Support for UserInfo Message Level Encryption (Microsoft.AspNetCore.Authentication.OpenIdConnect)
I am trying to authenticate my app against this authority and method that uses MLE (Message Level Encryption): https://developer.signicat.com/enterprise/docs/authentication/about-oidc.html#finnish-trust-network-ftn-specifics
Quote:
You should send your requests as a normal OIDC request (see exception below). The differences between a normal OIDC flow and an MLE flow are:
The ID token and the response from user info is a nested JWT which is encrypted and signed. Decrypt it with your private key from the RSA pair given to Signicat. Deserialize the resulting signed JWT and verify the signature.
Extra emphasis on the “and the response from user info”.
I have managed to make the ID token handling to work by using a custom ISecurityTokenValidator like so:
options.SecurityTokenValidator = new SecurityTokenValidator();
However, your code fails when parsing the user token here, because the Payload is null (I guess because you need to decrypt the token to get the real payload):
(Note: I am getting this error with version 3.1.0 of your Microsoft.AspNetCore.Authentication.OpenIdConnect library, but the code seems the same in newer versions)
Describe the solution you’d like
I guess you should provide a way to decrypt the user info token as well.
options.UserInfoTokenValidator = new SecurityTokenValidator();
Additional context
Any ideas for a workaround are welcome.
I am trying to replace the OpenIdConnectHandler with my own version now, but I am not sure this is possible… 😦
Also, the event callback for OnUserInformationReceived is called too late to help me do something with the encrypted token, it seems.
Issue Analytics
- Created 2 years ago
- Comments: 9 (5 by maintainers)
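The decrypt-then-verify step the Signicat text describes, as an added example that is not code from the issue, from Signicat or from the ASP.NET Core repository. It uses the standard Microsoft.IdentityModel JwtSecurityTokenHandler: setting TokenDecryptionKey on TokenValidationParameters makes ValidateToken unwrap the outer JWE with our RSA private key and then verify the inner JWS against the issuer signing key, which is exactly the order the MLE description gives. The class name, the helper method names, the issuer, audience and claim values, and the locally generated RSA keys are all constructed for the example; a real relying party would take the signing key from the provider's discovery document and load its own key pair from secure storage. It assumes a recent Microsoft.IdentityModel.Tokens / System.IdentityModel.Tokens.Jwt (6.x) so that RSA-OAEP key wrap is available for both creating and validating the sample token.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example, not from the issue or the ASP.NET Core code base.
// Unwraps a nested JWT in the order the MLE description gives: decrypt the outer JWE
// with the relying party's RSA private key, then verify the inner JWS signature.
public static class MleTokenUnwrapper
{
    public static ClaimsPrincipal DecryptAndValidate(
        string nestedJwt,
        RSA rpPrivateKey,               // our half of the RSA pair registered with the provider
        SecurityKey providerSigningKey, // provider's public signing key (from discovery in production)
        string issuer,
        string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        var parameters = new TokenValidationParameters
        {
            TokenDecryptionKey = new RsaSecurityKey(rpPrivateKey),
            IssuerSigningKey = providerSigningKey,
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
        };

        // ValidateToken recognises the five-segment JWE form, decrypts it, and validates the
        // inner signed token. By contrast, new JwtSecurityToken(nestedJwt).Payload is null for
        // a JWE, which is the failure the issue reports for the UserInfo response.
        return handler.ValidateToken(nestedJwt, parameters, out _);
    }

    // Builds a constructed nested token (signed, then encrypted) so the round trip runs offline.
    public static string CreateSampleNestedJwt(
        RSA providerSigningKey, RSA rpPublicKey, string issuer, string audience)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "sample-user") }), // constructed
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(
                new RsaSecurityKey(providerSigningKey), SecurityAlgorithms.RsaSha256),
            EncryptingCredentials = new EncryptingCredentials(
                new RsaSecurityKey(rpPublicKey),
                SecurityAlgorithms.RsaOAEP,
                SecurityAlgorithms.Aes256CbcHmacSha512),
        };
        return new JwtSecurityTokenHandler().CreateEncodedJwt(descriptor);
    }

    public static void Main()
    {
        const string issuer = "https://issuer.example"; // placeholder, not a real authority
        const string audience = "sample-client-id";      // placeholder client id

        using var providerKey = RSA.Create(2048); // stands in for the provider's signing key
        using var rpKey = RSA.Create(2048);       // stands in for the RSA pair given to the provider

        // The provider only ever holds the public half of our pair.
        using var rpPublic = RSA.Create();
        rpPublic.ImportParameters(rpKey.ExportParameters(false));

        string nested = CreateSampleNestedJwt(providerKey, rpPublic, issuer, audience);
        Console.WriteLine($"segments: {nested.Split('.').Length}"); // 5 segments => JWE

        var principal = DecryptAndValidate(
            nested, rpKey, new RsaSecurityKey(providerKey), issuer, audience);

        // Note: JwtSecurityTokenHandler maps short JWT claim names such as "sub" to
        // ClaimTypes URIs unless MapInboundClaims is set to false, so list all claims.
        foreach (var claim in principal.Claims)
            Console.WriteLine($"{claim.Type} = {claim.Value}");
    }
}
```

For the ID token, the same TokenValidationParameters (in particular TokenDecryptionKey) can be assigned to options.TokenValidationParameters instead of writing a custom ISecurityTokenValidator, since the default validator is this same handler. For the UserInfo response the handler in the version the issue names parses the JWT before any event fires, so the unwrapping above only helps once the raw response string is available to application code.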
@DumboJet I recommend not calling HandleResponse in this case. You shouldn’t need Success either, just let the event complete and the normal logic continue.
Thank you @Tratcher ! Indeed, your suggestion works! I had the impression it didn’t, but apparently I was wrong.