Kaliumhexacyanoferrat · Kaliumhexacyanoferrat · Dec 30, 2025 · Dec 30, 2025
diff --git a/Modules/Authentication/Bearer/BearerAuthenticationConcern.cs b/Modules/Authentication/Bearer/BearerAuthenticationConcern.cs
@@ -1,8 +1,10 @@
 using System.IdentityModel.Tokens.Jwt;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+
 using GenHTTP.Api.Content;
 using GenHTTP.Api.Protocol;
+
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Tokens;
 
@@ -75,7 +77,16 @@ internal BearerAuthenticationConcern(IHandler content, TokenValidationOptions va
 
         if (issuer != null && _issuerKeys == null)
         {
-            _issuerKeys = await FetchSigningKeys(issuer);
+            if (ValidationOptions.CustomKeyResolver != null)
+            {
+                var unvalidatedToken = tokenHandler.ReadJwtToken(tokenString);
+
+                _issuerKeys = await ValidationOptions.CustomKeyResolver(unvalidatedToken);
+            }
+            else
+            {
+                _issuerKeys = await FetchSigningKeysAsync(issuer);
+            }
         }
 
         var validationParameters = new TokenValidationParameters
@@ -122,7 +133,7 @@ internal BearerAuthenticationConcern(IHandler content, TokenValidationOptions va
         }
     }
 
-    private static async Task<ICollection<SecurityKey>> FetchSigningKeys(string issuer)
+    private static async ValueTask<ICollection<SecurityKey>> FetchSigningKeysAsync(string issuer)
     {
         try
         {

diff --git a/Modules/Authentication/Bearer/BearerAuthenticationConcernBuilder.cs b/Modules/Authentication/Bearer/BearerAuthenticationConcernBuilder.cs
@@ -2,6 +2,7 @@
 using GenHTTP.Api.Content;
 using GenHTTP.Api.Content.Authentication;
 using GenHTTP.Api.Protocol;
+using Microsoft.IdentityModel.Tokens;
 
 namespace GenHTTP.Modules.Authentication.Bearer;
 
@@ -53,6 +54,18 @@ public BearerAuthenticationConcernBuilder Validation(Func<JwtSecurityToken, Task
         _options.CustomValidator = validator;
         return this;
     }
+
+    /// <summary>
+    /// Adds a custom logic to fetch the signing keys. By default, the keys will be
+    /// downloaded from the URL returned by the .well-known information returned by
+    /// the issuer.
+    /// </summary>
+    /// <param name="keyResolver">The logic used to resolve the signing keys for a given incoming token</param>
+    public BearerAuthenticationConcernBuilder KeyResolver(Func<JwtSecurityToken, ValueTask<ICollection<SecurityKey>>> keyResolver)
+    {
+        _options.CustomKeyResolver = keyResolver;
+        return this;
+    }
 
     /// <summary>
     /// Optionally register a function that will compute the user that

diff --git a/Modules/Authentication/Bearer/TokenValidationOptions.cs b/Modules/Authentication/Bearer/TokenValidationOptions.cs
@@ -1,7 +1,10 @@
 using System.IdentityModel.Tokens.Jwt;
+
 using GenHTTP.Api.Content.Authentication;
 using GenHTTP.Api.Protocol;
 
+using Microsoft.IdentityModel.Tokens;
+
 namespace GenHTTP.Modules.Authentication.Bearer;
 
 internal sealed class TokenValidationOptions
@@ -16,4 +19,7 @@ internal sealed class TokenValidationOptions
     internal Func<JwtSecurityToken, Task>? CustomValidator { get; set; }
 
     internal Func<IRequest, JwtSecurityToken, ValueTask<IUser?>>? UserMapping { get; set; }
+
+    internal Func<JwtSecurityToken, ValueTask<ICollection<SecurityKey>>>? CustomKeyResolver { get; set; }
+
 }
diff --git a/Testing/Acceptance/Modules/Authentication/BearerAuthenticationTests.cs b/Testing/Acceptance/Modules/Authentication/BearerAuthenticationTests.cs
@@ -40,6 +40,20 @@ public async Task TestCustomValidator(TestEngine engine)
 
         await response.AssertStatusAsync(HttpStatusCode.Forbidden);
     }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestCustomKeyResolver(TestEngine engine)
+    {
+        var auth = BearerAuthentication.Create()
+                                       .Issuer("https://facebook.com")
+                                       .KeyResolver(_ => throw new ProviderException(ResponseStatus.Forbidden, "Nah"))
+                                       .AllowExpired();
+
+        using var response = await Execute(auth, engine, ValidToken);
+
+        await response.AssertStatusAsync(HttpStatusCode.Forbidden);
+    }
 
     [TestMethod]
     [MultiEngineTest]