Introduce a new dynamic option to disable issuer parameter validation and disable it for Google

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs

@@ -22,6 +22,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /*
          * Authentication processing:
          */
+        DisableIssuerParameterValidation.Descriptor,
         ValidateRedirectionRequestSignature.Descriptor,
         HandleNonStandardFrontchannelErrorResponse.Descriptor,
         ValidateNonStandardParameters.Descriptor,
@@ -68,6 +69,45 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         .. UserInfo.DefaultHandlers
     ];
 
+    /// <summary>
+    /// Contains the logic responsible for disabling the issuer parameter validation for the providers that require it.
+    /// </summary>
+    public sealed class DisableIssuerParameterValidation : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    {
+        /// <summary>
+        /// Gets the default descriptor definition assigned to this handler.
+        /// </summary>
+        public static OpenIddictClientHandlerDescriptor Descriptor { get; }
+            = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .UseSingletonHandler<DisableIssuerParameterValidation>()
+                .SetOrder(ValidateIssuerParameter.Descriptor.Order - 500)
+                .SetType(OpenIddictClientHandlerType.BuiltIn)
+                .Build();
+
+        /// <inheritdoc/>
+        public ValueTask HandleAsync(ProcessAuthenticationContext context)
+        {
+            ArgumentNullException.ThrowIfNull(context);
+
+            context.DisableIssuerParameterValidation = context.Registration.ProviderType switch
+            {
+                // Google is currently rolling out a change that causes the "iss" authorization response
+                // parameter to be returned without the "authorization_response_iss_parameter_supported"
+                // flag being advertised in the provider metadata. Since OpenIddict rejects authorization
+                // responses that contain an issuer if "authorization_response_iss_parameter_supported" is
+                // not explicitly set to true, validation must be disabled until the deployment is complete.
+                //
+                // See https://github.com/openiddict/openiddict-core/issues/2428 for more information.
+                ProviderTypes.Google when context.Request.HasParameter(Parameters.Iss) &&
+                    context.Configuration.AuthorizationResponseIssParameterSupported is not true => true,
+
+                _ => context.DisableIssuerParameterValidation
+            };
+
+            return ValueTask.CompletedTask;
+        }
+    }
+
     /// <summary>
     /// Contains the logic responsible for validating the signature or message authentication
     /// code attached to the redirection request for the providers that require it.

src/OpenIddict.Client/OpenIddictClientEvents.cs

@@ -1012,6 +1012,14 @@ public OpenIddictRequest Request
         /// </remarks>
         public bool DisableFrontchannelIdentityTokenNonceValidation { get; set; }
 
+        /// <summary>
+        /// Gets or sets a boolean indicating whether issuer parameter validation should be disabled.
+        /// </summary>
+        /// <remarks>
+        /// Note: overriding the value of this property is generally not recommended.
+        /// </remarks>
+        public bool DisableIssuerParameterValidation { get; set; }
+
         /// <summary>
         /// Gets or sets a boolean indicating whether userinfo retrieval should be disabled.
         /// </summary>

src/OpenIddict.Client/OpenIddictClientExtensions.cs

@@ -50,6 +50,7 @@ public static OpenIddictClientBuilder AddClient(this OpenIddictBuilder builder)
         builder.Services.TryAddSingleton<RequireIntrospectionClientAssertionGenerated>();
         builder.Services.TryAddSingleton<RequireIntrospectionRequest>();
         builder.Services.TryAddSingleton<RequireIssuedTokenValidated>();
+        builder.Services.TryAddSingleton<RequireIssuerParameterValidationEnabled>();
         builder.Services.TryAddSingleton<RequireLoginStateTokenGenerated>();
         builder.Services.TryAddSingleton<RequireLogoutStateTokenGenerated>();
         builder.Services.TryAddSingleton<RequireJsonWebTokenFormat>();

src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs

@@ -266,6 +266,20 @@ public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         }
     }
 
+    /// <summary>
+    /// Represents a filter that excludes the associated handlers if issuer parameter validation was disabled.
+    /// </summary>
+    public sealed class RequireIssuerParameterValidationEnabled : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    {
+        /// <inheritdoc/>
+        public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
+        {
+            ArgumentNullException.ThrowIfNull(context);
+
+            return new(!context.DisableIssuerParameterValidation);
+        }
+    }
+
     /// <summary>
     /// Represents a filter that excludes the associated handlers if the selected token format is not JSON Web Token.
     /// </summary>

src/OpenIddict.Client/OpenIddictClientHandlers.cs

@@ -1171,6 +1171,7 @@ public sealed class ValidateIssuerParameter : IOpenIddictClientHandler<ProcessAu
         /// </summary>
         public static OpenIddictClientHandlerDescriptor Descriptor { get; }
             = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
+                .AddFilter<RequireIssuerParameterValidationEnabled>()
                 .AddFilter<RequireRedirectionRequest>()
                 .UseSingletonHandler<ValidateIssuerParameter>()
                 .SetOrder(ResolveClientRegistrationFromStateToken.Descriptor.Order + 1_000)