/// <summary>
 /// Called when a request to the Token endpoint arrives with a "grant_type" of "client_credentials". This occurs when a registered client
 /// application wishes to acquire an "access_token" to interact with protected resources on it's own behalf, rather than on behalf of an authenticated user. 
 /// If the web application supports the client credentials it may assume the context.ClientId has been validated by the ValidateClientAuthentication call.
 /// To issue an access token the context.Validated must be called with a new ticket containing the claims about the client application which should be associated
 /// with the access token. The application should take appropriate measures to ensure that the endpoint isn't abused by malicious callers.
 /// The default behavior is to reject this grant type.
 /// See also http://tools.ietf.org/html/rfc6749#section-4.4.2
 /// </summary>
 /// <param name="context">The context of the event carries information in and results out.</param>
 /// <returns>Task to enable asynchronous execution</returns>
 public virtual Task GrantClientCredentials(OpenIdConnectGrantClientCredentialsContext context)
 {
     return OnGrantClientCredentials.Invoke(context);
 }
        private Task GrantClientCredentials(OpenIdConnectGrantClientCredentialsContext context)
        {
            // there is no identity for ClientCredentials only, so create one based on clientid

            var identity = new ClaimsIdentity(new GenericIdentity(
               context.ClientId, OpenIdConnectDefaults.AuthenticationType),
               context.Scope.Select(x => new Claim("urn:oauth:scope", x))
               );

            // it must have subject claim for openid, it can be ClaimTypes.NameIdentifier
            // or JwtRegisteredClaimNames.Sub
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier,context.ClientId));

            context.Validated(identity);

            return Task.FromResult(0);
        }