I've been investigating an application that has problems validating the token that we get from an external provider.
I would expect the token to be invalid if I set ValidIssuer to some obviously invalid value like "foobar" and set ValidateIssuer to true, but it's still considered a valid token.
If I add a custom validator to IssuerValidator, I can see that the property ValidIssuers (ending in an s) has been populated with the valid value from the STS when validation runs. That means, no matter what value I set as ValidIssuer, the token will always be valid. Isn't that a very strange behavior?
I can't share the project, but this is the code of interest:
```csharp
.AddOpenIdConnect(options =>
{
    options.ClientId = clientId;
    options.ClientSecret = Configuration["OidcSettings:ClientSecret"];
    options.CallbackPath = new PathString("/signin-oidc");
    options.Authority = authority;
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.RequireHttpsMetadata = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.SaveTokens = true;
    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("helseid://scopes/hpr/hpr_number");
    options.Scope.Add("helseid://scopes/identity/pid");
    options.Scope.Add("helseid://scopes/identity/security_level");
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = authority + "_validationError", // done on purpose to fail validation
        IssuerValidator = CustomValidateIssuer,
        ValidAudiences = new[] { clientId },
        AudienceValidator = CustomValidateAudience,
        NameClaimType = "name",
        // Signing keys are fetched synchronously from the discovery document at startup
        // (the URL assumes `authority` ends with a trailing slash).
        IssuerSigningKeys = Task.Run(
            async () => {
                IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
                    new ConfigurationManager<OpenIdConnectConfiguration>(
                        $"{authority}.well-known/openid-configuration",
                        new OpenIdConnectConfigurationRetriever());
                var config = await configurationManager.GetConfigurationAsync(CancellationToken.None);
                return config.SigningKeys;
            }).ConfigureAwait(false).GetAwaiter().GetResult()
    };
});
```
(...)
```csharp
// Requires System.Linq and System.IdentityModel.Tokens.Jwt.
private static string CustomValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
{
    if (token is JwtSecurityToken jwt)
    {
        if (jwt.Payload.TryGetValue("iss", out var value) && value is string tokenTenantId)
        {
            // Accept the issuer if it appears in either ValidIssuers or ValidIssuer.
            var _validIssuers = (parameters.ValidIssuers ?? Enumerable.Empty<string>())
                .Append(parameters.ValidIssuer)
                .Where(i => !string.IsNullOrEmpty(i));
            if (_validIssuers.Any(i => i == issuer))
                return issuer;
        }
    }

    // Recreate the exception that is thrown by default
    // when issuer validation fails
    var validIssuer = parameters.ValidIssuer ?? "null";
    var validIssuers = parameters.ValidIssuers == null
        ? "null"
        : !parameters.ValidIssuers.Any()
            ? "empty"
            : string.Join(", ", parameters.ValidIssuers);
    string errorMessage = FormattableString.Invariant(
        $"IDX10205: Issuer validation failed. Issuer: '{issuer}'. Did not match: validationParameters.ValidIssuer: '{validIssuer}' or validationParameters.ValidIssuers: '{validIssuers}'.");
    throw new SecurityTokenInvalidIssuerException(errorMessage)
    {
        InvalidIssuer = issuer
    };
}
```
This is a screenshot of a debug session that shows the current values of TokenValidationParameters.ValidIssuer and ValidIssuers passed to the custom validation method:
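Added example, not code from the original post: an issuer validator that pins the allowed issuers in a closure at startup instead of consulting parameters.ValidIssuer/ValidIssuers, which the post shows being populated with the STS value by the time validation runs. The STS URL, the expected issuer and the unsigned token are constructed; it assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

// Issuer validator closed over an explicit allow-list fixed at startup.
// It ignores whatever the handler merged into parameters.ValidIssuers.
static class PinnedIssuerValidator
{
    public static IssuerValidator Create(params string[] allowedIssuers)
    {
        var allowed = new HashSet<string>(allowedIssuers, StringComparer.Ordinal);
        return (issuer, token, parameters) =>
        {
            // Deliberately not reading parameters.ValidIssuer or ValidIssuers:
            // the debug session in the post shows them holding the STS value at runtime.
            if (!string.IsNullOrEmpty(issuer) && allowed.Contains(issuer))
                return issuer;
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' is not in the pinned allow-list: [{string.Join(", ", allowed)}].")
            { InvalidIssuer = issuer };
        };
    }
}

static class Program
{
    static void Main()
    {
        const string sts = "https://sts.example.test/"; // constructed sample STS issuer
        // Constructed, unsigned token: only the iss claim matters for this check.
        var jwt = new JwtSecurityToken(issuer: sts);
        // Reproduces the parameter state from the post: ValidIssuer is the deliberately
        // wrong value, while ValidIssuers already contains the STS issuer.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = sts + "_validationError",
            ValidIssuers = new[] { sts },
        };
        var validator = PinnedIssuerValidator.Create("https://expected.example.test/");
        try
        {
            validator(jwt.Issuer, jwt, parameters);
            Console.WriteLine("accepted (not expected with a pinned allow-list)");
        }
        catch (SecurityTokenInvalidIssuerException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

Assign `IssuerValidator = PinnedIssuerValidator.Create(expectedIssuer)` in TokenValidationParameters to get the same strict behaviour inside the handler.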