Good afternoon. It seems that — OOTB — .NET 9 (and 10) and PingOne OIDC are incompatible. I've reproduced the issue here:
#9
This has also been reported here:
https://support.pingidentity.com/s/question/0D5UJ00000y5g4P0AQ/failure-with-oidc-using-aspnet-because-of-content-type
This workaround wasn't necessary w/ .NET 8, but with .NET 10 being released and .NET 8 reaching EOL in 1 year, I thought I'd raise this issue. It would be good to get this incompatibility addressed either by P1 (returning application/json) or, if you believe that your implementation follows RFC guidelines, reporting this to the .NET team. As you can see below, the first thing their implementation does when inspecting the response from the pushed authorization endpoint is check the content type:
```csharp
private async Task<string> GetPushedAuthorizationRequestUri(HttpResponseMessage parResponseMessage)
{
    // Check content type
    var contentType = parResponseMessage.Content.Headers.ContentType;
    if (!(contentType?.MediaType?.Equals("application/json", StringComparison.OrdinalIgnoreCase) ?? false))
    {
        throw new InvalidOperationException("Invalid response from pushed authorization: content type is not application/json.");
    }
    // ... (remainder of the method not quoted here)
}
```
However, PingOne is returning a response with a content type of application/hal+json.
EDIT: it seems from the RFC that the response MUST use a content type of application/json, and that the implementation from PingOne is not compatible with the RFC: https://datatracker.ietf.org/doc/html/rfc9126#section-2.2-1
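As an added illustration (not the issue author's workaround, nor code from PingOne or the .NET team), the following shows one client-side mitigation that keeps the .NET handler's strict RFC 9126 check in place while tolerating a `application/hal+json` PAR response: a `DelegatingHandler` on the OIDC backchannel that rewrites only that one media type to `application/json`, leaving every other content type untouched so that, for example, an HTML error page from a proxy is still rejected. The class name `HalJsonToJsonHandler` and the wiring via `BackchannelHttpHandler` are assumptions for this example; the proper fix remains the server returning `application/json`.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical handler (example only): normalizes application/hal+json to application/json
// on backchannel responses. HAL+JSON bodies are valid JSON, so the .NET handler can parse
// them once the media type matches; nothing else about the response is changed.
public sealed class HalJsonToJsonHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);

        var contentType = response.Content?.Headers.ContentType;
        if (contentType != null &&
            string.Equals(contentType.MediaType, "application/hal+json", StringComparison.OrdinalIgnoreCase))
        {
            // Rewrite only the media type; charset and other parameters are preserved.
            // Any other unexpected content type still fails the handler's own check.
            contentType.MediaType = "application/json";
        }

        return response;
    }
}

public static class OidcRegistration
{
    // Example wiring (assumed names): install the handler on the OIDC backchannel so the
    // PAR response from the IdP passes the content-type check in OpenIdConnectHandler.
    public static void AddPingOneOidc(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddOpenIdConnect(options =>
            {
                options.Authority = "https://<your-pingone-issuer>"; // placeholder
                options.ClientId = "<client-id>";                    // placeholder
                options.BackchannelHttpHandler = new HalJsonToJsonHandler
                {
                    InnerHandler = new HttpClientHandler()
                };
            });
    }
}
```

Scoping the rewrite to exactly `application/hal+json` is deliberate: relaxing the check to accept any content type would discard the protection the .NET handler gets from refusing non-JSON responses on the pushed authorization endpoint.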