Early Preview
This is currently very much a preview. Please feel free to try things out,
but don't be upset if anything is not yet working. Feedback is welcome over on our
GitHub Discussions page.
interface Duende.IdentityServer.Validation.ICustomTokenValidator
Assembly: Duende.IdentityServer
Allows inserting custom validation logic into the access token and identity token validation pipelines.
Remarks
Implement this interface to run additional checks after IdentityServer has completed its
built-in token validation (signature, expiry, issuer, audience, etc.). Both
ValidateAccessTokenAsync(TokenValidationResult, CancellationToken) and
ValidateIdentityTokenAsync(TokenValidationResult, CancellationToken) receive
the result of the preceding built-in validation and may inspect, enrich, or override it.

These methods are invoked at the introspection endpoint, the userinfo endpoint, and anywhere
else IdentityServer validates tokens internally (e.g., during token exchange or logout).

To fail validation, set IsError and Error on the returned
TokenValidationResult. To add claims or modify the result, update the
Claims collection or other properties before returning.

Register implementations using AddCustomTokenValidator<T>() on the
IdentityServer builder. Multiple implementations may be registered and are all invoked in order.
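The following C# implementation is an added example, not code from Duende or from this page: it rejects otherwise valid tokens whose subject has been disabled since issuance, and it never clears a failure set by built-in validation. IAccountStatusStore and DisabledAccountTokenValidator are hypothetical names; the method signatures follow the ones listed on this page.

```csharp
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Duende.IdentityServer.Validation;

// Hypothetical application service (not part of IdentityServer): reports
// whether a subject has been disabled since the token was issued.
public interface IAccountStatusStore
{
    Task<bool> IsDisabledAsync(string subjectId, CancellationToken ct);
}

public sealed class DisabledAccountTokenValidator : ICustomTokenValidator
{
    private readonly IAccountStatusStore _accounts;

    public DisabledAccountTokenValidator(IAccountStatusStore accounts) => _accounts = accounts;

    public async Task<TokenValidationResult> ValidateAccessTokenAsync(
        TokenValidationResult result, CancellationToken ct)
    {
        // Built-in validation already failed: pass the failure through untouched.
        if (result.IsError) return result;

        // Tokens issued without a user (client credentials) carry no "sub" claim.
        var sub = result.Claims?.FirstOrDefault(c => c.Type == "sub")?.Value;
        if (sub is null) return result;

        // Reject by setting IsError and Error, as described in the remarks.
        if (await _accounts.IsDisabledAsync(sub, ct))
        {
            result.IsError = true;
            result.Error = "invalid_token"; // RFC 6750 error code
        }
        return result;
    }

    // Apply the same subject check to identity tokens.
    public Task<TokenValidationResult> ValidateIdentityTokenAsync(
        TokenValidationResult result, CancellationToken ct)
        => ValidateAccessTokenAsync(result, ct);
}

// Registration on the IdentityServer builder:
// builder.Services.AddIdentityServer()
//     .AddCustomTokenValidator<DisabledAccountTokenValidator>();
```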
Methods
System.Threading.Tasks.Task<TokenValidationResult>
ValidateAccessTokenAsync(TokenValidationResult result,
System.Threading.CancellationToken ct)
Executes custom validation logic for an access token after built-in validation has completed.
Returns
A TokenValidationResult representing the final validation outcome.
Set IsError to true to reject the token.
result
The TokenValidationResult produced by the preceding built-in validation steps.
Inspect this to determine whether validation already failed, and return a modified or
replacement result as appropriate.
ct
The cancellation token.
System.Threading.Tasks.Task<TokenValidationResult>
ValidateIdentityTokenAsync(TokenValidationResult result,
System.Threading.CancellationToken ct)
Executes custom validation logic for an identity token after built-in validation has completed.
Returns
A TokenValidationResult representing the final validation outcome.
Set IsError to true to reject the token.
result
The TokenValidationResult produced by the preceding built-in validation steps.
Inspect this to determine whether validation already failed, and return a modified or
replacement result as appropriate.
ct
The cancellation token.