Tags: c#, identityserver3, openid-connect

IdentityServer choose UserService for each Client


I have IdentityServer v3 with the ResourceOwner flow and I need to configure it to be able to authorize users from AspNetIdentityUserStore (1st UserService) and users from ActiveDirectory (2nd UserService) from one endpoint.

The first trivial decision is to make a custom UserService which composes the 1st and 2nd user services and encapsulates the logic, but I'd like to know whether it is OK to choose the behavior of the registered UserService depending on the current client.

Or are there any different approaches which solve the problem better?


Solution

  • Splitting your UserService based on the Client may seem like a good idea, but introducing this Client bias will cause many problems. It will cause much confusion for your userbase, as valid credentials may not work on the same login page for another Client. It also makes the identity provider more difficult to deal with in the future, as whenever another Client is added user authentication will have to be revised.

    For the purposes of authentication, you will have a better time, both now and in the future, having the identity provider's UserService act without knowledge of the Client. The burden should be on the Client to determine if the user principal provided by the identity server has adequate authorization.
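One way to compose the two stores along the lines the answer recommends, as an added example that is not from the question or the answer. It assumes the IdentityServer3 2.x IUserService/UserServiceBase contract and two hypothetical inner services (one for AspNetIdentity, one for ActiveDirectory) registered under store names; it deliberately never consults the client.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

// Client-agnostic composite: tries each backing store in a fixed order and never
// reads context.SignInMessage.ClientId, so the same credentials behave the same
// on every client; authorization stays a client-side concern.
public class CompositeUserService : UserServiceBase
{
    // Store name (recorded in the "idp" claim) -> inner service. Hypothetical inner
    // services, e.g. { "aspnet", aspNetIdentityUserService }, { "ad", adUserService }.
    private readonly IReadOnlyDictionary<string, IUserService> _stores;
    public CompositeUserService(IReadOnlyDictionary<string, IUserService> stores)
    {
        _stores = stores;
    }

    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        foreach (var store in _stores)
        {
            context.AuthenticateResult = null;              // clean slate for each store
            await store.Value.AuthenticateLocalAsync(context);
            var result = context.AuthenticateResult;
            if (result == null || result.IsError) continue; // not this store, try the next
            // Re-issue the result with the store name as identity provider so the
            // profile/active callbacks below route the subject back to the same store.
            context.AuthenticateResult = new AuthenticateResult(
                result.User.GetSubjectId(), result.User.GetName(),
                result.User.Claims, identityProvider: store.Key);
            return;
        }
        // One generic failure for all stores: do not reveal which directory was checked.
        context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
    }

    // Assumes every subject was issued by AuthenticateLocalAsync above (idp = store name).
    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        return _stores[context.Subject.GetIdentityProvider()].GetProfileDataAsync(context);
    }

    public override Task IsActiveAsync(IsActiveContext context)
    {
        return _stores[context.Subject.GetIdentityProvider()].IsActiveAsync(context);
    }
}
```

Register a single instance of this class as the IUserService; which store a user lives in is then an internal detail of the identity provider, and each client decides what the resulting principal may do.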