Make JwtBearerService public with virtual methods for extensibility

[Copilot]

JwtBearerService was internal, preventing subclassing for custom JWT configurations or overriding default behavior.

• Class visibility changed from internal to public
• All public methods (CreateTokenAsync, ValidateTokenAsync, RefreshTokenAsync) marked virtual
• jwtBearerSettings changed from a private field to a protected read-only property (JwtBearerSettings) for subclass access
• Added XML documentation for newly public API surface

public class CustomJwtService : JwtBearerService
{
    public CustomJwtService(IOptions<JwtBearerSettings> options) : base(options) { }

    public override async Task<ClaimsPrincipal> ValidateTokenAsync(string token, bool validateLifetime = true)
    {
        // Custom validation logic
        var principal = await base.ValidateTokenAsync(token, validateLifetime);
        // Additional checks...
        return principal;
    }
}

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Make JwtBearerService public and its methods virtual for extensibility</issue_title>
<issue_description>## Feature Request

Please make the JwtBearerService class public. This would allow developers to create multiple wrappers with different configurations, enabling greater flexibility (for example, instantiating it as a KeyService).

Additionally, make all public methods of JwtBearerService virtual so they can be overridden. This will improve extensibility and allow advanced users to customize the authentication logic as needed.

Rationale:

• Public visibility allows users to instantiate JwtBearerService as needed in various scenarios.
• Virtual methods facilitate extension and customization without changes to the core package.

Example Use Cases:

• Creating different services for distinct JWT configurations
• Overriding default behavior for custom key validation

---

If this change is acceptable, please outline any potential impacts on the public API and document the new usage pattern.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Make JwtBearerService public and its methods virtual for extensibility #190

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[Copilot]

Pull request overview

Exposes JwtBearerService as a public, extensible implementation of IJwtBearerService so consumers can subclass it to customize JWT creation/validation behavior.

Changes:

• Changed JwtBearerService visibility from internal to public.
• Marked CreateTokenAsync, ValidateTokenAsync, and RefreshTokenAsync as virtual for overriding.
• Replaced the private settings field with a protected JwtBearerSettings property and added XML docs for the newly-public surface.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Since this type is now part of the public API surface, the primary-constructor parameter should be validated. As written, passing a null IOptions will result in a NullReferenceException when initializing JwtBearerSettings; prefer throwing ArgumentNullException (and optionally validate jwtBearerSettingsOptions.Value as well) to fail fast with a clearer error.

Suggested change

	protected JwtBearerSettings JwtBearerSettings { get; } = jwtBearerSettingsOptions.Value;
	protected JwtBearerSettings JwtBearerSettings { get; } =
	jwtBearerSettingsOptions is null
	? throw new ArgumentNullException(nameof(jwtBearerSettingsOptions))
	: jwtBearerSettingsOptions.Value;

[Copilot]

CreateTokenAsync does not enforce the interface contract that absoluteExpiration must be >= DateTime.UtcNow (see IJwtBearerService XML docs). If a past absoluteExpiration is provided, the method will mint an already-expired token rather than throwing ArgumentException as documented.