The Project
This article uses IdentityServer4 enriched with ASP.NET Identity to get access to UserManager and SignInManager. The binding between the two is provided by the IdentityServer4.AspIdentity NuGet package, which registers:
ProfileServiceUserClaimsFactoryResourceOwnerPasswordValidatorSecurityStampValidator
A custom Mongo-based UserStore is used. The goal: allow users to log in with their email, username, or confirmed phone number. AddComXIdentity() registers IdentityCore, SignInManager, default token providers, and the user store.

The Problem
The token request passes an email as the username field. The built-in ResourceOwnerPasswordValidator in IdentityServer4.AspNetIdentity only receives a username and password — it doesn't support lookup by email or phone.


The validator is invoked from TokenRequestValidator:

The Solution
The trick is to use a decorator — the same pattern used internally by IdentityServer4.AspNetIdentity. The decorator wraps the existing validator and adds the extra lookup logic. The ClaimsFactory pattern in the library provides a good example to follow:

The custom validator attempts lookup by username first, then falls back to email and confirmed phone number:

Your user store must implement IQueryableUserStore to enable searching by properties other than the default username.
