DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Consider custom reuse of DefaultTokenValidator #1579

Open AndersAbel opened 4 months ago

AndersAbel commented 4 months ago

The DefaultTokenValidator class is internal and not possible to derive from. It is also not designed to be extensible/adapted.

When implementing token exchange it would be useful in some scenarios to be able to reuse and customize the token validator logic. One example is a multi-tenanted setup with issuer-per-tenant where token exchange is used. It is possible to implement that as a custom validator, but it would essentially just be a copy of our token validator with a custom issuer validation step.

We should consider if the DefaultTokenValidator class should be opened up to allow deriving. That would also include redesigning the class to make it easier for a derived class to alter behaviour through overrides.

josephdecock commented 1 week ago

Note that replacing the token validator in DI is not part of this - and we don't want to encourage it. This is only to allow for using the validator code in other contexts and extending it (specifically token exchange).

We would, though, want to refactor the logic into a series of methods that can individually be overridden.
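The following is an added illustration, not code from Duende IdentityServer or from either commenter. It sketches the shape both comments describe: a validator whose pipeline is a template method calling individually overridable steps, plus a derived validator for the issuer-per-tenant token exchange case, which replaces only the issuer check and the key lookup. All type and method names (StepwiseTokenValidator, TenantIssuerTokenValidator, ValidationOutcome, the issuer URL layout `{baseUrl}/{tenant}`) are hypothetical; the signing keys and tokens are constructed inline for the demo, using the System.IdentityModel.Tokens.Jwt library.

```csharp
// Added example (hypothetical design, not Duende's DefaultTokenValidator).
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class ValidationOutcome
{
    public string Error { get; init; }
    public ClaimsPrincipal Principal { get; init; }
    public string Tenant { get; init; }
}

// Base validator: Validate() is the fixed pipeline; each step is a protected virtual.
public class StepwiseTokenValidator
{
    private readonly string _expectedIssuer;
    private readonly string _expectedAudience;
    private readonly SecurityKey _signingKey;

    public StepwiseTokenValidator(string expectedIssuer, string expectedAudience, SecurityKey signingKey)
    { _expectedIssuer = expectedIssuer; _expectedAudience = expectedAudience; _signingKey = signingKey; }

    public ValidationOutcome Validate(string jwt)
    {
        JwtSecurityToken unverified;
        try { unverified = new JwtSecurityTokenHandler().ReadJwtToken(jwt); }
        catch (ArgumentException) { return Fail("malformed token"); }

        // Step 1: issuer. Nothing is trusted yet, so this step only decides
        // whether the claimed issuer is one we know how to verify.
        if (!ValidateIssuer(unverified.Issuer)) return Fail("invalid issuer");

        // Step 2: the key a genuine token from that issuer must be signed with.
        var key = ResolveSigningKey(unverified.Issuer);
        if (key == null) return Fail("no signing key for issuer");

        // Step 3: signature, lifetime and audience, delegated to the library.
        // Issuer validation is off here because step 1 already performed it.
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = true,
            ValidAudience = _expectedAudience,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = key,
            ClockSkew = TimeSpan.Zero,
        };
        ClaimsPrincipal principal;
        try { principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); }
        catch (SecurityTokenException e) { return Fail(e.GetType().Name); }

        return BuildOutcome(principal, unverified);
    }

    protected virtual bool ValidateIssuer(string issuer) => issuer == _expectedIssuer;
    protected virtual SecurityKey ResolveSigningKey(string issuer) => _signingKey;
    protected virtual ValidationOutcome BuildOutcome(ClaimsPrincipal principal, JwtSecurityToken token)
        => new ValidationOutcome { Principal = principal };
    protected static ValidationOutcome Fail(string error) => new ValidationOutcome { Error = error };
}

// Issuer-per-tenant: issuers look like {baseUrl}/{tenant}; each tenant has its own key.
public sealed class TenantIssuerTokenValidator : StepwiseTokenValidator
{
    private readonly string _baseUrl;
    private readonly IReadOnlyDictionary<string, SecurityKey> _tenantKeys;

    public TenantIssuerTokenValidator(string baseUrl, string audience, IReadOnlyDictionary<string, SecurityKey> tenantKeys)
        : base(expectedIssuer: null, audience, signingKey: null)
    { _baseUrl = baseUrl.TrimEnd('/'); _tenantKeys = tenantKeys; }

    // Returns the tenant name only for a well-formed issuer of a known tenant.
    private string TenantOf(string issuer)
    {
        if (issuer == null || !issuer.StartsWith(_baseUrl + "/", StringComparison.Ordinal)) return null;
        var tenant = issuer.Substring(_baseUrl.Length + 1);
        return tenant.Length > 0 && !tenant.Contains('/') && _tenantKeys.ContainsKey(tenant) ? tenant : null;
    }

    protected override bool ValidateIssuer(string issuer) => TenantOf(issuer) != null;
    protected override SecurityKey ResolveSigningKey(string issuer) => _tenantKeys[TenantOf(issuer)];
    protected override ValidationOutcome BuildOutcome(ClaimsPrincipal principal, JwtSecurityToken token)
        => new ValidationOutcome { Principal = principal, Tenant = TenantOf(token.Issuer) };
}

public static class Demo
{
    public static void Main()
    {
        // Constructed demo keys (HS256 needs at least 32 bytes); never hard-code real keys.
        var keyA = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("tenant-a-demo-key-0123456789abcdef-xyz"));
        var keyB = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("tenant-b-demo-key-0123456789abcdef-xyz"));
        var validator = new TenantIssuerTokenValidator("https://idp.example.com", "api",
            new Dictionary<string, SecurityKey> { ["a"] = keyA, ["b"] = keyB });

        string Mint(string issuer, SecurityKey key) => new JwtSecurityTokenHandler().WriteToken(
            new JwtSecurityToken(issuer, "api", new[] { new Claim("sub", "alice") },
                DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5),
                new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));

        Console.WriteLine(validator.Validate(Mint("https://idp.example.com/a", keyA)).Tenant);     // a
        Console.WriteLine(validator.Validate(Mint("https://idp.example.com/zzz", keyA)).Error);    // invalid issuer
        // Claims tenant b but signed with tenant a's key: step 1 passes, step 3 rejects the signature.
        Console.WriteLine(validator.Validate(Mint("https://idp.example.com/b", keyA)).Error);
    }
}
```

The point of the split is that the derived class never re-implements signature, lifetime or audience checks; it only answers "is this issuer one of mine" and "which key signed it". The third demo call shows why the key lookup must be driven by the same issuer the issuer step accepted: a token that names a valid tenant but carries another tenant's signature is still rejected.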