From 03820b4fbac842b1c0092ce028cbde55e2772646 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Wed, 7 May 2025 15:11:35 -0400
Subject: [PATCH 1/2] Add docs and remove TODO comments

---
 src/Identity/IdentityServer/DynamicClientStore.cs  |  3 +--
 .../IdentityServer/ServiceCollectionExtensions.cs  | 14 +++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/Identity/IdentityServer/DynamicClientStore.cs b/src/Identity/IdentityServer/DynamicClientStore.cs
index 997ff64d0b..b78a0ab4e5 100644
--- a/src/Identity/IdentityServer/DynamicClientStore.cs
+++ b/src/Identity/IdentityServer/DynamicClientStore.cs
@@ -46,8 +46,6 @@ internal class DynamicClientStore : IClientStore
             // Increment past the period
             var identifierName = clientIdSpan[..firstPeriod++];
 
-            // TODO: Validate some rules about the identifierName?
-
             var identifier = clientIdSpan[firstPeriod..];
 
             // The identifier is required to be non-empty
@@ -56,6 +54,7 @@ internal class DynamicClientStore : IClientStore
                 return Task.FromResult<Client?>(null);
             }
 
+            // Once identifierName is proven valid, materialize the string
             var clientBuilder = _serviceProvider.GetKeyedService<IClientProvider>(identifierName.ToString());
 
             if (clientBuilder == null)
diff --git a/src/Identity/IdentityServer/ServiceCollectionExtensions.cs b/src/Identity/IdentityServer/ServiceCollectionExtensions.cs
index fc97fb8e45..2402ebb7f9 100644
--- a/src/Identity/IdentityServer/ServiceCollectionExtensions.cs
+++ b/src/Identity/IdentityServer/ServiceCollectionExtensions.cs
@@ -4,15 +4,23 @@ namespace Microsoft.Extensions.DependencyInjection;
 
 public static class ServiceCollectionExtensions
 {
+    /// <summary>
+    /// Registers a custom <see cref="IClientProvider"/> for the given identifier to be called when a client id with
+    /// the identifier is attempting authentication.
+    /// </summary>
+    /// <typeparam name="T">Your custom implementation of <see cref="IClientProvider"/>.</typeparam>
+    /// <param name="services">The service collection to add services to.</param>
+    /// <param name="identifier">
+    /// The identifier to be used to invoke your client provider if a <c>client_id</c> is prefixed with your identifier
+    /// then your <see cref="IClientProvider"/> implementation will be invoked with the data after the seperating <c>.</c>.
+    /// </param>
+    /// <returns>The <see cref="IServiceCollection"/> for additional chaining.</returns>
     public static IServiceCollection AddClientProvider<T>(this IServiceCollection services, string identifier)
         where T : class, IClientProvider
     {
         ArgumentNullException.ThrowIfNull(services);
         ArgumentException.ThrowIfNullOrWhiteSpace(identifier);
 
-        // TODO: Track name so that if they register the same one twice it's an error?
-
-        // TODO: We could allow customization of service lifetime
         services.AddKeyedTransient<IClientProvider, T>(identifier);
 
         return services;

From 78a9471dac7bc380e7e71f0356bd67a73b58f969 Mon Sep 17 00:00:00 2001
From: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Date: Tue, 13 May 2025 12:47:21 -0400
Subject: [PATCH 2/2] Use preferred prefix for API keys

---
 .../ClientProviders/SecretsManagerApiKeyProvider.cs            | 2 ++
 src/Identity/IdentityServer/DynamicClientStore.cs              | 3 ++-
 src/Identity/Utilities/ServiceCollectionExtensions.cs          | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/Identity/IdentityServer/ClientProviders/SecretsManagerApiKeyProvider.cs b/src/Identity/IdentityServer/ClientProviders/SecretsManagerApiKeyProvider.cs
index 045b1a1c09..dec5f8dc64 100644
--- a/src/Identity/IdentityServer/ClientProviders/SecretsManagerApiKeyProvider.cs
+++ b/src/Identity/IdentityServer/ClientProviders/SecretsManagerApiKeyProvider.cs
@@ -9,6 +9,8 @@ namespace Bit.Identity.IdentityServer.ClientProviders;
 
 internal class SecretsManagerApiKeyProvider : IClientProvider
 {
+    public const string ApiKeyPrefix = "apikey";
+
     private readonly IApiKeyRepository _apiKeyRepository;
     private readonly IOrganizationRepository _organizationRepository;
 
diff --git a/src/Identity/IdentityServer/DynamicClientStore.cs b/src/Identity/IdentityServer/DynamicClientStore.cs
index b78a0ab4e5..9d7764bf42 100644
--- a/src/Identity/IdentityServer/DynamicClientStore.cs
+++ b/src/Identity/IdentityServer/DynamicClientStore.cs
@@ -1,5 +1,6 @@
 #nullable enable
 
+using Bit.Identity.IdentityServer.ClientProviders;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Stores;
 
@@ -18,7 +19,7 @@ internal class DynamicClientStore : IClientStore
 
     public DynamicClientStore(
       IServiceProvider serviceProvider,
-      [FromKeyedServices("sm-apikey")] IClientProvider apiKeyClientProvider,
+      [FromKeyedServices(SecretsManagerApiKeyProvider.ApiKeyPrefix)] IClientProvider apiKeyClientProvider,
       StaticClientStore staticClientStore
     )
     {
diff --git a/src/Identity/Utilities/ServiceCollectionExtensions.cs b/src/Identity/Utilities/ServiceCollectionExtensions.cs
index 01a3edf3ce..5effacc92d 100644
--- a/src/Identity/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Identity/Utilities/ServiceCollectionExtensions.cs
@@ -69,7 +69,7 @@ public static class ServiceCollectionExtensions
 
         services.AddClientProvider<UserClientProvider>("user");
         services.AddClientProvider<OrganizationClientProvider>("organization");
-        services.AddClientProvider<SecretsManagerApiKeyProvider>("sm-apikey");
+        services.AddClientProvider<SecretsManagerApiKeyProvider>(SecretsManagerApiKeyProvider.ApiKeyPrefix);
 
         if (CoreHelpers.SettingHasValue(globalSettings.IdentityServer.CosmosConnectionString))
         {