From d7be53a3e7891f4d9f95bf93a0ccd566e347acd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Tue, 12 Nov 2024 20:24:10 +0100 Subject: [PATCH] Eagerly abort introspection/revocation demands that don't have a token attached --- src/OpenIddict.Abstractions/OpenIddictResources.resx | 6 ++++++ src/OpenIddict.Client/OpenIddictClientHandlers.cs | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx index 0ab3e2479..4e260d063 100644 --- a/src/OpenIddict.Abstractions/OpenIddictResources.resx +++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx @@ -1701,6 +1701,12 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId The '{0}' parameter cannot contain null or empty values. + + A token must be specified when using introspection. + + + A token must be specified when using revocation. + The security token is missing. diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs index f327891d2..5de69eb74 100644 --- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs +++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs @@ -6171,6 +6171,11 @@ public ValueTask HandleAsync(ProcessIntrospectionContext context) throw new ArgumentNullException(nameof(context)); } + if (string.IsNullOrEmpty(context.Token)) + { + throw new InvalidOperationException(SR.GetResourceString(SR.ID0458)); + } + if (context.Registration is null && string.IsNullOrEmpty(context.RegistrationId) && context.Issuer is null && string.IsNullOrEmpty(context.ProviderName) && context.Options.Registrations.Count is not 1) 
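Review bot: The guard added to the ProcessIntrospectionContext handler tests `string.IsNullOrEmpty(context.Token)`, so a token made only of whitespace still passes and would presumably continue on to registration resolution and the outgoing introspection request. If whitespace-only values should count as "no token attached", the check could be `if (string.IsNullOrWhiteSpace(context.Token))`; the neighbouring conditions use `IsNullOrEmpty` for `RegistrationId` and `ProviderName`, so keeping it may be deliberate, in which case a short comment saying so would help. The same applies to the ProcessRevocationContext hunk that throws `SR.ID0459`. The diffstat lists only the resource file and the handlers file, so nothing in this commit pins the two new `InvalidOperationException` paths with a test. Both `HandleAsync` bodies start and end outside their hunks.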
@@ -6841,6 +6846,11 @@ public ValueTask HandleAsync(ProcessRevocationContext context) throw new ArgumentNullException(nameof(context)); } + if (string.IsNullOrEmpty(context.Token)) + { + throw new InvalidOperationException(SR.GetResourceString(SR.ID0459)); + } + if (context.Registration is null && string.IsNullOrEmpty(context.RegistrationId) && context.Issuer is null && string.IsNullOrEmpty(context.ProviderName) && context.Options.Registrations.Count is not 1)