TokenRequestValidator customization #186
Unanswered
evansjustind asked this question in IdentityServer
Replies: 1 comment
Client credentials flow is designed for pure machine to machine communication without a user being involved. In your case I would recommend an approach where the access token is retrieved as normal and then used on a separate "user" API (with a separate scope). It can then return the user details given the user id in the request.
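The approach recommended in this reply, shown from the API side as an added example (not part of the original reply and not IdentityServer's own code): a separate "user" API that accepts a `client_credentials` access token only when it carries a dedicated scope. The authority URL, the `user_api` scope name, the `/users/{id}` route and the in-memory user record are assumptions made for illustration.

```csharp
// Added example: Program.cs for a hypothetical "user" API (ASP.NET Core minimal API).
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Assumption: address of the IdentityServer instance that issues the tokens.
        options.Authority = "https://identity.example.test";
        // Assumption: no ApiResource is configured, so there is no audience to check;
        // the scope policy below is what gates access to this API.
        options.TokenValidationParameters.ValidateAudience = false;
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy("UserApi", policy =>
    {
        policy.RequireAuthenticatedUser();
        // Assumption: the client requests the API scope "user_api" (not an OpenID
        // identity scope) in its normal client_credentials token request, and the
        // token carries each scope as its own "scope" claim.
        policy.RequireClaim("scope", "user_api");
    }));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed sample data standing in for the real service-user store.
var serviceUsers = new Dictionary<string, ServiceUser>
{
    ["svc-001"] = new("svc-001", "Billing service user", "billing@example.test"),
};

// Returns the user details for the user id given in the request.
// 401 without a valid token, 403 when the token lacks the "user_api" scope.
app.MapGet("/users/{id}", (string id) =>
        serviceUsers.TryGetValue(id, out var user) ? Results.Ok(user) : Results.NotFound())
   .RequireAuthorization("UserApi");

app.Run();

record ServiceUser(string Id, string DisplayName, string Email);
```

If the API is meant to expose only the service user attached to the calling client, the handler can additionally compare the requested id against the token's `client_id` claim using a mapping the API owns.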
Hello,

We have a specific use case where it would be of great benefit to be able to modify aspects of the `TokenRequestValidator`. I was curious whether it was at all possible to request for a way to accomplish this. Currently, the methods on this class are mostly internal.

Here's a brief explanation of our use case. We have clients that are used to perform system to system requests but have a type of "internal user" attached to them to add a user context. The main issue we run into currently with this approach is that OpenID scopes are not allowed to be requested as part of the `client_credentials` client validation. As we have a concept of a "service user" and use this for certain specific requests, it would be beneficial to us to be able to get user information for these service users in specific scenarios.

We would like a way to either customize the `TokenRequestValidator` specifically to avoid the `invalid_scope` 400 error when requesting OpenID scopes with a `client_credentials` grant type on a client.