AspNetCore.Diagnostics.HealthChecks

OpenIdConnectServer health check became too strict

Open jazzmanro opened this issue 2 years ago • 2 comments

What happened: Commit https://github.com/Xabaril/AspNetCore.Diagnostics.HealthChecks/commit/20d236d00142c555566f36fc8f07e71409bc0085 by @cieciurm introduced additional OpenID Connect checks that are too specific (meant for Dynamic OpenID providers). Because of this, after updating the package from version 6.x to latest 8.x, the check is now failing: Invalid discovery response - 'response_types_supported' must contain the following values: code,id_token!. This happens because of lines 34 and 38, here: https://github.com/Xabaril/AspNetCore.Diagnostics.HealthChecks/blob/master/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs

What you expected to happen: According to https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata,

response_types_supported: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the id_token token Response Type values.

This means that we must not fail this check for standard OpenID providers, which are not required to support id_token and id_token token and won't if they disable the obsolete and no longer recommended implicit flow (https://oauth.net/2/grant-types/implicit/). Those response types are specific to this flow: https://openid.net/specs/openid-connect-core-1_0.html#Authentication

How to reproduce it (as minimally and precisely as possible): Run the OpenIdConnectServer health check against a standard OpenID provider that doesn't have implicit flow enabled. In our case, we developed this based on https://github.com/openiddict/openiddict-core and only activated the authorization code and hybrid flows.

Environment:

  • .NET Core version 8
  • Healthchecks version 8.0.0

jazzmanro avatar Feb 01 '24 12:02 jazzmanro
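To make the distinction in the report concrete, here is an added example (not code from AspNetCore.Diagnostics.HealthChecks or from OpenIddict) of validating a discovery document against OpenID Connect Discovery 1.0 section 3: the required metadata fields, an issuer match, and `response_types_supported` checked either strictly (the Dynamic OP rule: `code`, `id_token`, `id_token token`) or relaxed (only the response types the caller actually relies on, defaulting to `code`, which is an assumption of this example rather than a spec rule). The sample document is constructed to look like an OP with only the authorization code and hybrid flows enabled; the hostname `idp.example.test` and the endpoint paths are placeholders.

```python
"""Validate an OpenID Connect discovery document (example, not the library's code).

Assumes the discovery JSON has already been fetched and decoded into a dict, and
that the caller knows which issuer it queried so the document can be pinned to it.
"""
from typing import Dict, Iterable, List, FrozenSet

# Metadata REQUIRED by OpenID Connect Discovery 1.0, section 3.
# token_endpoint is REQUIRED too, "unless only the Implicit Flow is used", so it is
# checked separately below.
REQUIRED_KEYS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Response types a *Dynamic* OpenID Provider MUST support (Discovery 1.0, section 3).
# Ordinary OPs are only required to publish the array, not these particular values.
DYNAMIC_OP_RESPONSE_TYPES = ("code", "id_token", "id_token token")


def normalize(response_type: str) -> FrozenSet[str]:
    """A response_type value is a space-separated set of tokens; order is not
    significant, so "code id_token" and "id_token code" compare equal."""
    return frozenset(response_type.split())


def validate_discovery(
    doc: Dict,
    expected_issuer: str,
    dynamic_op: bool = False,
    required_response_types: Iterable[str] = ("code",),  # assumption: caller's choice
) -> List[str]:
    """Return a list of problems; an empty list means the document is acceptable."""
    errors = [f"missing required field '{key}'" for key in REQUIRED_KEYS if key not in doc]
    if errors:
        return errors

    # Issuer pinning: a document that names a different issuer may have been served by
    # a misrouted or spoofed endpoint and would point clients at foreign endpoints.
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        errors.append(f"issuer mismatch: expected '{expected_issuer}', got '{doc['issuer']}'")

    supported = {normalize(rt) for rt in doc["response_types_supported"]}
    required = DYNAMIC_OP_RESPONSE_TYPES if dynamic_op else tuple(required_response_types)
    missing = [rt for rt in required if normalize(rt) not in supported]
    if missing:
        errors.append("'response_types_supported' must contain: " + ", ".join(missing))

    # Any response type containing "code" means a non-implicit flow is offered, and
    # then the token endpoint is mandatory.
    if any("code" in rt for rt in supported) and "token_endpoint" not in doc:
        errors.append("'token_endpoint' is required when a non-implicit flow is supported")
    return errors


# Constructed sample: code + hybrid flows enabled, implicit flow disabled, so the bare
# "id_token" and "id_token token" values are absent.
SAMPLE_DOC = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/connect/authorize",
    "token_endpoint": "https://idp.example.test/connect/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks",
    "response_types_supported": ["code", "code id_token", "code token", "code id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    issuer = "https://idp.example.test"
    print("relaxed:", validate_discovery(SAMPLE_DOC, issuer) or "ok")
    print("strict (Dynamic OP rule):", validate_discovery(SAMPLE_DOC, issuer, dynamic_op=True))
```

Run as a script, the relaxed check passes for the constructed document while the Dynamic OP rule reports `id_token` and `id_token token` as missing, which is the failure mode described in the report. Treating `response_type` values as sets of tokens also avoids a false negative against providers that advertise `id_token code` rather than `code id_token`.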

@jazzmanro PR is welcome.

sungam3r avatar Feb 05 '24 06:02 sungam3r

@jazzmanro @sungam3r Please review. Thanks a lot. 🙂

hschink avatar Feb 20 '24 20:02 hschink