Consider custom reuse of DefaultTokenValidator

[AndersAbel]

The DefaultTokenValidator class is internal and not possible to derive from. It is also not designed to be extensible/adapted.

When implementing token exchange it would be useful in some scenarios to be able to reuse and customize the token validator logic. One example is a multi tenanted setup with issuer-per-tenant where token exchange is used. It is possible to implement that as a custom validator, but it would essentially just be a copy of our token validator with a custom issuer validation step.

We should consider if the DefaultTokenValidator class should be opened up to allow deriving. That would also include redesigning the class to make it easier for a derived class to alter behaviour through overrides.

[josephdecock]

Note that replacing the token validator in DI is not part of this - and we don't want to encourage it. This is only to allow for using the validator code in other contexts and extending it (specifically token exchange).

We would though want to refactor the logic into a series of methods that can individually be overridden.