id_token signature validation in OpenIdConnectHandler in case of authorization code flow

[Riff451]

Hello,
I've noticed that the OpenIdConnectHandler is setting TokenValidationParameters.RequireSignedTokens to false in case of authorization code flow as per OIDC spec:

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

Lines 685 to 687 in 2924ca2

	// no need to validate signature when token is received using "code flow" as per spec
	// [http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation].
	validationParameters.RequireSignedTokens = false;

However the JwtSecurityTokenHandler.ValidateSignature() method that, if I'm not wrong, eventually gets called, validates the signature when the token is signed even if TokenValidationParameters.RequireSignedTokens is false.

Am I missing something?
Is this something expected in the OpenIdConnectHandler?

Thank you very much.

[adityamandaleeka]

@HaoK Not sure if you ever saw this one. Should this be in 8 planning?

Thanks for contacting us.
We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. Because it's not immediately obvious that this is a bug in our framework, we would like to keep this around to collect more feedback, which can later help us determine the impact of it. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[mikekistler]

Hi. Thanks for contacting us. We're closing this issue as there was not much community interest in this ask for quite a while now. You can learn more about our triage process and how we handle issues by reading our Triage Process writeup.