Duende.IdentityServer.Hosting.DynamicProviders.OidcConfigureOptions is not having public access modifier

[eduardsocea]

IdentityServer version

7.0.8

.NET version

8

Description

I have some custom use cases where I want to extend the OidcConfigureOptions with some properties I define in my storage. As an example, I want to define the full url of MetadataAddress, since the provider I want to integrate doesn't expose the openid-configuration at standard path /well-known/openid-configuration.

Class definition: class OidcConfigureOptions : ConfigureAuthenticationOptions<OpenIdConnectOptions, OidcProvider>
By having this class definition, OidcConfigureOptions is by default internal. Therefore I cannot inherit the class in order to extend the behavior.

Current use case of extensibility:

1. Duplicate the OidcConfigureOptions in my solution - it will work, but it's not maintainable.
2. Implement an IPostConfigureOptions in which I can add update the properties as I want. However this means that I need one more round trip to the storage (when no cache is implemented), or I have to manually resolve the DynamicAuthentncationSchemeCache.

Trade-off: IPostConfigureOptions will run also for OpenIdConnect providers which are configured from app settings (the standard way with AddOpenIdConnect()`. This means that additional execution will be done for no reason.

Trade-off2: By default, the configuration of Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectPostConfigureOptions is performed when I do AddIdentityServer(). This PostConfigureOptions is in charge of configuring the MetadataAddress as part of the options. If I am to create my CustomPostConfigureOptions, I will need to register it before AddIdentityServer() which is not something I would expect to do.
3. Decorator implementation of OidcConfigureOptions.

Trade-off: For this approach, I will have to duplicate some logic from Duende.IdentityServer.Hosting.DynamicProviders.ConfigureAuthenticationOptions<,> and this logic will be executed 2 times.

Reproduction steps

No response

Expected behavior

From my point of view, the class Duende.IdentityServer.Hosting.DynamicProviders.OidcConfigureOptions should be public, as it will provide better extensibility for the current design.
Is there any reason why this class is not having public access modifier?

Logs

No response

Additional context

No response

[RolandGuijt]

@AndersAbel

[AndersAbel]

The configuration system is meant to be composable. It first runs all ConfigureOptions and then all PostConfigureOptions. Since it's easy to add more configure services on top of each other, there are other alternatives than to make the OidcConfigureOptions class public. Making the class public would unfortunately not only be a matter of switching to public. It would also require us to review the class and see if the current single large method in there should be split into multiple methods to allow more granular overrides.

My recommendation would be to do a variant of your suggestion #2, implement your own class that derives from ConfigureAuthenticationOptions<OpenIdConnectOptions, OidcProvider> and register it with DI. The base class will handle the plumbing of resolving/interacting with the cache and you can override the abstract Configure(ConfigureAuthenticationContext<OpenIdConnectOptions, OidcProvider> context) method to do the actual configuration.