diff --git a/src/Security/Authentication/Core/src/Events/RemoteAuthenticationContext.cs b/src/Security/Authentication/Core/src/Events/RemoteAuthenticationContext.cs
index de21178a8eaa..757faf3b2496 100644
--- a/src/Security/Authentication/Core/src/Events/RemoteAuthenticationContext.cs
+++ b/src/Security/Authentication/Core/src/Events/RemoteAuthenticationContext.cs
@@ -35,7 +35,7 @@ protected RemoteAuthenticationContext(
         /// <summary>
         /// Gets or sets the <see cref="AuthenticationProperties"/>.
         /// </summary>
-        public virtual AuthenticationProperties Properties { get; set; }
+        public virtual AuthenticationProperties? Properties { get; set; }
 
         /// <summary>
         /// Calls success creating a ticket with the <see cref="Principal"/> and <see cref="Properties"/>.
diff --git a/src/Security/Authentication/Core/src/HandleRequestResult.cs b/src/Security/Authentication/Core/src/HandleRequestResult.cs
index 606517218d97..7fd664b080bf 100644
--- a/src/Security/Authentication/Core/src/HandleRequestResult.cs
+++ b/src/Security/Authentication/Core/src/HandleRequestResult.cs
@@ -52,7 +52,7 @@ public class HandleRequestResult : AuthenticateResult
         /// <param name="failure">The failure exception.</param>
         /// <param name="properties">Additional state values for the authentication session.</param>
         /// <returns>The result.</returns>
-        public static new HandleRequestResult Fail(Exception failure, AuthenticationProperties properties)
+        public static new HandleRequestResult Fail(Exception failure, AuthenticationProperties? properties)
         {
             return new HandleRequestResult() { Failure = failure, Properties = properties };
         }
@@ -71,7 +71,7 @@ public class HandleRequestResult : AuthenticateResult
         /// <param name="failureMessage">The failure message.</param>
         /// <param name="properties">Additional state values for the authentication session.</param>
         /// <returns>The result.</returns>
-        public static new HandleRequestResult Fail(string failureMessage, AuthenticationProperties properties)
+        public static new HandleRequestResult Fail(string failureMessage, AuthenticationProperties? properties)
             => Fail(new Exception(failureMessage), properties);
 
         /// <summary>
diff --git a/src/Security/Authentication/Core/src/IDataSerializer.cs b/src/Security/Authentication/Core/src/IDataSerializer.cs
index 74883f043c33..e8442c63dd06 100644
--- a/src/Security/Authentication/Core/src/IDataSerializer.cs
+++ b/src/Security/Authentication/Core/src/IDataSerializer.cs
@@ -23,7 +23,6 @@ public interface IDataSerializer<TModel>
         /// </summary>
         /// <param name="data">The bytes being deserialized.</param>
         /// <returns>The model.</returns>
-        [return: MaybeNull]
-        TModel Deserialize(byte[] data);
+        TModel? Deserialize(byte[] data);
     }
 }
diff --git a/src/Security/Authentication/Core/src/ISecureDataFormat.cs b/src/Security/Authentication/Core/src/ISecureDataFormat.cs
index 6b546101bb43..424dab21eb7e 100644
--- a/src/Security/Authentication/Core/src/ISecureDataFormat.cs
+++ b/src/Security/Authentication/Core/src/ISecureDataFormat.cs
@@ -31,8 +31,7 @@ public interface ISecureDataFormat<TData>
         /// </summary>
         /// <param name="protectedText">The data protected value.</param>
         /// <returns>An instance of <typeparamref name="TData"/>.</returns>
-        [return: MaybeNull]
-        TData Unprotect(string protectedText);
+        TData? Unprotect(string? protectedText);
 
         /// <summary>
         /// Unprotects the specified <paramref name="protectedText"/> using the specified <paramref name="purpose"/>.
@@ -40,7 +39,6 @@ public interface ISecureDataFormat<TData>
         /// <param name="protectedText">The data protected value.</param>
         /// <param name="purpose">The purpose.</param>
         /// <returns>An instance of <typeparamref name="TData"/>.</returns>
-        [return: MaybeNull]
-        TData Unprotect(string protectedText, string? purpose);
+        TData? Unprotect(string? protectedText, string? purpose);
     }
 }
diff --git a/src/Security/Authentication/Core/src/PublicAPI.Unshipped.txt b/src/Security/Authentication/Core/src/PublicAPI.Unshipped.txt
index bd12ce7a9be4..0d33d5fe9b63 100644
--- a/src/Security/Authentication/Core/src/PublicAPI.Unshipped.txt
+++ b/src/Security/Authentication/Core/src/PublicAPI.Unshipped.txt
@@ -1,3 +1,19 @@
 #nullable enable
 *REMOVED*Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions.ForwardDefaultSelector.get -> System.Func<Microsoft.AspNetCore.Http.HttpContext!, string!>?
 Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions.ForwardDefaultSelector.get -> System.Func<Microsoft.AspNetCore.Http.HttpContext!, string?>?
+Microsoft.AspNetCore.Authentication.IDataSerializer<TModel>.Deserialize(byte[]! data) -> TModel?
+Microsoft.AspNetCore.Authentication.ISecureDataFormat<TData>.Unprotect(string? protectedText) -> TData?
+Microsoft.AspNetCore.Authentication.ISecureDataFormat<TData>.Unprotect(string? protectedText, string? purpose) -> TData?
+Microsoft.AspNetCore.Authentication.SecureDataFormat<TData>.Unprotect(string? protectedText) -> TData?
+Microsoft.AspNetCore.Authentication.SecureDataFormat<TData>.Unprotect(string? protectedText, string? purpose) -> TData?
+static Microsoft.AspNetCore.Authentication.HandleRequestResult.Fail(System.Exception! failure, Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> Microsoft.AspNetCore.Authentication.HandleRequestResult!
+static Microsoft.AspNetCore.Authentication.HandleRequestResult.Fail(string! failureMessage, Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> Microsoft.AspNetCore.Authentication.HandleRequestResult!
+virtual Microsoft.AspNetCore.Authentication.RemoteAuthenticationContext<TOptions>.Properties.get -> Microsoft.AspNetCore.Authentication.AuthenticationProperties?
+*REMOVED*Microsoft.AspNetCore.Authentication.IDataSerializer<TModel>.Deserialize(byte[]! data) -> TModel
+*REMOVED*Microsoft.AspNetCore.Authentication.ISecureDataFormat<TData>.Unprotect(string! protectedText) -> TData
+*REMOVED*Microsoft.AspNetCore.Authentication.ISecureDataFormat<TData>.Unprotect(string! protectedText, string? purpose) -> TData
+*REMOVED*Microsoft.AspNetCore.Authentication.SecureDataFormat<TData>.Unprotect(string! protectedText) -> TData
+*REMOVED*Microsoft.AspNetCore.Authentication.SecureDataFormat<TData>.Unprotect(string! protectedText, string? purpose) -> TData
+*REMOVED*static Microsoft.AspNetCore.Authentication.HandleRequestResult.Fail(System.Exception! failure, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> Microsoft.AspNetCore.Authentication.HandleRequestResult!
+*REMOVED*static Microsoft.AspNetCore.Authentication.HandleRequestResult.Fail(string! failureMessage, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> Microsoft.AspNetCore.Authentication.HandleRequestResult!
+*REMOVED*virtual Microsoft.AspNetCore.Authentication.RemoteAuthenticationContext<TOptions>.Properties.get -> Microsoft.AspNetCore.Authentication.AuthenticationProperties!
diff --git a/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs b/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs
index 980966362795..2e7f46e989bf 100644
--- a/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs
+++ b/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs
@@ -145,7 +145,7 @@ public virtual async Task<bool> HandleRequestAsync()
             ticket.Properties.RedirectUri = null;
 
             // Mark which provider produced this identity so we can cross-check later in HandleAuthenticateAsync
-            ticketContext.Properties.Items[AuthSchemeKey] = Scheme.Name;
+            ticketContext.Properties!.Items[AuthSchemeKey] = Scheme.Name;
 
             await Events.TicketReceived(ticketContext);
 
diff --git a/src/Security/Authentication/Core/src/SecureDataFormat.cs b/src/Security/Authentication/Core/src/SecureDataFormat.cs
index d48b29921cc9..fd40a3288a0e 100644
--- a/src/Security/Authentication/Core/src/SecureDataFormat.cs
+++ b/src/Security/Authentication/Core/src/SecureDataFormat.cs
@@ -48,15 +48,13 @@ public string Protect(TData data, string? purpose)
         }
 
         /// <inheritdoc />
-        [return: MaybeNull]
-        public TData Unprotect(string protectedText)
+        public TData? Unprotect(string? protectedText)
         {
             return Unprotect(protectedText, purpose: null);
         }
 
         /// <inheritdoc />
-        [return: MaybeNull]
-        public TData Unprotect(string protectedText, string? purpose)
+        public TData? Unprotect(string? protectedText, string? purpose)
         {
             try
             {
diff --git a/src/Security/Authentication/Facebook/src/FacebookHandler.cs b/src/Security/Authentication/Facebook/src/FacebookHandler.cs
index dd72036fca27..e62a430003b5 100644
--- a/src/Security/Authentication/Facebook/src/FacebookHandler.cs
+++ b/src/Security/Authentication/Facebook/src/FacebookHandler.cs
@@ -33,10 +33,10 @@ public FacebookHandler(IOptionsMonitor<FacebookOptions> options, ILoggerFactory
         /// <inheritdoc />
         protected override async Task<AuthenticationTicket> CreateTicketAsync(ClaimsIdentity identity, AuthenticationProperties properties, OAuthTokenResponse tokens)
         {
-            var endpoint = QueryHelpers.AddQueryString(Options.UserInformationEndpoint, "access_token", tokens.AccessToken);
+            var endpoint = QueryHelpers.AddQueryString(Options.UserInformationEndpoint, "access_token", tokens.AccessToken!);
             if (Options.SendAppSecretProof)
             {
-                endpoint = QueryHelpers.AddQueryString(endpoint, "appsecret_proof", GenerateAppSecretProof(tokens.AccessToken));
+                endpoint = QueryHelpers.AddQueryString(endpoint, "appsecret_proof", GenerateAppSecretProof(tokens.AccessToken!));
             }
             if (Options.Fields.Count > 0)
             {
@@ -54,7 +54,7 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(ClaimsIden
                 var context = new OAuthCreatingTicketContext(new ClaimsPrincipal(identity), properties, Context, Scheme, Options, Backchannel, tokens, payload.RootElement);
                 context.RunClaimActions();
                 await Events.CreatingTicket(context);
-                return new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
+                return new AuthenticationTicket(context.Principal!, context.Properties, Scheme.Name);
             }
         }
 
diff --git a/src/Security/Authentication/Facebook/src/Microsoft.AspNetCore.Authentication.Facebook.csproj b/src/Security/Authentication/Facebook/src/Microsoft.AspNetCore.Authentication.Facebook.csproj
index 4917be29c942..ece1e5408e9c 100644
--- a/src/Security/Authentication/Facebook/src/Microsoft.AspNetCore.Authentication.Facebook.csproj
+++ b/src/Security/Authentication/Facebook/src/Microsoft.AspNetCore.Authentication.Facebook.csproj
@@ -5,6 +5,7 @@
     <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authentication;security</PackageTags>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/src/Security/Authentication/Facebook/src/PublicAPI.Unshipped.txt b/src/Security/Authentication/Facebook/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..5e666ed86460 100644
--- a/src/Security/Authentication/Facebook/src/PublicAPI.Unshipped.txt
+++ b/src/Security/Authentication/Facebook/src/PublicAPI.Unshipped.txt
@@ -1 +1,19 @@
 #nullable enable
+Microsoft.AspNetCore.Authentication.Facebook.FacebookHandler.FacebookHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder, Microsoft.AspNetCore.Authentication.ISystemClock! clock) -> void
+Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions.AppId.get -> string!
+Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions.AppId.set -> void
+Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions.AppSecret.get -> string!
+Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions.AppSecret.set -> void
+Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions.Fields.get -> System.Collections.Generic.ICollection<string!>!
+const Microsoft.AspNetCore.Authentication.Facebook.FacebookDefaults.AuthenticationScheme = "Facebook" -> string!
+override Microsoft.AspNetCore.Authentication.Facebook.FacebookHandler.CreateTicketAsync(System.Security.Claims.ClaimsIdentity! identity, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, Microsoft.AspNetCore.Authentication.OAuth.OAuthTokenResponse! tokens) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.AuthenticationTicket!>!
+override Microsoft.AspNetCore.Authentication.Facebook.FacebookHandler.FormatScope() -> string!
+override Microsoft.AspNetCore.Authentication.Facebook.FacebookHandler.FormatScope(System.Collections.Generic.IEnumerable<string!>! scopes) -> string!
+static Microsoft.Extensions.DependencyInjection.FacebookAuthenticationOptionsExtensions.AddFacebook(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.FacebookAuthenticationOptionsExtensions.AddFacebook(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, System.Action<Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.FacebookAuthenticationOptionsExtensions.AddFacebook(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, System.Action<Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.FacebookAuthenticationOptionsExtensions.AddFacebook(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, string! displayName, System.Action<Microsoft.AspNetCore.Authentication.Facebook.FacebookOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static readonly Microsoft.AspNetCore.Authentication.Facebook.FacebookDefaults.AuthorizationEndpoint -> string!
+static readonly Microsoft.AspNetCore.Authentication.Facebook.FacebookDefaults.DisplayName -> string!
+static readonly Microsoft.AspNetCore.Authentication.Facebook.FacebookDefaults.TokenEndpoint -> string!
+static readonly Microsoft.AspNetCore.Authentication.Facebook.FacebookDefaults.UserInformationEndpoint -> string!
diff --git a/src/Security/Authentication/Google/src/GoogleChallengeProperties.cs b/src/Security/Authentication/Google/src/GoogleChallengeProperties.cs
index a2cfaef1d03a..d73ed11d457b 100644
--- a/src/Security/Authentication/Google/src/GoogleChallengeProperties.cs
+++ b/src/Security/Authentication/Google/src/GoogleChallengeProperties.cs
@@ -43,7 +43,7 @@ public GoogleChallengeProperties()
         /// Initializes a new instance of <see cref="GoogleChallengeProperties"/>.
         /// </summary>
         /// <inheritdoc />
-        public GoogleChallengeProperties(IDictionary<string, string> items)
+        public GoogleChallengeProperties(IDictionary<string, string?> items)
             : base(items)
         { }
 
@@ -51,14 +51,14 @@ public GoogleChallengeProperties(IDictionary<string, string> items)
         /// Initializes a new instance of <see cref="GoogleChallengeProperties"/>.
         /// </summary>
         /// <inheritdoc />
-        public GoogleChallengeProperties(IDictionary<string, string> items, IDictionary<string, object> parameters)
+        public GoogleChallengeProperties(IDictionary<string, string?> items, IDictionary<string, object?> parameters)
             : base(items, parameters)
         { }
 
         /// <summary>
         /// The "access_type" parameter value being used for a challenge request.
         /// </summary>
-        public string AccessType
+        public string? AccessType
         {
             get => GetParameter<string>(AccessTypeKey);
             set => SetParameter(AccessTypeKey, value);
@@ -67,7 +67,7 @@ public string AccessType
         /// <summary>
         /// The "approval_prompt" parameter value being used for a challenge request.
         /// </summary>
-        public string ApprovalPrompt
+        public string? ApprovalPrompt
         {
             get => GetParameter<string>(ApprovalPromptKey);
             set => SetParameter(ApprovalPromptKey, value);
@@ -85,7 +85,7 @@ public bool? IncludeGrantedScopes
         /// <summary>
         /// The "login_hint" parameter value being used for a challenge request.
         /// </summary>
-        public string LoginHint
+        public string? LoginHint
         {
             get => GetParameter<string>(LoginHintKey);
             set => SetParameter(LoginHintKey, value);
@@ -94,7 +94,7 @@ public string LoginHint
         /// <summary>
         /// The "prompt" parameter value being used for a challenge request.
         /// </summary>
-        public string Prompt
+        public string? Prompt
         {
             get => GetParameter<string>(PromptParameterKey);
             set => SetParameter(PromptParameterKey, value);
diff --git a/src/Security/Authentication/Google/src/GoogleHandler.cs b/src/Security/Authentication/Google/src/GoogleHandler.cs
index 44bc9ce63dbd..da8e0b447fa4 100644
--- a/src/Security/Authentication/Google/src/GoogleHandler.cs
+++ b/src/Security/Authentication/Google/src/GoogleHandler.cs
@@ -51,7 +51,7 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(
                 var context = new OAuthCreatingTicketContext(new ClaimsPrincipal(identity), properties, Context, Scheme, Options, Backchannel, tokens, payload.RootElement);
                 context.RunClaimActions();
                 await Events.CreatingTicket(context);
-                return new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
+                return new AuthenticationTicket(context.Principal!, context.Properties, Scheme.Name);
             }
         }
 
@@ -76,7 +76,7 @@ protected override string BuildChallengeUrl(AuthenticationProperties properties,
             var state = Options.StateDataFormat.Protect(properties);
             queryStrings.Add("state", state);
 
-            var authorizationEndpoint = QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, queryStrings);
+            var authorizationEndpoint = QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, queryStrings!);
             return authorizationEndpoint;
         }
 
@@ -84,10 +84,10 @@ private static void AddQueryString<T>(
             IDictionary<string, string> queryStrings,
             AuthenticationProperties properties,
             string name,
-            Func<T, string> formatter,
+            Func<T, string?> formatter,
             T defaultValue)
         {
-            string value = null;
+            string? value;
             var parameterValue = properties.GetParameter<T>(name);
             if (parameterValue != null)
             {
@@ -111,7 +111,7 @@ private static void AddQueryString(
             IDictionary<string, string> queryStrings,
             AuthenticationProperties properties,
             string name,
-            string defaultValue = null)
+            string? defaultValue = null)
             => AddQueryString(queryStrings, properties, name, x => x, defaultValue);
     }
 }
diff --git a/src/Security/Authentication/Google/src/GoogleOptions.cs b/src/Security/Authentication/Google/src/GoogleOptions.cs
index 5c8937d383db..9cc743ef5329 100644
--- a/src/Security/Authentication/Google/src/GoogleOptions.cs
+++ b/src/Security/Authentication/Google/src/GoogleOptions.cs
@@ -40,6 +40,6 @@ public GoogleOptions()
         /// Set the value to offline if your application needs to refresh access tokens when the user is not present at the browser.
         /// </para>
         /// </summary>
-        public string AccessType { get; set; }
+        public string? AccessType { get; set; }
     }
 }
diff --git a/src/Security/Authentication/Google/src/Microsoft.AspNetCore.Authentication.Google.csproj b/src/Security/Authentication/Google/src/Microsoft.AspNetCore.Authentication.Google.csproj
index e50623e37bab..04e062a02be9 100644
--- a/src/Security/Authentication/Google/src/Microsoft.AspNetCore.Authentication.Google.csproj
+++ b/src/Security/Authentication/Google/src/Microsoft.AspNetCore.Authentication.Google.csproj
@@ -5,6 +5,7 @@
     <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authentication;security</PackageTags>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/src/Security/Authentication/Google/src/PublicAPI.Unshipped.txt b/src/Security/Authentication/Google/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..905a0d62f0cd 100644
--- a/src/Security/Authentication/Google/src/PublicAPI.Unshipped.txt
+++ b/src/Security/Authentication/Google/src/PublicAPI.Unshipped.txt
@@ -1 +1,30 @@
 #nullable enable
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.AccessType.get -> string?
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.AccessType.set -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.ApprovalPrompt.get -> string?
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.ApprovalPrompt.set -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.GoogleChallengeProperties(System.Collections.Generic.IDictionary<string!, string?>! items) -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.GoogleChallengeProperties(System.Collections.Generic.IDictionary<string!, string?>! items, System.Collections.Generic.IDictionary<string!, object?>! parameters) -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.LoginHint.get -> string?
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.LoginHint.set -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.Prompt.get -> string?
+Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.Prompt.set -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleHandler.GoogleHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.Google.GoogleOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder, Microsoft.AspNetCore.Authentication.ISystemClock! clock) -> void
+Microsoft.AspNetCore.Authentication.Google.GoogleOptions.AccessType.get -> string?
+Microsoft.AspNetCore.Authentication.Google.GoogleOptions.AccessType.set -> void
+const Microsoft.AspNetCore.Authentication.Google.GoogleDefaults.AuthenticationScheme = "Google" -> string!
+override Microsoft.AspNetCore.Authentication.Google.GoogleHandler.BuildChallengeUrl(Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, string! redirectUri) -> string!
+override Microsoft.AspNetCore.Authentication.Google.GoogleHandler.CreateTicketAsync(System.Security.Claims.ClaimsIdentity! identity, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, Microsoft.AspNetCore.Authentication.OAuth.OAuthTokenResponse! tokens) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.AuthenticationTicket!>!
+static Microsoft.Extensions.DependencyInjection.GoogleExtensions.AddGoogle(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.GoogleExtensions.AddGoogle(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, System.Action<Microsoft.AspNetCore.Authentication.Google.GoogleOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.GoogleExtensions.AddGoogle(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, System.Action<Microsoft.AspNetCore.Authentication.Google.GoogleOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.GoogleExtensions.AddGoogle(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, string! displayName, System.Action<Microsoft.AspNetCore.Authentication.Google.GoogleOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.AccessTypeKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.ApprovalPromptKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.IncludeGrantedScopesKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.LoginHintKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleChallengeProperties.PromptParameterKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleDefaults.AuthorizationEndpoint -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleDefaults.DisplayName -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleDefaults.TokenEndpoint -> string!
+static readonly Microsoft.AspNetCore.Authentication.Google.GoogleDefaults.UserInformationEndpoint -> string!
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/AuthenticationFailedContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/AuthenticationFailedContext.cs
index a606b09720ea..4ac4ded97033 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/AuthenticationFailedContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/AuthenticationFailedContext.cs
@@ -23,11 +23,11 @@ public AuthenticationFailedContext(HttpContext context, AuthenticationScheme sch
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the exception associated with the failure.
         /// </summary>
-        public Exception Exception { get; set; }
+        public Exception Exception { get; set; } = default!;
     }
 }
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/AuthorizationCodeReceivedContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/AuthorizationCodeReceivedContext.cs
index 62f099a3cafb..0ce143d4288b 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/AuthorizationCodeReceivedContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/AuthorizationCodeReceivedContext.cs
@@ -26,22 +26,22 @@ public AuthorizationCodeReceivedContext(
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the <see cref="JwtSecurityToken"/> that was received in the authentication response, if any.
         /// </summary>
-        public JwtSecurityToken JwtSecurityToken { get; set; }
+        public JwtSecurityToken? JwtSecurityToken { get; set; }
 
         /// <summary>
         /// The request that will be sent to the token endpoint and is available for customization.
         /// </summary>
-        public OpenIdConnectMessage TokenEndpointRequest { get; set; }
+        public OpenIdConnectMessage? TokenEndpointRequest { get; set; }
 
         /// <summary>
         /// The configured communication channel to the identity provider for use when making custom requests to the token endpoint.
         /// </summary>
-        public HttpClient Backchannel { get; internal set; }
+        public HttpClient Backchannel { get; internal set; } = default!;
 
         /// <summary>
         /// If the developer chooses to redeem the code themselves then they can provide the resulting tokens here. This is the
@@ -49,7 +49,7 @@ public AuthorizationCodeReceivedContext(
         /// is required if one had not been previously received in the authorization response. An access token is optional
         /// if the handler is to contact the user-info endpoint.
         /// </summary>
-        public OpenIdConnectMessage TokenEndpointResponse { get; set; }
+        public OpenIdConnectMessage? TokenEndpointResponse { get; set; }
 
         /// <summary>
         /// Indicates if the developer choose to handle (or skip) the code redemption. If true then the handler will not attempt
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/MessageReceivedContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/MessageReceivedContext.cs
index db0c1385fbe9..362b07010606 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/MessageReceivedContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/MessageReceivedContext.cs
@@ -19,17 +19,17 @@ public MessageReceivedContext(
             HttpContext context,
             AuthenticationScheme scheme,
             OpenIdConnectOptions options,
-            AuthenticationProperties properties)
+            AuthenticationProperties? properties)
             : base(context, scheme, options, properties) { }
 
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// Bearer Token. This will give the application an opportunity to retrieve a token from an alternative location.
         /// </summary>
-        public string Token { get; set; }
+        public string? Token { get; set; }
     }
 }
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/RedirectContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/RedirectContext.cs
index 1971fb979a05..764e8c18f02d 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/RedirectContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/RedirectContext.cs
@@ -27,7 +27,7 @@ public RedirectContext(
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// If true, will skip any default logic for this redirect.
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/RemoteSignoutContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/RemoteSignoutContext.cs
index 8bb18ae8160a..49cc7aa82aa8 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/RemoteSignoutContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/RemoteSignoutContext.cs
@@ -15,13 +15,13 @@ public class RemoteSignOutContext : RemoteAuthenticationContext<OpenIdConnectOpt
         /// Initializes a new instance of <see cref="RemoteSignOutContext"/>.
         /// </summary>
         /// <inheritdoc />
-        public RemoteSignOutContext(HttpContext context, AuthenticationScheme scheme, OpenIdConnectOptions options, OpenIdConnectMessage message)
+        public RemoteSignOutContext(HttpContext context, AuthenticationScheme scheme, OpenIdConnectOptions options, OpenIdConnectMessage? message)
             : base(context, scheme, options, new AuthenticationProperties())
             => ProtocolMessage = message;
 
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage? ProtocolMessage { get; set; }
     }
 }
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/TokenResponseReceivedContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/TokenResponseReceivedContext.cs
index e2372f0b78e7..99df604acfe4 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/TokenResponseReceivedContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/TokenResponseReceivedContext.cs
@@ -22,11 +22,11 @@ public TokenResponseReceivedContext(HttpContext context, AuthenticationScheme sc
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/> that contains the tokens received after redeeming the code at the token endpoint.
         /// </summary>
-        public OpenIdConnectMessage TokenEndpointResponse { get; set; }
+        public OpenIdConnectMessage TokenEndpointResponse { get; set; } = default!;
     }
 }
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/TokenValidatedContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/TokenValidatedContext.cs
index 5b998d13b846..d3f8563c122f 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/TokenValidatedContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/TokenValidatedContext.cs
@@ -24,21 +24,21 @@ public TokenValidatedContext(HttpContext context, AuthenticationScheme scheme, O
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the validated security token.
         /// </summary>
-        public JwtSecurityToken SecurityToken { get; set; }
+        public JwtSecurityToken SecurityToken { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the token endpoint response.
         /// </summary>
-        public OpenIdConnectMessage TokenEndpointResponse { get; set; }
+        public OpenIdConnectMessage? TokenEndpointResponse { get; set; }
 
         /// <summary>
         /// Gets or sets the protocol nonce.
         /// </summary>
-        public string Nonce { get; set; }
+        public string? Nonce { get; set; }
     }
 }
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/UserInformationReceivedContext.cs b/src/Security/Authentication/OpenIdConnect/src/Events/UserInformationReceivedContext.cs
index bcd12bbc430c..6b6ce9714c9e 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Events/UserInformationReceivedContext.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/Events/UserInformationReceivedContext.cs
@@ -24,11 +24,11 @@ public UserInformationReceivedContext(HttpContext context, AuthenticationScheme
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectMessage"/>.
         /// </summary>
-        public OpenIdConnectMessage ProtocolMessage { get; set; }
+        public OpenIdConnectMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the user information payload.
         /// </summary>
-        public JsonDocument User { get; set; }
+        public JsonDocument User { get; set; } = default!;
     }
 }
diff --git a/src/Security/Authentication/OpenIdConnect/src/LoggingExtensions.cs b/src/Security/Authentication/OpenIdConnect/src/LoggingExtensions.cs
index d2ae62a5bdb9..2692942a495a 100644
--- a/src/Security/Authentication/OpenIdConnect/src/LoggingExtensions.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/LoggingExtensions.cs
@@ -7,58 +7,58 @@ namespace Microsoft.Extensions.Logging
 {
     internal static class LoggingExtensions
     {
-        private static Action<ILogger, Exception> _redirectToIdentityProviderForSignOutHandledResponse;
-        private static Action<ILogger, Exception> _redirectToIdentityProviderHandledResponse;
-        private static Action<ILogger, Exception> _signOutCallbackRedirectHandledResponse;
-        private static Action<ILogger, Exception> _signOutCallbackRedirectSkipped;
-        private static Action<ILogger, Exception> _updatingConfiguration;
-        private static Action<ILogger, Exception> _receivedIdToken;
-        private static Action<ILogger, Exception> _redeemingCodeForTokens;
-        private static Action<ILogger, string, Exception> _enteringOpenIdAuthenticationHandlerHandleRemoteAuthenticateAsync;
-        private static Action<ILogger, string, Exception> _enteringOpenIdAuthenticationHandlerHandleUnauthorizedAsync;
-        private static Action<ILogger, string, Exception> _enteringOpenIdAuthenticationHandlerHandleSignOutAsync;
-        private static Action<ILogger, string, Exception> _messageReceived;
-        private static Action<ILogger, Exception> _messageReceivedContextHandledResponse;
-        private static Action<ILogger, Exception> _messageReceivedContextSkipped;
-        private static Action<ILogger, Exception> _authorizationCodeReceived;
-        private static Action<ILogger, Exception> _configurationManagerRequestRefreshCalled;
-        private static Action<ILogger, Exception> _tokenResponseReceived;
-        private static Action<ILogger, Exception> _tokenValidatedHandledResponse;
-        private static Action<ILogger, Exception> _tokenValidatedSkipped;
-        private static Action<ILogger, Exception> _authenticationFailedContextHandledResponse;
-        private static Action<ILogger, Exception> _authenticationFailedContextSkipped;
-        private static Action<ILogger, Exception> _authorizationCodeReceivedContextHandledResponse;
-        private static Action<ILogger, Exception> _authorizationCodeReceivedContextSkipped;
-        private static Action<ILogger, Exception> _tokenResponseReceivedHandledResponse;
-        private static Action<ILogger, Exception> _tokenResponseReceivedSkipped;
-        private static Action<ILogger, string, Exception> _userInformationReceived;
-        private static Action<ILogger, Exception> _userInformationReceivedHandledResponse;
-        private static Action<ILogger, Exception> _userInformationReceivedSkipped;
-        private static Action<ILogger, string, Exception> _invalidLogoutQueryStringRedirectUrl;
-        private static Action<ILogger, Exception> _nullOrEmptyAuthorizationResponseState;
-        private static Action<ILogger, Exception> _unableToReadAuthorizationResponseState;
-        private static Action<ILogger, string, string, string, Exception> _responseError;
-        private static Action<ILogger, string, string, string, int, Exception> _responseErrorWithStatusCode;
+        private static Action<ILogger, Exception?> _redirectToIdentityProviderForSignOutHandledResponse;
+        private static Action<ILogger, Exception?> _redirectToIdentityProviderHandledResponse;
+        private static Action<ILogger, Exception?> _signOutCallbackRedirectHandledResponse;
+        private static Action<ILogger, Exception?> _signOutCallbackRedirectSkipped;
+        private static Action<ILogger, Exception?> _updatingConfiguration;
+        private static Action<ILogger, Exception?> _receivedIdToken;
+        private static Action<ILogger, Exception?> _redeemingCodeForTokens;
+        private static Action<ILogger, string, Exception?> _enteringOpenIdAuthenticationHandlerHandleRemoteAuthenticateAsync;
+        private static Action<ILogger, string, Exception?> _enteringOpenIdAuthenticationHandlerHandleUnauthorizedAsync;
+        private static Action<ILogger, string, Exception?> _enteringOpenIdAuthenticationHandlerHandleSignOutAsync;
+        private static Action<ILogger, string, Exception?> _messageReceived;
+        private static Action<ILogger, Exception?> _messageReceivedContextHandledResponse;
+        private static Action<ILogger, Exception?> _messageReceivedContextSkipped;
+        private static Action<ILogger, Exception?> _authorizationCodeReceived;
+        private static Action<ILogger, Exception?> _configurationManagerRequestRefreshCalled;
+        private static Action<ILogger, Exception?> _tokenResponseReceived;
+        private static Action<ILogger, Exception?> _tokenValidatedHandledResponse;
+        private static Action<ILogger, Exception?> _tokenValidatedSkipped;
+        private static Action<ILogger, Exception?> _authenticationFailedContextHandledResponse;
+        private static Action<ILogger, Exception?> _authenticationFailedContextSkipped;
+        private static Action<ILogger, Exception?> _authorizationCodeReceivedContextHandledResponse;
+        private static Action<ILogger, Exception?> _authorizationCodeReceivedContextSkipped;
+        private static Action<ILogger, Exception?> _tokenResponseReceivedHandledResponse;
+        private static Action<ILogger, Exception?> _tokenResponseReceivedSkipped;
+        private static Action<ILogger, string, Exception?> _userInformationReceived;
+        private static Action<ILogger, Exception?> _userInformationReceivedHandledResponse;
+        private static Action<ILogger, Exception?> _userInformationReceivedSkipped;
+        private static Action<ILogger, string, Exception?> _invalidLogoutQueryStringRedirectUrl;
+        private static Action<ILogger, Exception?> _nullOrEmptyAuthorizationResponseState;
+        private static Action<ILogger, Exception?> _unableToReadAuthorizationResponseState;
+        private static Action<ILogger, string, string, string, Exception?> _responseError;
+        private static Action<ILogger, string, string, string, int, Exception?> _responseErrorWithStatusCode;
         private static Action<ILogger, Exception> _exceptionProcessingMessage;
-        private static Action<ILogger, Exception> _accessTokenNotAvailable;
-        private static Action<ILogger, Exception> _retrievingClaims;
-        private static Action<ILogger, Exception> _userInfoEndpointNotSet;
+        private static Action<ILogger, Exception?> _accessTokenNotAvailable;
+        private static Action<ILogger, Exception?> _retrievingClaims;
+        private static Action<ILogger, Exception?> _userInfoEndpointNotSet;
         private static Action<ILogger, Exception> _unableToProtectNonceCookie;
-        private static Action<ILogger, string, Exception> _invalidAuthenticationRequestUrl;
-        private static Action<ILogger, string, Exception> _unableToReadIdToken;
-        private static Action<ILogger, string, Exception> _invalidSecurityTokenType;
-        private static Action<ILogger, string, Exception> _unableToValidateIdToken;
-        private static Action<ILogger, string, Exception> _postAuthenticationLocalRedirect;
-        private static Action<ILogger, string, Exception> _postSignOutRedirect;
-        private static Action<ILogger, Exception> _remoteSignOutHandledResponse;
-        private static Action<ILogger, Exception> _remoteSignOutSkipped;
-        private static Action<ILogger, Exception> _remoteSignOut;
-        private static Action<ILogger, Exception> _remoteSignOutSessionIdMissing;
-        private static Action<ILogger, Exception> _remoteSignOutSessionIdInvalid;
-        private static Action<ILogger, string, Exception> _authenticationSchemeSignedOut;
-        private static Action<ILogger, string, string, Exception> _handleChallenge;
-        private static Action<ILogger, Exception> _remoteSignOutIssuerMissing;
-        private static Action<ILogger, Exception> _remoteSignOutIssuerInvalid;
+        private static Action<ILogger, string, Exception?> _invalidAuthenticationRequestUrl;
+        private static Action<ILogger, string, Exception?> _unableToReadIdToken;
+        private static Action<ILogger, string?, Exception?> _invalidSecurityTokenType;
+        private static Action<ILogger, string, Exception?> _unableToValidateIdToken;
+        private static Action<ILogger, string, Exception?> _postAuthenticationLocalRedirect;
+        private static Action<ILogger, string, Exception?> _postSignOutRedirect;
+        private static Action<ILogger, Exception?> _remoteSignOutHandledResponse;
+        private static Action<ILogger, Exception?> _remoteSignOutSkipped;
+        private static Action<ILogger, Exception?> _remoteSignOut;
+        private static Action<ILogger, Exception?> _remoteSignOutSessionIdMissing;
+        private static Action<ILogger, Exception?> _remoteSignOutSessionIdInvalid;
+        private static Action<ILogger, string, Exception?> _authenticationSchemeSignedOut;
+        private static Action<ILogger, string, string, Exception?> _handleChallenge;
+        private static Action<ILogger, Exception?> _remoteSignOutIssuerMissing;
+        private static Action<ILogger, Exception?> _remoteSignOutIssuerInvalid;
 
         static LoggingExtensions()
         {
@@ -211,7 +211,7 @@ static LoggingExtensions()
                 eventId: new EventId(39, "AuthenticationFailedContextSkipped"),
                 logLevel: LogLevel.Debug,
                 formatString: "AuthenticationFailedContext.Skipped");
-            _invalidSecurityTokenType = LoggerMessage.Define<string>(
+            _invalidSecurityTokenType = LoggerMessage.Define<string?>(
                 eventId: new EventId(40, "InvalidSecurityTokenType"),
                 logLevel: LogLevel.Error,
                 formatString: "The Validated Security Token must be of type JwtSecurityToken, but instead its type is: '{SecurityTokenType}'");
@@ -454,7 +454,7 @@ public static void UnableToReadIdToken(this ILogger logger, string idToken)
             _unableToReadIdToken(logger, idToken, null);
         }
 
-        public static void InvalidSecurityTokenType(this ILogger logger, string tokenType)
+        public static void InvalidSecurityTokenType(this ILogger logger, string? tokenType)
         {
             _invalidSecurityTokenType(logger, tokenType, null);
         }
diff --git a/src/Security/Authentication/OpenIdConnect/src/Microsoft.AspNetCore.Authentication.OpenIdConnect.csproj b/src/Security/Authentication/OpenIdConnect/src/Microsoft.AspNetCore.Authentication.OpenIdConnect.csproj
index e6eb6574ce6c..b51566495afe 100644
--- a/src/Security/Authentication/OpenIdConnect/src/Microsoft.AspNetCore.Authentication.OpenIdConnect.csproj
+++ b/src/Security/Authentication/OpenIdConnect/src/Microsoft.AspNetCore.Authentication.OpenIdConnect.csproj
@@ -5,6 +5,7 @@
     <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authentication;security</PackageTags>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectChallengeProperties.cs b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectChallengeProperties.cs
index 4da0cb37bc99..0638b34ecd11 100644
--- a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectChallengeProperties.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectChallengeProperties.cs
@@ -30,7 +30,7 @@ public OpenIdConnectChallengeProperties()
         /// Initializes a new instance of <see cref="OpenIdConnectChallengeProperties"/>.
         /// </summary>
         /// <inheritdoc />
-        public OpenIdConnectChallengeProperties(IDictionary<string, string> items)
+        public OpenIdConnectChallengeProperties(IDictionary<string, string?> items)
             : base(items)
         { }
 
@@ -38,7 +38,7 @@ public OpenIdConnectChallengeProperties(IDictionary<string, string> items)
         /// Initializes a new instance of <see cref="OpenIdConnectChallengeProperties"/>.
         /// </summary>
         /// <inheritdoc />
-        public OpenIdConnectChallengeProperties(IDictionary<string, string> items, IDictionary<string, object> parameters)
+        public OpenIdConnectChallengeProperties(IDictionary<string, string?> items, IDictionary<string, object?> parameters)
             : base(items, parameters)
         { }
 
@@ -54,7 +54,7 @@ public TimeSpan? MaxAge
         /// <summary>
         /// The "prompt" parameter value being used for a challenge request.
         /// </summary>
-        public string Prompt
+        public string? Prompt
         {
             get => GetParameter<string>(PromptKey);
             set => SetParameter(PromptKey, value);
diff --git a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs
index a6bb4406d18f..15a7bdaa05ab 100644
--- a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs
@@ -34,7 +34,7 @@ public class OpenIdConnectHandler : RemoteAuthenticationHandler<OpenIdConnectOpt
         private const string NonceProperty = "N";
         private const string HeaderValueEpocDate = "Thu, 01 Jan 1970 00:00:00 GMT";
 
-        private OpenIdConnectConfiguration _configuration;
+        private OpenIdConnectConfiguration? _configuration;
 
         /// <summary>
         /// Gets the <see cref="HttpClient"/> used to communicate with the remote identity provider.
@@ -91,7 +91,7 @@ public override Task<bool> HandleRequestAsync()
         /// <inheritdoc />
         protected virtual async Task<bool> HandleRemoteSignOutAsync()
         {
-            OpenIdConnectMessage message = null;
+            OpenIdConnectMessage? message = null;
 
             if (HttpMethods.IsGet(Request.Method))
             {
@@ -186,7 +186,7 @@ protected virtual async Task<bool> HandleRemoteSignOutAsync()
         /// Redirect user to the identity provider for sign out
         /// </summary>
         /// <returns>A task executing the sign out procedure</returns>
-        public async virtual Task SignOutAsync(AuthenticationProperties properties)
+        public async virtual Task SignOutAsync(AuthenticationProperties? properties)
         {
             var target = ResolveTarget(Options.ForwardSignOut);
             if (target != null)
@@ -197,7 +197,7 @@ public async virtual Task SignOutAsync(AuthenticationProperties properties)
 
             properties ??= new AuthenticationProperties();
 
-            Logger.EnteringOpenIdAuthenticationHandlerHandleSignOutAsync(GetType().FullName);
+            Logger.EnteringOpenIdAuthenticationHandlerHandleSignOutAsync(GetType().FullName!);
 
             if (_configuration == null && Options.ConfigurationManager != null)
             {
@@ -293,7 +293,7 @@ public async virtual Task SignOutAsync(AuthenticationProperties properties)
         protected async virtual Task<bool> HandleSignOutCallbackAsync()
         {
             var message = new OpenIdConnectMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));
-            AuthenticationProperties properties = null;
+            AuthenticationProperties? properties = null;
             if (!string.IsNullOrEmpty(message.State))
             {
                 properties = Options.StateDataFormat.Unprotect(message.State);
@@ -354,7 +354,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
 
         private async Task HandleChallengeAsyncInternal(AuthenticationProperties properties)
         {
-            Logger.EnteringOpenIdAuthenticationHandlerHandleUnauthorizedAsync(GetType().FullName);
+            Logger.EnteringOpenIdAuthenticationHandlerHandleUnauthorizedAsync(GetType().FullName!);
 
             // order for local RedirectUri
             // 1. challenge.Properties.RedirectUri
@@ -492,9 +492,9 @@ private async Task HandleChallengeAsyncInternal(AuthenticationProperties propert
         /// <returns>An <see cref="HandleRequestResult"/>.</returns>
         protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync()
         {
-            Logger.EnteringOpenIdAuthenticationHandlerHandleRemoteAuthenticateAsync(GetType().FullName);
+            Logger.EnteringOpenIdAuthenticationHandlerHandleRemoteAuthenticateAsync(GetType().FullName!);
 
-            OpenIdConnectMessage authorizationResponse = null;
+            OpenIdConnectMessage? authorizationResponse = null;
 
             if (HttpMethods.IsGet(Request.Method))
             {
@@ -535,7 +535,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                 return HandleRequestResult.Fail("No message.");
             }
 
-            AuthenticationProperties properties = null;
+            AuthenticationProperties? properties = null;
             try
             {
                 properties = ReadPropertiesAndClearState(authorizationResponse);
@@ -611,9 +611,9 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
                 PopulateSessionProperties(authorizationResponse, properties);
 
-                ClaimsPrincipal user = null;
-                JwtSecurityToken jwt = null;
-                string nonce = null;
+                ClaimsPrincipal? user = null;
+                JwtSecurityToken? jwt = null;
+                string? nonce = null;
                 var validationParameters = Options.TokenValidationParameters.Clone();
 
                 // Hybrid or Implicit flow
@@ -648,30 +648,30 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                     Nonce = nonce
                 });
 
-                OpenIdConnectMessage tokenEndpointResponse = null;
+                OpenIdConnectMessage? tokenEndpointResponse = null;
 
                 // Authorization Code or Hybrid flow
                 if (!string.IsNullOrEmpty(authorizationResponse.Code))
                 {
-                    var authorizationCodeReceivedContext = await RunAuthorizationCodeReceivedEventAsync(authorizationResponse, user, properties, jwt);
+                    var authorizationCodeReceivedContext = await RunAuthorizationCodeReceivedEventAsync(authorizationResponse, user, properties!, jwt);
                     if (authorizationCodeReceivedContext.Result != null)
                     {
                         return authorizationCodeReceivedContext.Result;
                     }
                     authorizationResponse = authorizationCodeReceivedContext.ProtocolMessage;
-                    user = authorizationCodeReceivedContext.Principal;
-                    properties = authorizationCodeReceivedContext.Properties;
+                    user = authorizationCodeReceivedContext.Principal!;
+                    properties = authorizationCodeReceivedContext.Properties!;
                     var tokenEndpointRequest = authorizationCodeReceivedContext.TokenEndpointRequest;
                     // If the developer redeemed the code themselves...
                     tokenEndpointResponse = authorizationCodeReceivedContext.TokenEndpointResponse;
-                    jwt = authorizationCodeReceivedContext.JwtSecurityToken;
+                    jwt = authorizationCodeReceivedContext.JwtSecurityToken!;
 
                     if (!authorizationCodeReceivedContext.HandledCodeRedemption)
                     {
-                        tokenEndpointResponse = await RedeemAuthorizationCodeAsync(tokenEndpointRequest);
+                        tokenEndpointResponse = await RedeemAuthorizationCodeAsync(tokenEndpointRequest!);
                     }
 
-                    var tokenResponseReceivedContext = await RunTokenResponseReceivedEventAsync(authorizationResponse, tokenEndpointResponse, user, properties);
+                    var tokenResponseReceivedContext = await RunTokenResponseReceivedEventAsync(authorizationResponse, tokenEndpointResponse!, user, properties);
                     if (tokenResponseReceivedContext.Result != null)
                     {
                         return tokenResponseReceivedContext.Result;
@@ -680,7 +680,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                     authorizationResponse = tokenResponseReceivedContext.ProtocolMessage;
                     tokenEndpointResponse = tokenResponseReceivedContext.TokenEndpointResponse;
                     user = tokenResponseReceivedContext.Principal;
-                    properties = tokenResponseReceivedContext.Properties;
+                    properties = tokenResponseReceivedContext.Properties!;
 
                     // no need to validate signature when token is received using "code flow" as per spec
                     // [http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation].
@@ -706,7 +706,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                         }
                         authorizationResponse = tokenValidatedContext.ProtocolMessage;
                         tokenEndpointResponse = tokenValidatedContext.TokenEndpointResponse;
-                        user = tokenValidatedContext.Principal;
+                        user = tokenValidatedContext.Principal!;
                         properties = tokenValidatedContext.Properties;
                         jwt = tokenValidatedContext.SecurityToken;
                         nonce = tokenValidatedContext.Nonce;
@@ -736,18 +736,18 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
                 if (Options.SaveTokens)
                 {
-                    SaveTokens(properties, tokenEndpointResponse ?? authorizationResponse);
+                    SaveTokens(properties!, tokenEndpointResponse ?? authorizationResponse);
                 }
 
                 if (Options.GetClaimsFromUserInfoEndpoint)
                 {
-                    return await GetUserInformationAsync(tokenEndpointResponse ?? authorizationResponse, jwt, user, properties);
+                    return await GetUserInformationAsync(tokenEndpointResponse ?? authorizationResponse, jwt!, user!, properties!);
                 }
                 else
                 {
                     using (var payload = JsonDocument.Parse("{}"))
                     {
-                        var identity = (ClaimsIdentity)user.Identity;
+                        var identity = (ClaimsIdentity)user!.Identity!;
                         foreach (var action in Options.ClaimActions)
                         {
                             action.Run(payload.RootElement, identity, ClaimsIssuer);
@@ -781,9 +781,9 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             }
         }
 
-        private AuthenticationProperties ReadPropertiesAndClearState(OpenIdConnectMessage message)
+        private AuthenticationProperties? ReadPropertiesAndClearState(OpenIdConnectMessage message)
         {
-            AuthenticationProperties properties = null;
+            AuthenticationProperties? properties = null;
             if (!string.IsNullOrEmpty(message.State))
             {
                 properties = Options.StateDataFormat.Unprotect(message.State);
@@ -805,7 +805,7 @@ private void PopulateSessionProperties(OpenIdConnectMessage message, Authenticat
                 properties.Items[OpenIdConnectSessionProperties.SessionState] = message.SessionState;
             }
 
-            if (!string.IsNullOrEmpty(_configuration.CheckSessionIframe))
+            if (!string.IsNullOrEmpty(_configuration?.CheckSessionIframe))
             {
                 properties.Items[OpenIdConnectSessionProperties.CheckSessionIFrame] = _configuration.CheckSessionIframe;
             }
@@ -820,7 +820,7 @@ protected virtual async Task<OpenIdConnectMessage> RedeemAuthorizationCodeAsync(
         {
             Logger.RedeemingCodeForTokens();
 
-            var requestMessage = new HttpRequestMessage(HttpMethod.Post, tokenEndpointRequest.TokenEndpoint ?? _configuration.TokenEndpoint);
+            var requestMessage = new HttpRequestMessage(HttpMethod.Post, tokenEndpointRequest.TokenEndpoint ?? _configuration?.TokenEndpoint);
             requestMessage.Content = new FormUrlEncodedContent(tokenEndpointRequest.Parameters);
             requestMessage.Version = Backchannel.DefaultRequestVersion;
             var responseMessage = await Backchannel.SendAsync(requestMessage, Context.RequestAborted);
@@ -892,18 +892,18 @@ protected virtual async Task<HandleRequestResult> GetUserInformationAsync(
 
             JsonDocument user;
             var contentType = responseMessage.Content.Headers.ContentType;
-            if (contentType.MediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase))
+            if (contentType?.MediaType?.Equals("application/json", StringComparison.OrdinalIgnoreCase) ?? false)
             {
                 user = JsonDocument.Parse(userInfoResponse);
             }
-            else if (contentType.MediaType.Equals("application/jwt", StringComparison.OrdinalIgnoreCase))
+            else if (contentType?.MediaType?.Equals("application/jwt", StringComparison.OrdinalIgnoreCase) ?? false)
             {
                 var userInfoEndpointJwt = new JwtSecurityToken(userInfoResponse);
                 user = JsonDocument.Parse(userInfoEndpointJwt.Payload.SerializeToJson());
             }
             else
             {
-                return HandleRequestResult.Fail("Unknown response type: " + contentType.MediaType, properties);
+                return HandleRequestResult.Fail("Unknown response type: " + contentType?.MediaType, properties);
             }
 
             using (user)
@@ -913,8 +913,8 @@ protected virtual async Task<HandleRequestResult> GetUserInformationAsync(
                 {
                     return userInformationReceivedContext.Result;
                 }
-                principal = userInformationReceivedContext.Principal;
-                properties = userInformationReceivedContext.Properties;
+                principal = userInformationReceivedContext.Principal!;
+                properties = userInformationReceivedContext.Properties!;
                 using (var updatedUser = userInformationReceivedContext.User)
                 {
                     Options.ProtocolValidator.ValidateUserInfoResponse(new OpenIdConnectProtocolValidationContext()
@@ -923,7 +923,7 @@ protected virtual async Task<HandleRequestResult> GetUserInformationAsync(
                         ValidatedIdToken = jwt,
                     });
 
-                    var identity = (ClaimsIdentity)principal.Identity;
+                    var identity = (ClaimsIdentity)principal.Identity!;
 
                     foreach (var action in Options.ClaimActions)
                     {
@@ -1006,7 +1006,7 @@ private void WriteNonceCookie(string nonce)
         /// <returns>echos 'nonce' if a cookie is found that matches, null otherwise.</returns>
         /// <remarks>Examine <see cref="IRequestCookieCollection.Keys"/> of <see cref="HttpRequest.Cookies"/> that start with the prefix: 'OpenIdConnectAuthenticationDefaults.Nonce'.
         /// <see cref="M:ISecureDataFormat{TData}.Unprotect"/> of <see cref="OpenIdConnectOptions.StringDataFormat"/> is used to obtain the actual 'nonce'. If the nonce is found, then <see cref="M:IResponseCookies.Delete"/> of <see cref="HttpResponse.Cookies"/> is called.</remarks>
-        private string ReadNonceCookie(string nonce)
+        private string? ReadNonceCookie(string nonce)
         {
             if (nonce == null)
             {
@@ -1015,7 +1015,7 @@ private string ReadNonceCookie(string nonce)
 
             foreach (var nonceKey in Request.Cookies.Keys)
             {
-                if (nonceKey.StartsWith(Options.NonceCookie.Name, StringComparison.Ordinal))
+                if (Options.NonceCookie.Name is string name && nonceKey.StartsWith(name, StringComparison.Ordinal))
                 {
                     try
                     {
@@ -1037,7 +1037,7 @@ private string ReadNonceCookie(string nonce)
             return null;
         }
 
-        private async Task<MessageReceivedContext> RunMessageReceivedEventAsync(OpenIdConnectMessage message, AuthenticationProperties properties)
+        private async Task<MessageReceivedContext> RunMessageReceivedEventAsync(OpenIdConnectMessage message, AuthenticationProperties? properties)
         {
             Logger.MessageReceived(message.BuildRedirectUrl());
             var context = new MessageReceivedContext(Context, Scheme, Options, properties)
@@ -1061,7 +1061,7 @@ private async Task<MessageReceivedContext> RunMessageReceivedEventAsync(OpenIdCo
             return context;
         }
 
-        private async Task<TokenValidatedContext> RunTokenValidatedEventAsync(OpenIdConnectMessage authorizationResponse, OpenIdConnectMessage tokenEndpointResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt, string nonce)
+        private async Task<TokenValidatedContext> RunTokenValidatedEventAsync(OpenIdConnectMessage authorizationResponse, OpenIdConnectMessage? tokenEndpointResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt, string? nonce)
         {
             var context = new TokenValidatedContext(Context, Scheme, Options, user, properties)
             {
@@ -1087,7 +1087,7 @@ private async Task<TokenValidatedContext> RunTokenValidatedEventAsync(OpenIdConn
             return context;
         }
 
-        private async Task<AuthorizationCodeReceivedContext> RunAuthorizationCodeReceivedEventAsync(OpenIdConnectMessage authorizationResponse, ClaimsPrincipal user, AuthenticationProperties properties, JwtSecurityToken jwt)
+        private async Task<AuthorizationCodeReceivedContext> RunAuthorizationCodeReceivedEventAsync(OpenIdConnectMessage authorizationResponse, ClaimsPrincipal? user, AuthenticationProperties properties, JwtSecurityToken? jwt)
         {
             Logger.AuthorizationCodeReceived();
 
@@ -1164,7 +1164,7 @@ private async Task<TokenResponseReceivedContext> RunTokenResponseReceivedEventAs
 
         private async Task<UserInformationReceivedContext> RunUserInformationReceivedEventAsync(ClaimsPrincipal principal, AuthenticationProperties properties, OpenIdConnectMessage message, JsonDocument user)
         {
-            Logger.UserInformationReceived(user.ToString());
+            Logger.UserInformationReceived(user.ToString()!);
 
             var context = new UserInformationReceivedContext(Context, Scheme, Options, principal, properties)
             {
@@ -1231,8 +1231,11 @@ private ClaimsPrincipal ValidateToken(string idToken, AuthenticationProperties p
             }
 
             var principal = Options.SecurityTokenValidator.ValidateToken(idToken, validationParameters, out SecurityToken validatedToken);
-            jwt = validatedToken as JwtSecurityToken;
-            if (jwt == null)
+            if (validatedToken is JwtSecurityToken validatedJwt)
+            {
+                jwt = validatedJwt;
+            }
+            else
             {
                 Logger.InvalidSecurityTokenType(validatedToken?.GetType().ToString());
                 throw new SecurityTokenException(string.Format(CultureInfo.InvariantCulture, Resources.ValidatedSecurityTokenNotJwt, validatedToken?.GetType()));
@@ -1280,7 +1283,7 @@ private string BuildRedirectUriIfRelative(string uri)
             return BuildRedirectUri(uri);
         }
 
-        private OpenIdConnectProtocolException CreateOpenIdConnectProtocolException(OpenIdConnectMessage message, HttpResponseMessage response)
+        private OpenIdConnectProtocolException CreateOpenIdConnectProtocolException(OpenIdConnectMessage message, HttpResponseMessage? response)
         {
             var description = message.ErrorDescription ?? "error_description is null";
             var errorUri = message.ErrorUri ?? "error_uri is null";
diff --git a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs
index be344d047575..23596e722b0e 100644
--- a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs
@@ -109,29 +109,29 @@ public override void Validate()
         /// <summary>
         /// Gets or sets the Authority to use when making OpenIdConnect calls.
         /// </summary>
-        public string Authority { get; set; }
+        public string? Authority { get; set; }
 
         /// <summary>
         /// Gets or sets the 'client_id'.
         /// </summary>
-        public string ClientId { get; set; }
+        public string? ClientId { get; set; }
 
         /// <summary>
         /// Gets or sets the 'client_secret'.
         /// </summary>
-        public string ClientSecret { get; set; }
+        public string? ClientSecret { get; set; }
 
         /// <summary>
         /// Configuration provided directly by the developer. If provided, then MetadataAddress and the Backchannel properties
         /// will not be used. This information should not be updated during request processing.
         /// </summary>
-        public OpenIdConnectConfiguration Configuration { get; set; }
+        public OpenIdConnectConfiguration? Configuration { get; set; }
 
         /// <summary>
         /// Responsible for retrieving, caching, and refreshing the configuration from metadata.
         /// If not provided, then one will be created using the MetadataAddress and Backchannel properties.
         /// </summary>
-        public IConfigurationManager<OpenIdConnectConfiguration> ConfigurationManager { get; set; }
+        public IConfigurationManager<OpenIdConnectConfiguration>? ConfigurationManager { get; set; }
 
         /// <summary>
         /// Boolean to set whether the handler should go to user info endpoint to retrieve additional claims or not after creating an identity from id_token received from token endpoint.
@@ -153,7 +153,7 @@ public override void Validate()
         /// <summary>
         /// Gets or sets the discovery endpoint for obtaining metadata
         /// </summary>
-        public string MetadataAddress { get; set; }
+        public string? MetadataAddress { get; set; }
 
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectEvents"/> to notify when processing OpenIdConnect messages.
@@ -209,7 +209,7 @@ public override void Validate()
         /// <summary>
         /// Gets or sets the 'resource'.
         /// </summary>
-        public string Resource { get; set; }
+        public string? Resource { get; set; }
 
         /// <summary>
         /// Gets or sets the 'response_mode'.
@@ -224,7 +224,7 @@ public override void Validate()
         /// <summary>
         /// Gets or sets the 'prompt'.
         /// </summary>
-        public string Prompt { get; set; }
+        public string? Prompt { get; set; }
 
         /// <summary>
         /// Gets the list of permissions to request.
@@ -240,17 +240,17 @@ public override void Validate()
         /// The Authentication Scheme to use with SignOut on the SignOutPath. SignInScheme will be used if this
         /// is not set.
         /// </summary>
-        public string SignOutScheme { get; set; }
+        public string? SignOutScheme { get; set; }
 
         /// <summary>
         /// Gets or sets the type used to secure data handled by the handler.
         /// </summary>
-        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
+        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the type used to secure strings used by the handler.
         /// </summary>
-        public ISecureDataFormat<string> StringDataFormat { get; set; }
+        public ISecureDataFormat<string> StringDataFormat { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the <see cref="ISecurityTokenValidator"/> used to validate identity tokens.
diff --git a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectPostConfigureOptions.cs b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectPostConfigureOptions.cs
index 2425c8361491..5ab4f37014f4 100644
--- a/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectPostConfigureOptions.cs
+++ b/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectPostConfigureOptions.cs
@@ -44,15 +44,15 @@ public void PostConfigure(string name, OpenIdConnectOptions options)
             if (options.StateDataFormat == null)
             {
                 var dataProtector = options.DataProtectionProvider.CreateProtector(
-                    typeof(OpenIdConnectHandler).FullName, name, "v1");
+                    typeof(OpenIdConnectHandler).FullName!, name, "v1");
                 options.StateDataFormat = new PropertiesDataFormat(dataProtector);
             }
 
             if (options.StringDataFormat == null)
             {
                 var dataProtector = options.DataProtectionProvider.CreateProtector(
-                    typeof(OpenIdConnectHandler).FullName,
-                    typeof(string).FullName,
+                    typeof(OpenIdConnectHandler).FullName!,
+                    typeof(string).FullName!,
                     name,
                     "v1");
 
@@ -91,7 +91,7 @@ public void PostConfigure(string name, OpenIdConnectOptions options)
                         options.MetadataAddress += ".well-known/openid-configuration";
                     }
 
-                    if (options.RequireHttpsMetadata && !options.MetadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+                    if (options.RequireHttpsMetadata && !(options.MetadataAddress?.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ?? false))
                     {
                         throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
                     }
diff --git a/src/Security/Authentication/OpenIdConnect/src/PublicAPI.Unshipped.txt b/src/Security/Authentication/OpenIdConnect/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..b1c65c7419b2 100644
--- a/src/Security/Authentication/OpenIdConnect/src/PublicAPI.Unshipped.txt
+++ b/src/Security/Authentication/OpenIdConnect/src/PublicAPI.Unshipped.txt
@@ -1 +1,154 @@
 #nullable enable
+*REMOVED*~Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ConfigurationManager.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext.AuthenticationFailedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext.Exception.get -> System.Exception!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext.Exception.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.AuthorizationCodeReceivedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.Backchannel.get -> System.Net.Http.HttpClient!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.HandleCodeRedemption(Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage! tokenEndpointResponse) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.HandleCodeRedemption(string! accessToken, string! idToken) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.JwtSecurityToken.get -> System.IdentityModel.Tokens.Jwt.JwtSecurityToken?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.JwtSecurityToken.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.TokenEndpointRequest.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.TokenEndpointRequest.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.TokenEndpointResponse.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext.TokenEndpointResponse.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.Claims.UniqueJsonKeyClaimAction.UniqueJsonKeyClaimAction(string! claimType, string! valueType, string! jsonKey) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext.MessageReceivedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext.Token.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext.Token.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectChallengeProperties.OpenIdConnectChallengeProperties(System.Collections.Generic.IDictionary<string!, string?>! items) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectChallengeProperties.OpenIdConnectChallengeProperties(System.Collections.Generic.IDictionary<string!, string?>! items, System.Collections.Generic.IDictionary<string!, object?>! parameters) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectChallengeProperties.Prompt.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectChallengeProperties.Prompt.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnAuthenticationFailed.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnAuthenticationFailed.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnAuthorizationCodeReceived.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnAuthorizationCodeReceived.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnMessageReceived.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnMessageReceived.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnRedirectToIdentityProvider.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnRedirectToIdentityProvider.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnRedirectToIdentityProviderForSignOut.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnRedirectToIdentityProviderForSignOut.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnRemoteSignOut.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnRemoteSignOut.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnSignedOutCallbackRedirect.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnSignedOutCallbackRedirect.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnTokenResponseReceived.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnTokenResponseReceived.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnTokenValidated.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnTokenValidated.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnUserInformationReceived.get -> System.Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.OnUserInformationReceived.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.Backchannel.get -> System.Net.Http.HttpClient!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.Events.get -> Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.Events.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HtmlEncoder.get -> System.Text.Encodings.Web.HtmlEncoder!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.OpenIdConnectHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.HtmlEncoder! htmlEncoder, System.Text.Encodings.Web.UrlEncoder! encoder, Microsoft.AspNetCore.Authentication.ISystemClock! clock) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Authority.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Authority.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ClaimActions.get -> Microsoft.AspNetCore.Authentication.OAuth.Claims.ClaimActionCollection!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ClientId.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ClientId.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ClientSecret.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ClientSecret.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Configuration.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Configuration.set -> void
+~Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ConfigurationManager.get -> Microsoft.IdentityModel.Protocols.IConfigurationManager<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration!>?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Events.get -> Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Events.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.MetadataAddress.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.MetadataAddress.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.NonceCookie.get -> Microsoft.AspNetCore.Http.CookieBuilder!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.NonceCookie.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Prompt.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Prompt.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ProtocolValidator.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ProtocolValidator.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Resource.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Resource.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ResponseMode.get -> string!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ResponseMode.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ResponseType.get -> string!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.ResponseType.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.Scope.get -> System.Collections.Generic.ICollection<string!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SecurityTokenValidator.get -> Microsoft.IdentityModel.Tokens.ISecurityTokenValidator!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SecurityTokenValidator.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SignOutScheme.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SignOutScheme.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SignedOutRedirectUri.get -> string!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.SignedOutRedirectUri.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.StateDataFormat.get -> Microsoft.AspNetCore.Authentication.ISecureDataFormat<Microsoft.AspNetCore.Authentication.AuthenticationProperties!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.StateDataFormat.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.StringDataFormat.get -> Microsoft.AspNetCore.Authentication.ISecureDataFormat<string!>!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.StringDataFormat.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.TokenValidationParameters.get -> Microsoft.IdentityModel.Tokens.TokenValidationParameters!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.TokenValidationParameters.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectPostConfigureOptions.OpenIdConnectPostConfigureOptions(Microsoft.AspNetCore.DataProtection.IDataProtectionProvider! dataProtection) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectPostConfigureOptions.PostConfigure(string! name, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext.RedirectContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext.RemoteSignOutContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage? message) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext.TokenEndpointResponse.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext.TokenEndpointResponse.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext.TokenResponseReceivedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, System.Security.Claims.ClaimsPrincipal! user, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.Nonce.get -> string?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.Nonce.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.SecurityToken.get -> System.IdentityModel.Tokens.Jwt.JwtSecurityToken!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.SecurityToken.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.TokenEndpointResponse.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage?
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.TokenEndpointResponse.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.TokenValidatedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, System.Security.Claims.ClaimsPrincipal! principal, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext.User.get -> System.Text.Json.JsonDocument!
+Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext.User.set -> void
+Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext.UserInformationReceivedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions! options, System.Security.Claims.ClaimsPrincipal! principal, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+const Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.AuthenticationScheme = "OpenIdConnect" -> string!
+override Microsoft.AspNetCore.Authentication.OpenIdConnect.Claims.UniqueJsonKeyClaimAction.Run(System.Text.Json.JsonElement userData, System.Security.Claims.ClaimsIdentity! identity, string! issuer) -> void
+override Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.CreateEventsAsync() -> System.Threading.Tasks.Task<object!>!
+override Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> System.Threading.Tasks.Task!
+override Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync() -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.HandleRequestResult!>!
+override Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRequestAsync() -> System.Threading.Tasks.Task<bool>!
+static Microsoft.AspNetCore.Authentication.ClaimActionCollectionUniqueExtensions.MapUniqueJsonKey(this Microsoft.AspNetCore.Authentication.OAuth.Claims.ClaimActionCollection! collection, string! claimType, string! jsonKey) -> void
+static Microsoft.AspNetCore.Authentication.ClaimActionCollectionUniqueExtensions.MapUniqueJsonKey(this Microsoft.AspNetCore.Authentication.OAuth.Claims.ClaimActionCollection! collection, string! claimType, string! jsonKey, string! valueType) -> void
+static Microsoft.Extensions.DependencyInjection.OpenIdConnectExtensions.AddOpenIdConnect(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.OpenIdConnectExtensions.AddOpenIdConnect(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, System.Action<Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.OpenIdConnectExtensions.AddOpenIdConnect(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, System.Action<Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.OpenIdConnectExtensions.AddOpenIdConnect(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, string! displayName, System.Action<Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectChallengeProperties.MaxAgeKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectChallengeProperties.PromptKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.AuthenticationPropertiesKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.CookieNoncePrefix -> string!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.DisplayName -> string!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.RedirectUriForCodePropertiesKey -> string!
+static readonly Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.UserstatePropertiesKey -> string!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.AuthenticationFailed(Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthenticationFailedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.AuthorizationCodeReceived(Microsoft.AspNetCore.Authentication.OpenIdConnect.AuthorizationCodeReceivedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.MessageReceived(Microsoft.AspNetCore.Authentication.OpenIdConnect.MessageReceivedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.RedirectToIdentityProvider(Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.RedirectToIdentityProviderForSignOut(Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.RemoteSignOut(Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.SignedOutCallbackRedirect(Microsoft.AspNetCore.Authentication.OpenIdConnect.RemoteSignOutContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.TokenResponseReceived(Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenResponseReceivedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.TokenValidated(Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents.UserInformationReceived(Microsoft.AspNetCore.Authentication.OpenIdConnect.UserInformationReceivedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage! message, System.IdentityModel.Tokens.Jwt.JwtSecurityToken! jwt, System.Security.Claims.ClaimsPrincipal! principal, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.HandleRequestResult!>!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteSignOutAsync() -> System.Threading.Tasks.Task<bool>!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleSignOutCallbackAsync() -> System.Threading.Tasks.Task<bool>!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage! tokenEndpointRequest) -> System.Threading.Tasks.Task<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage!>!
+virtual Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.SignOutAsync(Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> System.Threading.Tasks.Task!
diff --git a/src/Security/Authentication/Twitter/src/LoggingExtensions.cs b/src/Security/Authentication/Twitter/src/LoggingExtensions.cs
index 69fdfe143e3c..c6a50793ae1b 100644
--- a/src/Security/Authentication/Twitter/src/LoggingExtensions.cs
+++ b/src/Security/Authentication/Twitter/src/LoggingExtensions.cs
@@ -7,9 +7,9 @@ namespace Microsoft.Extensions.Logging
 {
     internal static class LoggingExtensions
     {
-        private static Action<ILogger, Exception> _obtainRequestToken;
-        private static Action<ILogger, Exception> _obtainAccessToken;
-        private static Action<ILogger, Exception> _retrieveUserDetails;
+        private static Action<ILogger, Exception?> _obtainRequestToken;
+        private static Action<ILogger, Exception?> _obtainAccessToken;
+        private static Action<ILogger, Exception?> _retrieveUserDetails;
 
         static LoggingExtensions()
         {
diff --git a/src/Security/Authentication/Twitter/src/Messages/AccessToken.cs b/src/Security/Authentication/Twitter/src/Messages/AccessToken.cs
index 550163bec890..1d89697b6c5d 100644
--- a/src/Security/Authentication/Twitter/src/Messages/AccessToken.cs
+++ b/src/Security/Authentication/Twitter/src/Messages/AccessToken.cs
@@ -11,11 +11,11 @@ public class AccessToken : RequestToken
         /// <summary>
         /// Gets or sets the Twitter User ID.
         /// </summary>
-        public string UserId { get; set; }
+        public string UserId { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the Twitter screen name.
         /// </summary>
-        public string ScreenName { get; set; }
+        public string ScreenName { get; set; } = default!;
     }
 }
diff --git a/src/Security/Authentication/Twitter/src/Messages/RequestToken.cs b/src/Security/Authentication/Twitter/src/Messages/RequestToken.cs
index 5f637fed39b0..bc2434faf693 100644
--- a/src/Security/Authentication/Twitter/src/Messages/RequestToken.cs
+++ b/src/Security/Authentication/Twitter/src/Messages/RequestToken.cs
@@ -11,12 +11,12 @@ public class RequestToken
         /// <summary>
         /// Gets or sets the Twitter request token.
         /// </summary>
-        public string Token { get; set; }
+        public string Token { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the Twitter token secret.
         /// </summary>
-        public string TokenSecret { get; set; }
+        public string TokenSecret { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets whether the callback was confirmed.
@@ -26,6 +26,6 @@ public class RequestToken
         /// <summary>
         /// Gets or sets a property bag for common authentication properties.
         /// </summary>
-        public AuthenticationProperties Properties { get; set; }
+        public AuthenticationProperties Properties { get; set; } = default!;
     }
 }
diff --git a/src/Security/Authentication/Twitter/src/Messages/RequestTokenSerializer.cs b/src/Security/Authentication/Twitter/src/Messages/RequestTokenSerializer.cs
index f91a80ba2096..8b033cfbc7f7 100644
--- a/src/Security/Authentication/Twitter/src/Messages/RequestTokenSerializer.cs
+++ b/src/Security/Authentication/Twitter/src/Messages/RequestTokenSerializer.cs
@@ -36,7 +36,7 @@ public virtual byte[] Serialize(RequestToken model)
         /// </summary>
         /// <param name="data">A byte array containing the serialized token</param>
         /// <returns>The Twitter request token</returns>
-        public virtual RequestToken Deserialize(byte[] data)
+        public virtual RequestToken? Deserialize(byte[] data)
         {
             using (var memory = new MemoryStream(data))
             {
@@ -76,7 +76,7 @@ public static void Write(BinaryWriter writer, RequestToken token)
         /// </summary>
         /// <param name="reader">The reader to use in reading the token bytes</param>
         /// <returns>The token</returns>
-        public static RequestToken Read(BinaryReader reader)
+        public static RequestToken? Read(BinaryReader reader)
         {
             if (reader == null)
             {
@@ -91,7 +91,7 @@ public static RequestToken Read(BinaryReader reader)
             string token = reader.ReadString();
             string tokenSecret = reader.ReadString();
             bool callbackConfirmed = reader.ReadBoolean();
-            AuthenticationProperties properties = PropertiesSerializer.Default.Read(reader);
+            AuthenticationProperties? properties = PropertiesSerializer.Default.Read(reader);
             if (properties == null)
             {
                 return null;
diff --git a/src/Security/Authentication/Twitter/src/Microsoft.AspNetCore.Authentication.Twitter.csproj b/src/Security/Authentication/Twitter/src/Microsoft.AspNetCore.Authentication.Twitter.csproj
index 74950e202d30..194713d2ce3a 100644
--- a/src/Security/Authentication/Twitter/src/Microsoft.AspNetCore.Authentication.Twitter.csproj
+++ b/src/Security/Authentication/Twitter/src/Microsoft.AspNetCore.Authentication.Twitter.csproj
@@ -1,10 +1,11 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <Description>ASP.NET Core middleware that enables an application to support Twitter's OAuth 1.0 authentication workflow.</Description>
     <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authentication;security</PackageTags>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/src/Security/Authentication/Twitter/src/PublicAPI.Unshipped.txt b/src/Security/Authentication/Twitter/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..24ab5ae851dd 100644
--- a/src/Security/Authentication/Twitter/src/PublicAPI.Unshipped.txt
+++ b/src/Security/Authentication/Twitter/src/PublicAPI.Unshipped.txt
@@ -1 +1,54 @@
 #nullable enable
+*REMOVED*~Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ConsumerKey.get -> string
+*REMOVED*~Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ConsumerSecret.get -> string
+Microsoft.AspNetCore.Authentication.Twitter.AccessToken.ScreenName.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.AccessToken.ScreenName.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.AccessToken.UserId.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.AccessToken.UserId.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.RequestToken.Properties.get -> Microsoft.AspNetCore.Authentication.AuthenticationProperties!
+Microsoft.AspNetCore.Authentication.Twitter.RequestToken.Properties.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.RequestToken.Token.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.RequestToken.Token.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.RequestToken.TokenSecret.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.RequestToken.TokenSecret.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext.AccessToken.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext.AccessTokenSecret.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext.ScreenName.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext.TwitterCreatingTicketContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions! options, System.Security.Claims.ClaimsPrincipal! principal, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, string! userId, string! screenName, string! accessToken, string! accessTokenSecret, System.Text.Json.JsonElement user) -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext.UserId.get -> string!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents.OnCreatingTicket.get -> System.Func<Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents.OnCreatingTicket.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents.OnRedirectToAuthorizationEndpoint.get -> System.Func<Microsoft.AspNetCore.Authentication.RedirectContext<Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions!>!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents.OnRedirectToAuthorizationEndpoint.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.Events.get -> Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.Events.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.TwitterHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder, Microsoft.AspNetCore.Authentication.ISystemClock! clock) -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ClaimActions.get -> Microsoft.AspNetCore.Authentication.OAuth.Claims.ClaimActionCollection!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ConsumerKey.get -> string?
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ConsumerKey.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ConsumerSecret.get -> string?
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.ConsumerSecret.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.Events.get -> Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.Events.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.StateCookie.get -> Microsoft.AspNetCore.Http.CookieBuilder!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.StateCookie.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.StateDataFormat.get -> Microsoft.AspNetCore.Authentication.ISecureDataFormat<Microsoft.AspNetCore.Authentication.Twitter.RequestToken!>!
+Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions.StateDataFormat.set -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterPostConfigureOptions.PostConfigure(string! name, Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions! options) -> void
+Microsoft.AspNetCore.Authentication.Twitter.TwitterPostConfigureOptions.TwitterPostConfigureOptions(Microsoft.AspNetCore.DataProtection.IDataProtectionProvider! dataProtection) -> void
+const Microsoft.AspNetCore.Authentication.Twitter.TwitterDefaults.AuthenticationScheme = "Twitter" -> string!
+override Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.CreateEventsAsync() -> System.Threading.Tasks.Task<object!>!
+override Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.HandleChallengeAsync(Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> System.Threading.Tasks.Task!
+override Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.HandleRemoteAuthenticateAsync() -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.HandleRequestResult!>!
+static Microsoft.AspNetCore.Authentication.Twitter.RequestTokenSerializer.Read(System.IO.BinaryReader! reader) -> Microsoft.AspNetCore.Authentication.Twitter.RequestToken?
+static Microsoft.AspNetCore.Authentication.Twitter.RequestTokenSerializer.Write(System.IO.BinaryWriter! writer, Microsoft.AspNetCore.Authentication.Twitter.RequestToken! token) -> void
+static Microsoft.Extensions.DependencyInjection.TwitterExtensions.AddTwitter(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.TwitterExtensions.AddTwitter(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, System.Action<Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.TwitterExtensions.AddTwitter(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, System.Action<Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.TwitterExtensions.AddTwitter(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, string! displayName, System.Action<Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static readonly Microsoft.AspNetCore.Authentication.Twitter.TwitterDefaults.DisplayName -> string!
+virtual Microsoft.AspNetCore.Authentication.Twitter.RequestTokenSerializer.Deserialize(byte[]! data) -> Microsoft.AspNetCore.Authentication.Twitter.RequestToken?
+virtual Microsoft.AspNetCore.Authentication.Twitter.RequestTokenSerializer.Serialize(Microsoft.AspNetCore.Authentication.Twitter.RequestToken! model) -> byte[]!
+virtual Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents.CreatingTicket(Microsoft.AspNetCore.Authentication.Twitter.TwitterCreatingTicketContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.Twitter.TwitterEvents.RedirectToAuthorizationEndpoint(Microsoft.AspNetCore.Authentication.RedirectContext<Microsoft.AspNetCore.Authentication.Twitter.TwitterOptions!>! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.Twitter.TwitterHandler.CreateTicketAsync(System.Security.Claims.ClaimsIdentity! identity, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, Microsoft.AspNetCore.Authentication.Twitter.AccessToken! token, System.Text.Json.JsonElement user) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.AuthenticationTicket!>!
diff --git a/src/Security/Authentication/Twitter/src/TwitterError.cs b/src/Security/Authentication/Twitter/src/TwitterError.cs
index b1d4f8a7fa0f..f429096861af 100644
--- a/src/Security/Authentication/Twitter/src/TwitterError.cs
+++ b/src/Security/Authentication/Twitter/src/TwitterError.cs
@@ -9,6 +9,6 @@ namespace Microsoft.AspNetCore.Authentication.Twitter
     internal class TwitterError
     {
         public int Code { get; set; }
-        public string Message { get; set; }
+        public string? Message { get; set; }
     }
 }
diff --git a/src/Security/Authentication/Twitter/src/TwitterErrorResponse.cs b/src/Security/Authentication/Twitter/src/TwitterErrorResponse.cs
index 160aa3c9a943..8e74dedf6215 100644
--- a/src/Security/Authentication/Twitter/src/TwitterErrorResponse.cs
+++ b/src/Security/Authentication/Twitter/src/TwitterErrorResponse.cs
@@ -8,6 +8,6 @@ namespace Microsoft.AspNetCore.Authentication.Twitter
 {
     internal class TwitterErrorResponse
     {
-        public List<TwitterError> Errors { get; set; }
+        public List<TwitterError>? Errors { get; set; }
     }
 }
diff --git a/src/Security/Authentication/Twitter/src/TwitterHandler.cs b/src/Security/Authentication/Twitter/src/TwitterHandler.cs
index ed14d47ec62d..db3a7fc83d9c 100644
--- a/src/Security/Authentication/Twitter/src/TwitterHandler.cs
+++ b/src/Security/Authentication/Twitter/src/TwitterHandler.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Globalization;
 using System.Linq;
 using System.Net.Http;
@@ -59,7 +60,7 @@ public TwitterHandler(IOptionsMonitor<TwitterOptions> options, ILoggerFactory lo
         protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync()
         {
             var query = Request.Query;
-            var protectedRequestToken = Request.Cookies[Options.StateCookie.Name];
+            var protectedRequestToken = Request.Cookies[Options.StateCookie.Name!];
 
             var requestToken = Options.StateDataFormat.Unprotect(protectedRequestToken);
 
@@ -101,7 +102,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
 
             var cookieOptions = Options.StateCookie.Build(Context, Clock.UtcNow);
 
-            Response.Cookies.Delete(Options.StateCookie.Name, cookieOptions);
+            Response.Cookies.Delete(Options.StateCookie.Name!, cookieOptions);
 
             var accessToken = await ObtainAccessTokenAsync(requestToken, oauthVerifier);
 
@@ -158,7 +159,7 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(
             var context = new TwitterCreatingTicketContext(Context, Scheme, Options, new ClaimsPrincipal(identity), properties, token.UserId, token.ScreenName, token.Token, token.TokenSecret, user);
             await Events.CreatingTicket(context);
 
-            return new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
+            return new AuthenticationTicket(context.Principal!, context.Properties, Scheme.Name);
         }
 
         /// <inheritdoc />
@@ -175,17 +176,17 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
 
             var cookieOptions = Options.StateCookie.Build(Context, Clock.UtcNow);
 
-            Response.Cookies.Append(Options.StateCookie.Name, Options.StateDataFormat.Protect(requestToken), cookieOptions);
+            Response.Cookies.Append(Options.StateCookie.Name!, Options.StateDataFormat.Protect(requestToken), cookieOptions);
 
             var redirectContext = new RedirectContext<TwitterOptions>(Context, Scheme, Options, properties, twitterAuthenticationEndpoint);
             await Events.RedirectToAuthorizationEndpoint(redirectContext);
         }
 
-        private async Task<HttpResponseMessage> ExecuteRequestAsync(string url, HttpMethod httpMethod, RequestToken accessToken = null, Dictionary<string, string> extraOAuthPairs = null, Dictionary<string, string> queryParameters = null, Dictionary<string, string> formData = null)
+        private async Task<HttpResponseMessage> ExecuteRequestAsync(string url, HttpMethod httpMethod, RequestToken? accessToken = null, Dictionary<string, string>? extraOAuthPairs = null, Dictionary<string, string>? queryParameters = null, Dictionary<string, string>? formData = null)
         {
             var authorizationParts = new SortedDictionary<string, string>(extraOAuthPairs ?? new Dictionary<string, string>())
             {
-                { "oauth_consumer_key", Options.ConsumerKey },
+                { "oauth_consumer_key", Options.ConsumerKey! },
                 { "oauth_nonce", Guid.NewGuid().ToString("N") },
                 { "oauth_signature_method", "HMAC-SHA1" },
                 { "oauth_timestamp", GenerateTimeStamp() },
@@ -228,7 +229,7 @@ private async Task<HttpResponseMessage> ExecuteRequestAsync(string url, HttpMeth
             canonicalizedRequestBuilder.Append('&');
             canonicalizedRequestBuilder.Append(Uri.EscapeDataString(parameterString));
 
-            var signature = ComputeSignature(Options.ConsumerSecret, accessToken?.TokenSecret, canonicalizedRequestBuilder.ToString());
+            var signature = ComputeSignature(Options.ConsumerSecret!, accessToken?.TokenSecret, canonicalizedRequestBuilder.ToString());
             authorizationParts.Add("oauth_signature", signature);
 
             var queryString = "";
@@ -259,7 +260,7 @@ private async Task<HttpResponseMessage> ExecuteRequestAsync(string url, HttpMeth
 
             if (formData != null)
             {
-                request.Content = new FormUrlEncodedContent(formData);
+                request.Content = new FormUrlEncodedContent(formData!);
             }
 
             return await Backchannel.SendAsync(request, Context.RequestAborted);
@@ -334,7 +335,7 @@ private string GenerateTimeStamp()
             return Convert.ToInt64(secondsSinceUnixEpocStart.TotalSeconds).ToString(CultureInfo.InvariantCulture);
         }
 
-        private static string ComputeSignature(string consumerSecret, string tokenSecret, string signatureData)
+        private static string ComputeSignature(string consumerSecret, string? tokenSecret, string signatureData)
         {
             using (var algorithm = new HMACSHA1())
             {
@@ -359,7 +360,7 @@ private async Task EnsureTwitterRequestSuccess(HttpResponseMessage response)
                 return;
             }
 
-            TwitterErrorResponse errorResponse;
+            TwitterErrorResponse? errorResponse;
             try
             {
                 // Failure, attempt to parse Twitters error message
@@ -382,10 +383,13 @@ private async Task EnsureTwitterRequestSuccess(HttpResponseMessage response)
 
             var errorMessageStringBuilder = new StringBuilder("An error has occurred while calling the Twitter API, error's returned:");
 
-            foreach (var error in errorResponse.Errors)
+            if (errorResponse.Errors != null)
             {
-                errorMessageStringBuilder.Append(Environment.NewLine);
-                errorMessageStringBuilder.Append($"Code: {error.Code}, Message: '{error.Message}'");
+                foreach (var error in errorResponse.Errors)
+                {
+                    errorMessageStringBuilder.Append(Environment.NewLine);
+                    errorMessageStringBuilder.Append($"Code: {error.Code}, Message: '{error.Message}'");
+                }
             }
 
             throw new InvalidOperationException(errorMessageStringBuilder.ToString());
diff --git a/src/Security/Authentication/Twitter/src/TwitterOptions.cs b/src/Security/Authentication/Twitter/src/TwitterOptions.cs
index 269516ae1adb..0487a1fa761f 100644
--- a/src/Security/Authentication/Twitter/src/TwitterOptions.cs
+++ b/src/Security/Authentication/Twitter/src/TwitterOptions.cs
@@ -43,13 +43,13 @@ public TwitterOptions()
         /// Gets or sets the consumer key used to communicate with Twitter.
         /// </summary>
         /// <value>The consumer key used to communicate with Twitter.</value>
-        public string ConsumerKey { get; set; }
+        public string? ConsumerKey { get; set; }
 
         /// <summary>
         /// Gets or sets the consumer secret used to sign requests to Twitter.
         /// </summary>
         /// <value>The consumer secret used to sign requests to Twitter.</value>
-        public string ConsumerSecret { get; set; }
+        public string? ConsumerSecret { get; set; }
 
         /// <summary>
         /// Enables the retrieval user details during the authentication process, including
@@ -67,7 +67,7 @@ public TwitterOptions()
         /// <summary>
         /// Gets or sets the type used to secure data handled by the handler.
         /// </summary>
-        public ISecureDataFormat<RequestToken> StateDataFormat { get; set; }
+        public ISecureDataFormat<RequestToken> StateDataFormat { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the <see cref="TwitterEvents"/> used to handle authentication events.
diff --git a/src/Security/Authentication/Twitter/src/TwitterPostConfigureOptions.cs b/src/Security/Authentication/Twitter/src/TwitterPostConfigureOptions.cs
index 91b6eeedebd0..5cf27bed476e 100644
--- a/src/Security/Authentication/Twitter/src/TwitterPostConfigureOptions.cs
+++ b/src/Security/Authentication/Twitter/src/TwitterPostConfigureOptions.cs
@@ -35,7 +35,7 @@ public void PostConfigure(string name, TwitterOptions options)
             if (options.StateDataFormat == null)
             {
                 var dataProtector = options.DataProtectionProvider.CreateProtector(
-                    typeof(TwitterHandler).FullName, name, "v1");
+                    typeof(TwitterHandler).FullName!, name, "v1");
                 options.StateDataFormat = new SecureDataFormat<RequestToken>(
                     new RequestTokenSerializer(),
                     dataProtector);
diff --git a/src/Security/Authentication/WsFederation/src/AuthenticationFailedContext.cs b/src/Security/Authentication/WsFederation/src/AuthenticationFailedContext.cs
index f643fad97f0e..5edb943b5e8e 100644
--- a/src/Security/Authentication/WsFederation/src/AuthenticationFailedContext.cs
+++ b/src/Security/Authentication/WsFederation/src/AuthenticationFailedContext.cs
@@ -25,11 +25,11 @@ public AuthenticationFailedContext(HttpContext context, AuthenticationScheme sch
         /// <summary>
         /// The <see cref="WsFederationMessage"/> from the request, if any.
         /// </summary>
-        public WsFederationMessage ProtocolMessage { get; set; }
+        public WsFederationMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// The <see cref="Exception"/> that triggered this event.
         /// </summary>
-        public Exception Exception { get; set; }
+        public Exception Exception { get; set; } = default!;
     }
-}
\ No newline at end of file
+}
diff --git a/src/Security/Authentication/WsFederation/src/LoggingExtensions.cs b/src/Security/Authentication/WsFederation/src/LoggingExtensions.cs
index 270dd6ffce18..8976c21bff27 100644
--- a/src/Security/Authentication/WsFederation/src/LoggingExtensions.cs
+++ b/src/Security/Authentication/WsFederation/src/LoggingExtensions.cs
@@ -7,13 +7,13 @@ namespace Microsoft.Extensions.Logging
 {
     internal static class LoggingExtensions
     {
-        private static Action<ILogger, Exception> _signInWithoutWResult;
-        private static Action<ILogger, Exception> _signInWithoutToken;
+        private static Action<ILogger, Exception?> _signInWithoutWResult;
+        private static Action<ILogger, Exception?> _signInWithoutToken;
         private static Action<ILogger, Exception> _exceptionProcessingMessage;
-        private static Action<ILogger, string, Exception> _malformedRedirectUri;
-        private static Action<ILogger, Exception> _remoteSignOutHandledResponse;
-        private static Action<ILogger, Exception> _remoteSignOutSkipped;
-        private static Action<ILogger, Exception> _remoteSignOut;
+        private static Action<ILogger, string, Exception?> _malformedRedirectUri;
+        private static Action<ILogger, Exception?> _remoteSignOutHandledResponse;
+        private static Action<ILogger, Exception?> _remoteSignOutSkipped;
+        private static Action<ILogger, Exception?> _remoteSignOut;
 
         static LoggingExtensions()
         {
diff --git a/src/Security/Authentication/WsFederation/src/MessageReceivedContext.cs b/src/Security/Authentication/WsFederation/src/MessageReceivedContext.cs
index 4028fa5e3c83..94dd448114a0 100644
--- a/src/Security/Authentication/WsFederation/src/MessageReceivedContext.cs
+++ b/src/Security/Authentication/WsFederation/src/MessageReceivedContext.cs
@@ -22,12 +22,12 @@ public MessageReceivedContext(
             HttpContext context,
             AuthenticationScheme scheme,
             WsFederationOptions options,
-            AuthenticationProperties properties)
+            AuthenticationProperties? properties)
             : base(context, scheme, options, properties) { }
 
         /// <summary>
         /// The <see cref="WsFederationMessage"/> received on this request.
         /// </summary>
-        public WsFederationMessage ProtocolMessage { get; set; }
+        public WsFederationMessage ProtocolMessage { get; set; } = default!;
     }
-}
\ No newline at end of file
+}
diff --git a/src/Security/Authentication/WsFederation/src/Microsoft.AspNetCore.Authentication.WsFederation.csproj b/src/Security/Authentication/WsFederation/src/Microsoft.AspNetCore.Authentication.WsFederation.csproj
index cb8c41d10840..f14899cafe6c 100644
--- a/src/Security/Authentication/WsFederation/src/Microsoft.AspNetCore.Authentication.WsFederation.csproj
+++ b/src/Security/Authentication/WsFederation/src/Microsoft.AspNetCore.Authentication.WsFederation.csproj
@@ -5,6 +5,7 @@
     <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <PackageTags>aspnetcore;authentication;security</PackageTags>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt b/src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..ab3bc9f534ea 100644
--- a/src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt
+++ b/src/Security/Authentication/WsFederation/src/PublicAPI.Unshipped.txt
@@ -1 +1,80 @@
 #nullable enable
+Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext.AuthenticationFailedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext.Exception.get -> System.Exception!
+Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext.Exception.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage!
+Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.MessageReceivedContext.MessageReceivedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options, Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.MessageReceivedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage!
+Microsoft.AspNetCore.Authentication.WsFederation.MessageReceivedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.RedirectContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage!
+Microsoft.AspNetCore.Authentication.WsFederation.RedirectContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.RedirectContext.RedirectContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options, Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.RemoteSignOutContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage!
+Microsoft.AspNetCore.Authentication.WsFederation.RemoteSignOutContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.RemoteSignOutContext.RemoteSignOutContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options, Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage! message) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenReceivedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage!
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenReceivedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenReceivedContext.SecurityTokenReceivedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext.ProtocolMessage.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationMessage!
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext.ProtocolMessage.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext.SecurityToken.get -> Microsoft.IdentityModel.Tokens.SecurityToken?
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext.SecurityToken.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext.SecurityTokenValidatedContext(Microsoft.AspNetCore.Http.HttpContext! context, Microsoft.AspNetCore.Authentication.AuthenticationScheme! scheme, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options, System.Security.Claims.ClaimsPrincipal! principal, Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnAuthenticationFailed.get -> System.Func<Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnAuthenticationFailed.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnMessageReceived.get -> System.Func<Microsoft.AspNetCore.Authentication.WsFederation.MessageReceivedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnMessageReceived.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnRedirectToIdentityProvider.get -> System.Func<Microsoft.AspNetCore.Authentication.WsFederation.RedirectContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnRedirectToIdentityProvider.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnRemoteSignOut.get -> System.Func<Microsoft.AspNetCore.Authentication.WsFederation.RemoteSignOutContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnRemoteSignOut.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnSecurityTokenReceived.get -> System.Func<Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenReceivedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnSecurityTokenReceived.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnSecurityTokenValidated.get -> System.Func<Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext!, System.Threading.Tasks.Task!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.OnSecurityTokenValidated.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.Events.get -> Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.Events.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.WsFederationHandler(Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! options, Microsoft.Extensions.Logging.ILoggerFactory! logger, System.Text.Encodings.Web.UrlEncoder! encoder, Microsoft.AspNetCore.Authentication.ISystemClock! clock) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Configuration.get -> Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration?
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Configuration.set -> void
+~Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.ConfigurationManager.get -> Microsoft.IdentityModel.Protocols.IConfigurationManager<Microsoft.IdentityModel.Protocols.WsFederation.WsFederationConfiguration!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Events.get -> Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Events.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.MetadataAddress.get -> string?
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.MetadataAddress.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SecurityTokenHandlers.get -> System.Collections.Generic.ICollection<Microsoft.IdentityModel.Tokens.ISecurityTokenValidator!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SecurityTokenHandlers.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SignOutScheme.get -> string?
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SignOutScheme.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SignOutWreply.get -> string?
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.SignOutWreply.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.StateDataFormat.get -> Microsoft.AspNetCore.Authentication.ISecureDataFormat<Microsoft.AspNetCore.Authentication.AuthenticationProperties!>!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.StateDataFormat.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.TokenValidationParameters.get -> Microsoft.IdentityModel.Tokens.TokenValidationParameters!
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.TokenValidationParameters.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Wreply.get -> string?
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Wreply.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Wtrealm.get -> string?
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions.Wtrealm.set -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationPostConfigureOptions.PostConfigure(string! name, Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions! options) -> void
+Microsoft.AspNetCore.Authentication.WsFederation.WsFederationPostConfigureOptions.WsFederationPostConfigureOptions(Microsoft.AspNetCore.DataProtection.IDataProtectionProvider! dataProtection) -> void
+const Microsoft.AspNetCore.Authentication.WsFederation.WsFederationDefaults.AuthenticationScheme = "WsFederation" -> string!
+const Microsoft.AspNetCore.Authentication.WsFederation.WsFederationDefaults.DisplayName = "WsFederation" -> string!
+override Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.CreateEventsAsync() -> System.Threading.Tasks.Task<object!>!
+override Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleChallengeAsync(Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties) -> System.Threading.Tasks.Task!
+override Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteAuthenticateAsync() -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authentication.HandleRequestResult!>!
+override Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRequestAsync() -> System.Threading.Tasks.Task<bool>!
+static Microsoft.Extensions.DependencyInjection.WsFederationExtensions.AddWsFederation(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.WsFederationExtensions.AddWsFederation(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, System.Action<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.WsFederationExtensions.AddWsFederation(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, System.Action<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static Microsoft.Extensions.DependencyInjection.WsFederationExtensions.AddWsFederation(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder! builder, string! authenticationScheme, string! displayName, System.Action<Microsoft.AspNetCore.Authentication.WsFederation.WsFederationOptions!>! configureOptions) -> Microsoft.AspNetCore.Authentication.AuthenticationBuilder!
+static readonly Microsoft.AspNetCore.Authentication.WsFederation.WsFederationDefaults.UserstatePropertiesKey -> string!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.AuthenticationFailed(Microsoft.AspNetCore.Authentication.WsFederation.AuthenticationFailedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.MessageReceived(Microsoft.AspNetCore.Authentication.WsFederation.MessageReceivedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.RedirectToIdentityProvider(Microsoft.AspNetCore.Authentication.WsFederation.RedirectContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.RemoteSignOut(Microsoft.AspNetCore.Authentication.WsFederation.RemoteSignOutContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.SecurityTokenReceived(Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenReceivedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationEvents.SecurityTokenValidated(Microsoft.AspNetCore.Authentication.WsFederation.SecurityTokenValidatedContext! context) -> System.Threading.Tasks.Task!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.HandleRemoteSignOutAsync() -> System.Threading.Tasks.Task<bool>!
+virtual Microsoft.AspNetCore.Authentication.WsFederation.WsFederationHandler.SignOutAsync(Microsoft.AspNetCore.Authentication.AuthenticationProperties? properties) -> System.Threading.Tasks.Task!
diff --git a/src/Security/Authentication/WsFederation/src/RedirectContext.cs b/src/Security/Authentication/WsFederation/src/RedirectContext.cs
index 654037d0a8d8..639e1e25973d 100644
--- a/src/Security/Authentication/WsFederation/src/RedirectContext.cs
+++ b/src/Security/Authentication/WsFederation/src/RedirectContext.cs
@@ -23,13 +23,13 @@ public RedirectContext(
             HttpContext context,
             AuthenticationScheme scheme,
             WsFederationOptions options,
-            AuthenticationProperties properties)
+            AuthenticationProperties? properties)
             : base(context, scheme, options, properties) { }
 
         /// <summary>
         /// The <see cref="WsFederationMessage"/> used to compose the redirect.
         /// </summary>
-        public WsFederationMessage ProtocolMessage { get; set; }
+        public WsFederationMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// If true, will skip any default logic for this redirect.
@@ -41,4 +41,4 @@ public RedirectContext(
         /// </summary>
         public void HandleResponse() => Handled = true;
     }
-}
\ No newline at end of file
+}
diff --git a/src/Security/Authentication/WsFederation/src/SecurityTokenReceivedContext.cs b/src/Security/Authentication/WsFederation/src/SecurityTokenReceivedContext.cs
index 311f41515fab..b84fbae403bc 100644
--- a/src/Security/Authentication/WsFederation/src/SecurityTokenReceivedContext.cs
+++ b/src/Security/Authentication/WsFederation/src/SecurityTokenReceivedContext.cs
@@ -23,6 +23,6 @@ public SecurityTokenReceivedContext(HttpContext context, AuthenticationScheme sc
         /// <summary>
         /// The <see cref="WsFederationMessage"/> received on this request.
         /// </summary>
-        public WsFederationMessage ProtocolMessage { get; set; }
+        public WsFederationMessage ProtocolMessage { get; set; } = default!;
     }
 }
diff --git a/src/Security/Authentication/WsFederation/src/SecurityTokenValidatedContext.cs b/src/Security/Authentication/WsFederation/src/SecurityTokenValidatedContext.cs
index 1f32014b6c63..7821ca775e85 100644
--- a/src/Security/Authentication/WsFederation/src/SecurityTokenValidatedContext.cs
+++ b/src/Security/Authentication/WsFederation/src/SecurityTokenValidatedContext.cs
@@ -24,11 +24,11 @@ public SecurityTokenValidatedContext(HttpContext context, AuthenticationScheme s
         /// <summary>
         /// The <see cref="WsFederationMessage"/> received on this request.
         /// </summary>
-        public WsFederationMessage ProtocolMessage { get; set; }
+        public WsFederationMessage ProtocolMessage { get; set; } = default!;
 
         /// <summary>
         /// The <see cref="SecurityToken"/> that was validated.
         /// </summary>
-        public SecurityToken SecurityToken { get; set; }
+        public SecurityToken? SecurityToken { get; set; }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Security/Authentication/WsFederation/src/WsFederationHandler.cs b/src/Security/Authentication/WsFederation/src/WsFederationHandler.cs
index cffa79dc81a8..851f19b335f6 100644
--- a/src/Security/Authentication/WsFederation/src/WsFederationHandler.cs
+++ b/src/Security/Authentication/WsFederation/src/WsFederationHandler.cs
@@ -21,7 +21,7 @@ namespace Microsoft.AspNetCore.Authentication.WsFederation
     public class WsFederationHandler : RemoteAuthenticationHandler<WsFederationOptions>, IAuthenticationSignOutHandler
     {
         private const string CorrelationProperty = ".xsrf";
-        private WsFederationConfiguration _configuration;
+        private WsFederationConfiguration? _configuration;
 
         /// <summary>
         /// Creates a new WsFederationAuthenticationHandler
@@ -138,8 +138,8 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
         /// <returns></returns>
         protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync()
         {
-            WsFederationMessage wsFederationMessage = null;
-            AuthenticationProperties properties = null;
+            WsFederationMessage? wsFederationMessage = null;
+            AuthenticationProperties? properties = null;
 
             // assumption: if the ContentType is "application/x-www-form-urlencoded" it should be safe to read as it is small.
             if (HttpMethods.IsPost(Request.Method)
@@ -195,10 +195,10 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                     return messageReceivedContext.Result;
                 }
                 wsFederationMessage = messageReceivedContext.ProtocolMessage;
-                properties = messageReceivedContext.Properties; // Provides a new instance if not set.
+                properties = messageReceivedContext.Properties!; // Provides a new instance if not set.
 
                 // If state did flow from the challenge then validate it. See AllowUnsolicitedLogins above.
-                if (properties.Items.TryGetValue(CorrelationProperty, out string correlationId)
+                if (properties.Items.TryGetValue(CorrelationProperty, out string? correlationId)
                     && !ValidateCorrelationId(properties))
                 {
                     return HandleRequestResult.Fail("Correlation failed.", properties);
@@ -227,7 +227,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                     return securityTokenReceivedContext.Result;
                 }
                 wsFederationMessage = securityTokenReceivedContext.ProtocolMessage;
-                properties = messageReceivedContext.Properties;
+                properties = messageReceivedContext.Properties!;
 
                 if (_configuration == null)
                 {
@@ -240,8 +240,8 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                 tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
                 tvp.IssuerSigningKeys = (tvp.IssuerSigningKeys == null ? _configuration.SigningKeys : tvp.IssuerSigningKeys.Concat(_configuration.SigningKeys));
 
-                ClaimsPrincipal principal = null;
-                SecurityToken parsedToken = null;
+                ClaimsPrincipal? principal = null;
+                SecurityToken? parsedToken = null;
                 foreach (var validator in Options.SecurityTokenHandlers)
                 {
                     if (validator.CanReadToken(token))
@@ -285,7 +285,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                 }
 
                 // Flow possible changes
-                principal = securityTokenValidatedContext.Principal;
+                principal = securityTokenValidatedContext.Principal!;
                 properties = securityTokenValidatedContext.Properties;
 
                 return HandleRequestResult.Success(new AuthenticationTicket(principal, properties, Scheme.Name));
@@ -319,7 +319,7 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
         /// Handles Signout
         /// </summary>
         /// <returns></returns>
-        public async virtual Task SignOutAsync(AuthenticationProperties properties)
+        public async virtual Task SignOutAsync(AuthenticationProperties? properties)
         {
             var target = ResolveTarget(Options.ForwardSignOut);
             if (target != null)
diff --git a/src/Security/Authentication/WsFederation/src/WsFederationOptions.cs b/src/Security/Authentication/WsFederation/src/WsFederationOptions.cs
index ae08389a94b1..65ccc40fb2e0 100644
--- a/src/Security/Authentication/WsFederation/src/WsFederationOptions.cs
+++ b/src/Security/Authentication/WsFederation/src/WsFederationOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -59,18 +59,18 @@ public override void Validate()
         /// Configuration provided directly by the developer. If provided, then MetadataAddress and the Backchannel properties
         /// will not be used. This information should not be updated during request processing.
         /// </summary>
-        public WsFederationConfiguration Configuration { get; set; }
+        public WsFederationConfiguration? Configuration { get; set; }
 
         /// <summary>
         /// Gets or sets the address to retrieve the wsFederation metadata
         /// </summary>
-        public string MetadataAddress { get; set; }
+        public string? MetadataAddress { get; set; }
 
         /// <summary>
         /// Responsible for retrieving, caching, and refreshing the configuration from metadata.
         /// If not provided, then one will be created using the MetadataAddress and Backchannel properties.
         /// </summary>
-        public IConfigurationManager<WsFederationConfiguration> ConfigurationManager { get; set; }
+        public IConfigurationManager<WsFederationConfiguration> ConfigurationManager { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic
@@ -113,7 +113,7 @@ public ICollection<ISecurityTokenValidator> SecurityTokenHandlers
         /// <summary>
         /// Gets or sets the type used to secure data handled by the middleware.
         /// </summary>
-        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
+        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; } = default!;
 
         /// <summary>
         /// Gets or sets the <see cref="TokenValidationParameters"/>
@@ -135,18 +135,18 @@ public TokenValidationParameters TokenValidationParameters
         /// Gets or sets the 'wreply'. CallbackPath must be set to match or cleared so it can be generated dynamically.
         /// This field is optional. If not set then it will be generated from the current request and the CallbackPath.
         /// </summary>
-        public string Wreply { get; set; }
+        public string? Wreply { get; set; }
 
         /// <summary>
         /// Gets or sets the 'wreply' value used during sign-out.
         /// If none is specified then the value from the Wreply field is used.
         /// </summary>
-        public string SignOutWreply { get; set; }
+        public string? SignOutWreply { get; set; }
         
         /// <summary>
         /// Gets or sets the 'wtrealm'.
         /// </summary>
-        public string Wtrealm { get; set; }
+        public string? Wtrealm { get; set; }
 
         /// <summary>
         /// Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token.
@@ -176,7 +176,7 @@ public TokenValidationParameters TokenValidationParameters
         /// The Authentication Scheme to use with SignOutAsync from RemoteSignOutPath. SignInScheme will be used if this
         /// is not set.
         /// </summary>
-        public string SignOutScheme { get; set; }
+        public string? SignOutScheme { get; set; }
         
         /// <summary>
         /// SaveTokens is not supported in WsFederation
diff --git a/src/Security/Authentication/WsFederation/src/WsFederationPostConfigureOptions.cs b/src/Security/Authentication/WsFederation/src/WsFederationPostConfigureOptions.cs
index 62647d4fcd67..c0a63cc97005 100644
--- a/src/Security/Authentication/WsFederation/src/WsFederationPostConfigureOptions.cs
+++ b/src/Security/Authentication/WsFederation/src/WsFederationPostConfigureOptions.cs
@@ -44,7 +44,7 @@ public void PostConfigure(string name, WsFederationOptions options)
             if (options.StateDataFormat == null)
             {
                 var dataProtector = options.DataProtectionProvider.CreateProtector(
-                    typeof(WsFederationHandler).FullName, name, "v1");
+                    typeof(WsFederationHandler).FullName!, name, "v1");
                 options.StateDataFormat = new PropertiesDataFormat(dataProtector);
             }