Tags: c#, oauth, oauth-2.0, openid, identityserver4

Why does CustomTokenRequestValidator service get executed when grant_type="code"?


Expected behaviour: if the user logs in via your SPA web app, and the app uses grant_type=code, it is expected that only the "ProfileDataRequestContext" service would get executed. However, it also executes the ICustomTokenRequestValidator service. Why is that? Am I doing something wrong?

public class ProfileService : IProfileService
{
  //this should be executed only when grant_type=code
  public Task GetProfileDataAsync(ProfileDataRequestContext context) => Task.CompletedTask; // IProfileService member
  public Task IsActiveAsync(IsActiveContext context) => Task.CompletedTask;                 // IProfileService member
}

-

public class CustomTokenRequestValidatorService : ICustomTokenRequestValidator
{
 //this should only be executed when grant_type=client_credentials (however it always gets executed at all times)
 public Task ValidateAsync(CustomTokenRequestValidationContext context) => Task.CompletedTask; // ICustomTokenRequestValidator member
}

Solution

If you look into the flow described by the spec, you can see that the code flow consists of at least two calls to the Authorization Server, and the second one is the call to the Token Endpoint, which triggers the TokenRequestValidator invocation, just as each call to the Authorization Endpoint triggers the AuthorizeRequestValidator correspondingly.

For SPA and native apps that does not matter, but for MVC apps the context of the calls to the Authorization and Token endpoints differs a lot: the first one is performed in the context of the browser, so it contains some browser-specific headers, such as locale, while the second one is a server-to-server (back channel) call.

Regarding your sub-question about IProfileService invocation: that takes place each time the token or response contains UserClaims. When you request id_token and access_token and then retrieve some additional data from the UserInfo endpoint, your IProfileService might be called three times.
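As an added example (not code from the question or the answer): a token request validator that branches on the grant type, so it leaves the code flow alone and only checks client_credentials requests, and a profile service that keys on context.Caller, which distinguishes the id_token, access_token and UserInfo invocations the answer describes. It assumes IdentityServer4's public types as named; the "m2m" client property is a hypothetical policy chosen for illustration.

```csharp
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Registration (assumed Startup wiring):
//   services.AddIdentityServer()
//       .AddCustomTokenRequestValidator<GrantAwareTokenRequestValidator>()
//       .AddProfileService<CallerAwareProfileService>();

// Runs on every token-endpoint call (authorization_code, refresh_token,
// client_credentials, ...), so it branches on the grant type instead of
// assuming a flow; only client_credentials requests get the extra check.
public class GrantAwareTokenRequestValidator : ICustomTokenRequestValidator
{
    public Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
        var request = context.Result.ValidatedRequest;

        if (request.GrantType != GrantType.ClientCredentials)
        {
            return Task.CompletedTask; // code and refresh flows pass through untouched
        }

        // Hypothetical policy: only clients carrying the custom property
        // "m2m" = "true" may use client_credentials (property name is an assumption).
        if (!request.Client.Properties.TryGetValue("m2m", out var m2m) || m2m != "true")
        {
            context.Result.IsError = true;
            context.Result.Error = OidcConstants.TokenErrors.UnauthorizedClient;
            context.Result.ErrorDescription = "client_credentials not permitted for this client";
        }
        return Task.CompletedTask;
    }
}

// Invoked once per artifact that carries user claims: id_token, access_token
// and the UserInfo response. context.Caller says which one is being built.
public class CallerAwareProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Keep access tokens lean: profile claims go only into the id_token and
        // the UserInfo response; the sub claim is added by IdentityServer regardless.
        if (context.Caller != IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken)
        {
            context.AddRequestedClaims(context.Subject.Claims);
        }
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // assumption: no account-state store in this example
        return Task.CompletedTask;
    }
}
```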