Override the default TLS client certificate selectors to support using certificates that don't meet the default requirements for specific providers

Author: kevinchalet

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationConfiguration.cs

@@ -5,7 +5,10 @@
  */
 
 using System.ComponentModel;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Options;
+using OpenIddict.Client.SystemNetHttp;
+using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationConstants;
 
 namespace OpenIddict.Client.WebIntegration;
 
@@ -14,7 +17,8 @@ namespace OpenIddict.Client.WebIntegration;
 /// </summary>
 [EditorBrowsable(EditorBrowsableState.Advanced)]
 public sealed partial class OpenIddictClientWebIntegrationConfiguration : IConfigureOptions<OpenIddictClientOptions>,
-                                                                          IPostConfigureOptions<OpenIddictClientOptions>
+                                                                          IPostConfigureOptions<OpenIddictClientOptions>,
+                                                                          IPostConfigureOptions<OpenIddictClientSystemNetHttpOptions>
 {
     /// <inheritdoc/>
     public void Configure(OpenIddictClientOptions options)
@@ -47,6 +51,38 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
         });
     }
 
+    /// <inheritdoc/>
+    public void PostConfigure(string? name, OpenIddictClientSystemNetHttpOptions options)
+    {
+        if (options is null)
+        {
+            throw new ArgumentNullException(nameof(options));
+        }
+
+        // Override the default/user-defined selectors to support attaching TLS client
+        // certificates that don't meet the requirements enforced by default by OpenIddict.
+        options.SelfSignedTlsClientAuthenticationCertificateSelector = CreateSelector(options.SelfSignedTlsClientAuthenticationCertificateSelector);
+        options.TlsClientAuthenticationCertificateSelector = CreateSelector(options.TlsClientAuthenticationCertificateSelector);
+
+        static Func<OpenIddictClientRegistration, X509Certificate2?> CreateSelector(Func<OpenIddictClientRegistration, X509Certificate2?> selector)
+            => registration =>
+            {
+                var certificate = registration.ProviderType switch
+                {
+                    ProviderTypes.ProSantéConnect => registration.GetProSantéConnectSettings().SigningCertificate,
+
+                    _ => null
+                };
+
+                if (certificate is not null)
+                {
+                    return certificate;
+                }
+
+                return selector(registration);
+            };
+    }
+
     /// <summary>
     /// Amends the registration with the provider-specific configuration logic.
     /// </summary>

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationExtensions.cs

@@ -7,6 +7,7 @@
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 using OpenIddict.Client;
+using OpenIddict.Client.SystemNetHttp;
 using OpenIddict.Client.WebIntegration;
 
 namespace Microsoft.Extensions.DependencyInjection;
@@ -40,6 +41,8 @@ public static OpenIddictClientWebIntegrationBuilder UseWebProviders(this OpenIdd
         // Note: TryAddEnumerable() is used here to ensure the initializers are registered only once.
         builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<
             IConfigureOptions<OpenIddictClientOptions>, OpenIddictClientWebIntegrationConfiguration>());
+        builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<
+            IPostConfigureOptions<OpenIddictClientSystemNetHttpOptions>, OpenIddictClientWebIntegrationConfiguration>());
 
         // Note: the IPostConfigureOptions<OpenIddictClientOptions> service responsible for populating
         // the client registrations MUST be registered before OpenIddictClientConfiguration to ensure