internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
        {
            var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
            discoveryEndpoint += ".well-known/openid-configuration";

            var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
                discoveryEndpoint,
                options,
                loggerFactory);

            var valParams = new TokenValidationParameters
            {
                ValidAudience = issuerProvider.Audience,
                NameClaimType = options.NameClaimType,
                RoleClaimType = options.RoleClaimType
            };

            var tokenFormat = new JwtFormat(valParams, issuerProvider);

            var bearerOptions = new OAuthBearerAuthenticationOptions
            {
                AccessTokenFormat = tokenFormat,
                AuthenticationMode = options.AuthenticationMode,
                AuthenticationType = options.AuthenticationType,
                Provider = options.TokenProvider ?? new ContextTokenProvider(),
            };

            return bearerOptions;
        }
        internal static OAuthBearerAuthenticationOptions ConfigureLocalValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
        {
            JwtFormat tokenFormat = null;

            // use static configuration
            if (!string.IsNullOrWhiteSpace(options.IssuerName) &&
                options.SigningCertificate != null)
            {
                var audience = options.IssuerName.EnsureTrailingSlash();
                audience += "resources";

                var valParams = new TokenValidationParameters
                { 
                    ValidIssuer = options.IssuerName,
                    ValidAudience = audience,
                    IssuerSigningToken = new X509SecurityToken(options.SigningCertificate),

                    NameClaimType = options.NameClaimType,
                    RoleClaimType = options.RoleClaimType,
                };

                tokenFormat = new JwtFormat(valParams);
            }
            else
            {
                // use discovery endpoint
                if (string.IsNullOrWhiteSpace(options.Authority))
                {
                    throw new Exception("Either set IssuerName and SigningCertificate - or Authority");
                }

                var discoveryEndpoint = options.Authority.EnsureTrailingSlash();
                discoveryEndpoint += ".well-known/openid-configuration";

                var issuerProvider = new DiscoveryDocumentIssuerSecurityTokenProvider(
                    discoveryEndpoint,
                    options,
                    loggerFactory);

                var valParams = new TokenValidationParameters
                {
                    ValidAudience = issuerProvider.Audience,
                    NameClaimType = options.NameClaimType,
                    RoleClaimType = options.RoleClaimType
                };

                tokenFormat = new JwtFormat(valParams, issuerProvider);
            }
            

            var bearerOptions = new OAuthBearerAuthenticationOptions
            {
                AccessTokenFormat = tokenFormat,
                AuthenticationMode = options.AuthenticationMode,
                AuthenticationType = options.AuthenticationType,
                Provider = new ContextTokenProvider()
            };

            if (options.TokenProvider != null)
            {
                bearerOptions.Provider = options.TokenProvider;
            }

            return bearerOptions;
        }