Perform Token Exchange with second Identity Server #20
Unanswered
stefan-hofbauer-programmierfabrik-at asked this question in IdentityServer
Replies: 2 comments 1 reply
Comment: (note: we're moving this issue to our new community discussions)
Comment: The token validator class is meant to only accept tokens managed by the instance itself.
Which version of Duende IdentityServer are you using?
7.0.8
Which version of .NET are you using?
8.0.405
Describe
We have two independent Identity Servers which are responsible for a different set of services.
Now we have the Use Case that a service of Identity Server A wants to access a Service from Identity Server B.
To solve our problem, we want to use the OpenID Connect Token Exchange which for us would be the best way to advice the goa
We implemented the Token Exchange in Identity Server B and can now successfully Exchange Tokens to get different Scopes for the authenticated user. For the setup we followed the documentation on the website.
The problem we have now is that we can only exchange tokens issued by this Identity Server, and we found no option to also allow the second issuer.
Through the source code, we found out that in the TokenValidator it is defined that only the current Identity Server is a ValidIssuer, but the class TokenValidationParameters gives the option to set a list of issuers with the property ValidIssuers.
TokenValidator Line 281:

```csharp
var parameters = new TokenValidationParameters
{
    ValidIssuer = await _issuerNameService.GetCurrentAsync(),
    IssuerSigningKeys = validationKeys.Select(k => k.Key),
    ValidateLifetime = validateLifetime
};
```

Expected behavior
Configure the trust between these two Identity Servers to be able to exchange the token from Identity Server A for a new token from Identity Server B.
Question
Our question now is whether overriding the TokenValidator class is the way to solve our problem, or whether there is another, better way in IdentityServer we could use.
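The comment above says the built-in token validator is meant only for tokens the instance itself issued, and that is the security-relevant point: if Identity Server B's TokenValidator were widened with ValidIssuers to also trust Identity Server A, then every code path that uses it (introspection, reference-token checks, userinfo, and so on) would accept A's access tokens as if B had minted them. The narrower place to put cross-issuer trust is the token-exchange grant itself. The following is an added example, not code from the original post or from Duende: a custom IExtensionGrantValidator for the RFC 8693 grant that validates a subject_token from B with Duende's own ITokenValidator and a subject_token from A with Microsoft.IdentityModel against A's discovery document, with A's issuer and the expected audience pinned in configuration rather than read from the token. The class name, the RemoteIssuer and RemoteAudience values, the "token-exchange" authentication-method string and the https://idsrv-a.example URL are assumptions; it assumes Duende IdentityServer 7.x and Microsoft.IdentityModel 7.x (JsonWebTokenHandler.ValidateTokenAsync).

```csharp
// Added example (not Duende's or the poster's code). Assumes Duende IdentityServer 7.x and
// Microsoft.IdentityModel 7.x. RemoteIssuer/RemoteAudience and the example URL are placeholders.
using System.Security.Claims;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Validation;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class TokenExchangeGrantValidator : IExtensionGrantValidator
{
    // RFC 8693 grant type; the client in Identity Server B must list it in AllowedGrantTypes.
    public string GrantType => "urn:ietf:params:oauth:grant-type:token-exchange";

    // Trust in Identity Server A is explicit and pinned: one issuer, one discovery URL, one audience
    // that A must have put into tokens intended for B (hypothetical values).
    private const string RemoteIssuer = "https://idsrv-a.example";
    private const string RemoteAudience = "idsrv-b-exchange";

    private readonly ITokenValidator _localValidator;   // Duende's validator: only tokens issued by THIS server
    private readonly IIssuerNameService _issuerNames;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _remoteMetadata;

    public TokenExchangeGrantValidator(ITokenValidator localValidator, IIssuerNameService issuerNames)
    {
        _localValidator = localValidator;
        _issuerNames = issuerNames;
        // ConfigurationManager caches A's discovery document and JWKS and refreshes them on key rollover.
        _remoteMetadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            RemoteIssuer + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    }

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var subjectToken = context.Request.Raw.Get("subject_token");
        var subjectTokenType = context.Request.Raw.Get("subject_token_type");
        if (string.IsNullOrEmpty(subjectToken) ||
            subjectTokenType != "urn:ietf:params:oauth:token-type:access_token")
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest,
                "subject_token missing or unsupported subject_token_type");
            return;
        }

        // Read the issuer claim only to pick a trust domain; nothing is trusted until validated below.
        var handler = new JsonWebTokenHandler();
        if (!handler.CanReadToken(subjectToken))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "subject_token is not a JWT");
            return;
        }
        var issuer = handler.ReadJsonWebToken(subjectToken).Issuer;

        ClaimsIdentity subject;
        if (issuer == await _issuerNames.GetCurrentAsync())
        {
            // Local token: reuse IdentityServer's own validation (keys, lifetime, revocation).
            var local = await _localValidator.ValidateAccessTokenAsync(subjectToken);
            if (local.IsError)
            {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, local.Error);
                return;
            }
            subject = new ClaimsIdentity(local.Claims, "token-exchange");
        }
        else if (issuer == RemoteIssuer)
        {
            // Token from Identity Server A: validate signature, pinned issuer, audience and lifetime
            // against A's published keys. This trust exists only inside this grant.
            var metadata = await _remoteMetadata.GetConfigurationAsync(CancellationToken.None);
            var parameters = new TokenValidationParameters
            {
                ValidIssuer = RemoteIssuer,
                ValidAudience = RemoteAudience,
                IssuerSigningKeys = metadata.SigningKeys,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1),
            };
            var remote = await handler.ValidateTokenAsync(subjectToken, parameters);
            if (!remote.IsValid)
            {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "subject_token from remote issuer is invalid");
                return;
            }
            subject = remote.ClaimsIdentity;
        }
        else
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "untrusted subject_token issuer");
            return;
        }

        var sub = subject.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(sub))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "subject_token has no sub claim");
            return;
        }

        // RFC 8693 delegation: record which client is acting on the subject's behalf, and where the
        // subject token came from, so B's resource servers can tell an exchanged token apart.
        var claims = new List<Claim>
        {
            new Claim("act", $"{{\"client_id\":\"{context.Request.Client.ClientId}\",\"iss\":\"{issuer}\"}}",
                IdentityServerConstants.ClaimValueTypes.Json)
        };
        context.Result = new GrantValidationResult(sub, "token-exchange", claims);
    }
}
```

Register it with `builder.Services.AddIdentityServer(...).AddExtensionGrantValidator<TokenExchangeGrantValidator>()` and give the exchanging client the grant type above in its AllowedGrantTypes; the scopes the new token may carry are still governed by that client's AllowedScopes in Identity Server B. Two checks worth keeping: the audience check is what stops any access token A issued for some other API from being laundered into a B token, and the `act` claim is what lets B's APIs distinguish an exchanged token from one the user obtained directly.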