Tags: oauth-2.0, jwt, identityserver4

How to make a custom grant type in IdentityServer4


I'm trying to implement a custom grant type with IdentityServer, but I'm lost.

I have multiple applications that are already logged in to another IdentityServer with PKCE, and they need to access multiple APIs protected by another one. How can I make it work? Shall I implement an IExtensionGrantValidator and register the IdentityServer signing keys in the one protecting the APIs?


Solution

  • Sharing the keys between the IdentityServer instances would allow you to use tokens from one issuer in APIs that require tokens from another issuer.

    In fact, you don't even need to share the signing keys; you can use different signing keys and add the signing key of one instance as a validation key to the other.

    Then, when APIs want to validate a token in the backend, they will fetch the OpenID configuration from the OIDC provider (IdentityServer) and validate the JWT signature using the keys broadcast by the server.

    To illustrate, the IdS demo app defines a single key at https://demo.identityserver.io/.well-known/openid-configuration/jwks. When you add multiple validation keys using AddValidationKey, you'll see all those keys in the .../jwks metadata. Then the app will use all those keys for validation.

    // in instance A: sign with A's certificate, publish B's certificate as an
    // additional validation key (the "CN=..." overloads look the certificate up
    // in the certificate store by subject name)
    services.AddIdentityServer()
       .AddSigningCredential("CN=signing key for instance A")
       .AddValidationKey("CN=signing key for instance B");

    // in instance B: the mirror image, so tokens signed by either instance
    // verify against the jwks document of either instance
    services.AddIdentityServer()
       .AddSigningCredential("CN=signing key for instance B")
       .AddValidationKey("CN=signing key for instance A");
    
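The answer above covers the IdentityServer side. The API side also has to be told about the second issuer, because a token minted by instance A carries A's URL in its iss claim, and a JwtBearer handler pointed only at B's discovery document will reject that token even though the signature verifies against B's jwks. The following is an added example for the API's Startup.ConfigureServices, not code from the original answer or from the IdentityServer4 project; the instance URLs https://ids-a.example.com and https://ids-b.example.com, the audience name "api1", and the extension method name AddCrossInstanceJwtAuth are assumptions chosen for illustration.

```csharp
// API project (ASP.NET Core). Assumed values, not from the original post:
// instance A at https://ids-a.example.com, instance B at https://ids-b.example.com,
// and the API registered in both instances as the ApiResource "api1".
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiAuthentication
{
    public const string IssuerA = "https://ids-a.example.com"; // assumed
    public const string IssuerB = "https://ids-b.example.com"; // assumed
    public const string ApiAudience = "api1";                  // assumed

    // Hypothetical helper name; call it from Startup.ConfigureServices.
    public static IServiceCollection AddCrossInstanceJwtAuth(this IServiceCollection services)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery and jwks are fetched from B only. Because B registered
                // A's certificate with AddValidationKey, B's jwks document lists both
                // keys, so the handler can pick the right one by the token's "kid"
                // whether A or B signed it.
                options.Authority = IssuerB;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // A valid signature is not enough. The handler adds B's issuer
                    // from discovery automatically; A must be listed explicitly,
                    // otherwise tokens from A fail with "invalid issuer".
                    ValidateIssuer = true,
                    ValidIssuers = new[] { IssuerA, IssuerB },

                    // Both instances must issue tokens for this API; a token for a
                    // different API signed with the same key is still refused.
                    ValidateAudience = true,
                    ValidAudience = ApiAudience,

                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        return services;
    }
}
```

The scheme still trusts only the keys published by B, so rotating A's certificate means updating B's validation keys (and its jwks output) before A starts signing with the new key; the check to run after such a change is that https://ids-b.example.com/.well-known/openid-configuration/jwks lists the kid of every certificate either instance currently signs with.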
