leastprivilege
commented
7 years ago As the name implies - this middleware is for resources protected by IdentityServer and not custom OAuth servers.
That said - you can set the authority to the base address or the full path. Adding custom headers is doable via a back-channel handler.
oscarwest
We are trying to use IdentityServer4.AccessTokenValidation to do introspection against a custom OAuth 2.0 STS(Not IdentityServer) but there seems to be limited configuration options.
Is it possible to configure the middleware with a custom discovery endpoint? /oauth/v2/.well-known/openid-configuration
UseJwtBearerAuthentication supports this with the "MetadataAddress" property.
Also, our STS currently has a bug and needs an Accept header set to "application/json" to return the document openid-configuration, is this possible?
Would this be possible with another middleware, openidconnect or jwt? To my knowledge neither of these middlewares support introspection out of the box.
/ Oscar