,9 +113,15 @@ public sealed class OpenIddictClientOptions
         ClockSkew = TimeSpan.Zero,
         NameClaimType = Claims.Name,
         RoleClaimType = Claims.Role,
-        // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
         TypeValidator = static (type, token, parameters) =>
         {
+            // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
+            if (string.IsNullOrEmpty(type))
+            {
+                type = JsonWebTokenTypes.GenericJsonWebToken;
+            }
+
+            // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
             if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
                !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
             {
diff --git a/src/OpenIddict.Client/OpenIddictClientRegistration.cs b/src/OpenIddict.Client/OpenIddictClientRegistration.cs
@@ -190,9 +190,15 @@ public sealed class OpenIddictClientRegistration
         ClockSkew = TimeSpan.Zero,
         NameClaimType = Claims.Name,
         RoleClaimType = Claims.Role,
-        // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
         TypeValidator = static (type, token, parameters) =>
         {
+            // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
+            if (string.IsNullOrEmpty(type))
+            {
+                type = JsonWebTokenTypes.GenericJsonWebToken;
+            }
+
+            // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
             if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
                !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
             {
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs
@@ -119,6 +119,12 @@ TokenValidationParameters GetClientTokenValidationParameters()
                     {
                         TypeValidator = static (type, token, parameters) =>
                         {
+                            // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
+                            if (string.IsNullOrEmpty(type))
+                            {
+                                type = JsonWebTokenTypes.GenericJsonWebToken;
+                            }
+
                             // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
                             if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
                                !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
diff --git a/src/OpenIddict.Server/OpenIddictServerOptions.cs b/src/OpenIddict.Server/OpenIddictServerOptions.cs
@@ -154,11 +154,10 @@ public sealed class OpenIddictServerOptions
                 };
             }
 
-            // At this point, throw an exception if the type cannot be resolved from the "typ" header
-            // (provided via the type delegate parameter) or inferred from the token_usage claim.
+            // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
             if (string.IsNullOrEmpty(type))
             {
-                throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0270));
+                type = JsonWebTokenTypes.GenericJsonWebToken;
             }
 
             // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
diff --git a/src/OpenIddict.Validation/OpenIddictValidationOptions.cs b/src/OpenIddict.Validation/OpenIddictValidationOptions.cs
@@ -185,11 +185,10 @@ public sealed class OpenIddictValidationOptions
                 };
             }
 
-            // At this point, throw an exception if the type cannot be resolved from the "typ" header
-            // (provided via the type delegate parameter) or inferred from the token_usage claim.
+            // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
             if (string.IsNullOrEmpty(type))
             {
-                throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0270));
+                type = JsonWebTokenTypes.GenericJsonWebToken;
             }
 
             // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,12 @@ TokenValidationParameters GetClientTokenValidationParameters()`
`119`	`119`	`{`
`120`	`120`	`TypeValidator = static (type, token, parameters) =>`
`121`	`121`	`{`
	`122`	`+ // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.`
	`123`	`+ if (string.IsNullOrEmpty(type))`
	`124`	`+ {`
	`125`	`+ type = JsonWebTokenTypes.GenericJsonWebToken;`
	`126`	`+ }`
	`127`	`+`
`122`	`128`	`// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.`
`123`	`129`	`if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&`
`124`	`130`	`!parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))`
Original file line number	Diff line number	Diff line change
`@@ -154,11 +154,10 @@ public sealed class OpenIddictServerOptions`
`154`	`154`	`};`
`155`	`155`	`}`
`156`	`156`
`157`		`- // At this point, throw an exception if the type cannot be resolved from the "typ" header`
`158`		`- // (provided via the type delegate parameter) or inferred from the token_usage claim.`
	`157`	`+ // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.`
`159`	`158`	`if (string.IsNullOrEmpty(type))`
`160`	`159`	`{`
`161`		`- throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0270));`
	`160`	`+ type = JsonWebTokenTypes.GenericJsonWebToken;`
`162`	`161`	`}`
`163`	`162`
`164`	`163`	`// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.`
Original file line number	Diff line number	Diff line change
`@@ -185,11 +185,10 @@ public sealed class OpenIddictValidationOptions`
`185`	`185`	`};`
`186`	`186`	`}`
`187`	`187`
`188`		`- // At this point, throw an exception if the type cannot be resolved from the "typ" header`
`189`		`- // (provided via the type delegate parameter) or inferred from the token_usage claim.`
	`188`	`+ // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.`
`190`	`189`	`if (string.IsNullOrEmpty(type))`
`191`	`190`	`{`
`192`		`- throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0270));`
	`191`	`+ type = JsonWebTokenTypes.GenericJsonWebToken;`
`193`	`192`	`}`
`194`	`193`
`195`	`194`	`// Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.`