Mark most of the infrastructure types as sealed

gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs

@@ -8,7 +8,7 @@ using Scriban;
 namespace OpenIddict.Client.WebIntegration.Generators
 {
     [Generator]
-    public class OpenIddictClientWebIntegrationGenerator : ISourceGenerator
+    public sealed class OpenIddictClientWebIntegrationGenerator : ISourceGenerator
     {
         public void Execute(GeneratorExecutionContext context)
         {
@@ -58,7 +58,7 @@ using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationCons
 
 namespace Microsoft.Extensions.DependencyInjection;
 
-public partial class OpenIddictClientWebIntegrationBuilder
+public sealed partial class OpenIddictClientWebIntegrationBuilder
 {
     {{~ for provider in providers ~}}
     /// <summary>
@@ -109,7 +109,7 @@ public partial class OpenIddictClientWebIntegrationBuilder
     /// <summary>
     /// Exposes the necessary methods required to configure the {{ provider.name }} integration.
     /// </summary>
-    public partial class {{ provider.name }}
+    public sealed partial class {{ provider.name }}
     {
         /// <summary>
         /// Initializes a new instance of <see cref=""OpenIddictClientWebIntegrationBuilder.{{ provider.name }}""/>.
@@ -433,14 +433,14 @@ using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationCons
 
 namespace OpenIddict.Client.WebIntegration;
 
-public partial class OpenIddictClientWebIntegrationConfiguration
+public sealed partial class OpenIddictClientWebIntegrationConfiguration
 {
     {{~ for provider in providers ~}}
     /// <summary>
     /// Contains the methods required to register the {{ provider.name }} integration in the OpenIddict client options.
     /// </summary>
-    public class {{ provider.name }} : IConfigureOptions<OpenIddictClientOptions>,
-                                       IPostConfigureOptions<OpenIddictClientWebIntegrationOptions.{{ provider.name }}>
+    public sealed class {{ provider.name }} : IConfigureOptions<OpenIddictClientOptions>,
+                                              IPostConfigureOptions<OpenIddictClientWebIntegrationOptions.{{ provider.name }}>
     {
         private readonly IServiceProvider _provider;
 
@@ -783,7 +783,7 @@ using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationCons
 
 namespace OpenIddict.Client.WebIntegration;
 
-public partial class OpenIddictClientWebIntegrationHelpers
+public static partial class OpenIddictClientWebIntegrationHelpers
 {
     {{~ for provider in providers ~}}
     /// <summary>
@@ -815,13 +815,13 @@ using Microsoft.IdentityModel.Tokens;
 
 namespace OpenIddict.Client.WebIntegration;
 
-public partial class OpenIddictClientWebIntegrationOptions
+public sealed partial class OpenIddictClientWebIntegrationOptions
 {
     {{~ for provider in providers ~}}
     /// <summary>
     /// Provides various options needed to configure the {{ provider.name }} integration.
     /// </summary>
-    public class {{ provider.name }}
+    public sealed class {{ provider.name }}
     {
         /// <summary>
         /// Gets or sets the client identifier.

src/OpenIddict.Abstractions/OpenIddictBuilder.cs

@@ -11,7 +11,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Provides a shared entry point allowing to configure the OpenIddict services.
 /// </summary>
-public class OpenIddictBuilder
+public sealed class OpenIddictBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictBuilder"/>.

src/OpenIddict.Abstractions/OpenIddictExceptions.cs

@@ -11,7 +11,7 @@ public static class OpenIddictExceptions
     /// <summary>
     /// Represents an OpenIddict concurrency exception.
     /// </summary>
-    public class ConcurrencyException : Exception
+    public sealed class ConcurrencyException : Exception
     {
         /// <summary>
         /// Creates a new <see cref="ConcurrencyException"/>.
@@ -36,7 +36,7 @@ public static class OpenIddictExceptions
     /// <summary>
     /// Represents an OpenIddict protocol exception.
     /// </summary>
-    public class ProtocolException : Exception
+    public sealed class ProtocolException : Exception
     {
         /// <summary>
         /// Creates a new <see cref="ProtocolException"/>.
@@ -102,7 +102,7 @@ public static class OpenIddictExceptions
     /// <summary>
     /// Represents an OpenIddict validation exception.
     /// </summary>
-    public class ValidationException : Exception
+    public sealed class ValidationException : Exception
     {
         /// <summary>
         /// Creates a new <see cref="ValidationException"/>.

src/OpenIddict.Abstractions/Primitives/OpenIddictConfiguration.cs

@@ -14,7 +14,7 @@ namespace OpenIddict.Abstractions;
 /// <remarks>
 /// Note: depending on the stack used to produce this instance, only a few select properties may be available.
 /// </remarks>
-public class OpenIddictConfiguration
+public sealed class OpenIddictConfiguration
 {
     /// <summary>
     /// Gets or sets the address of the authorization endpoint.
@@ -66,6 +66,11 @@ public class OpenIddictConfiguration
     /// </summary>
     public Uri? JwksUri { get; set; }
 
+    /// <summary>
+    /// Gets the additional properties.
+    /// </summary>
+    public Dictionary<string, object?> Properties { get; } = new(StringComparer.Ordinal);
+
     /// <summary>
     /// Gets the response mode supported by the server.
     /// </summary>

src/OpenIddict.Abstractions/Primitives/OpenIddictConverter.cs

@@ -12,7 +12,7 @@ namespace OpenIddict.Abstractions;
 /// <summary>
 /// Represents a JSON converter able to convert OpenIddict primitives.
 /// </summary>
-public class OpenIddictConverter : JsonConverter<OpenIddictMessage>
+public sealed class OpenIddictConverter : JsonConverter<OpenIddictMessage>
 {
     /// <summary>
     /// Determines whether the specified type is supported by this converter.

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreBuilder.cs

@@ -14,7 +14,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// Exposes the necessary methods required to configure
 /// the OpenIddict client ASP.NET Core integration.
 /// </summary>
-public class OpenIddictClientAspNetCoreBuilder
+public sealed class OpenIddictClientAspNetCoreBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictClientAspNetCoreBuilder"/>.

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreConfiguration.cs

@@ -11,9 +11,9 @@ namespace OpenIddict.Client.AspNetCore;
 /// <summary>
 /// Contains the methods required to ensure that the OpenIddict client configuration is valid.
 /// </summary>
-public class OpenIddictClientAspNetCoreConfiguration : IConfigureOptions<AuthenticationOptions>,
-                                                       IConfigureOptions<OpenIddictClientOptions>,
-                                                       IPostConfigureOptions<AuthenticationOptions>
+public sealed class OpenIddictClientAspNetCoreConfiguration : IConfigureOptions<AuthenticationOptions>,
+                                                              IConfigureOptions<OpenIddictClientOptions>,
+                                                              IPostConfigureOptions<AuthenticationOptions>
 {
     /// <summary>
     /// Registers the OpenIddict client handler in the global authentication options.

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreFeature.cs

@@ -9,7 +9,7 @@ namespace OpenIddict.Client.AspNetCore;
 /// <summary>
 /// Exposes the current client transaction to the ASP.NET Core host.
 /// </summary>
-public class OpenIddictClientAspNetCoreFeature
+public sealed class OpenIddictClientAspNetCoreFeature
 {
     /// <summary>
     /// Gets or sets the client transaction that encapsulates all specific

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.Client.AspNetCore;
 /// <summary>
 /// Provides the logic necessary to extract, validate and handle OpenID Connect requests.
 /// </summary>
-public class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<OpenIddictClientAspNetCoreOptions>,
+public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<OpenIddictClientAspNetCoreOptions>,
     IAuthenticationRequestHandler,
     IAuthenticationSignOutHandler
 {

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlerFilters.cs

@@ -19,7 +19,7 @@ public static class OpenIddictClientAspNetCoreHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if error pass-through was not enabled.
     /// </summary>
-    public class RequireErrorPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireErrorPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 
@@ -40,7 +40,7 @@ public static class OpenIddictClientAspNetCoreHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no ASP.NET Core request can be found.
     /// </summary>
-    public class RequireHttpRequest : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireHttpRequest : IOpenIddictClientHandlerFilter<BaseContext>
     {
         public ValueTask<bool> IsActiveAsync(BaseContext context)
         {
@@ -57,7 +57,7 @@ public static class OpenIddictClientAspNetCoreHandlerFilters
     /// Represents a filter that excludes the associated handlers if the
     /// pass-through mode was not enabled for the post-logout redirection endpoint.
     /// </summary>
-    public class RequirePostLogoutRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequirePostLogoutRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 
@@ -79,7 +79,7 @@ public static class OpenIddictClientAspNetCoreHandlerFilters
     /// Represents a filter that excludes the associated handlers if the
     /// pass-through mode was not enabled for the redirection endpoint.
     /// </summary>
-    public class RequireRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 
@@ -100,7 +100,7 @@ public static class OpenIddictClientAspNetCoreHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if status code pages support was not enabled.
     /// </summary>
-    public class RequireStatusCodePagesIntegrationEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireStatusCodePagesIntegrationEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.Authentication.cs

@@ -43,7 +43,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
         /// Contains the logic responsible for processing authorization requests using 302 redirects.
         /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
         /// </summary>
-        public class ProcessQueryRequest : IOpenIddictClientHandler<ApplyAuthorizationRequestContext>
+        public sealed class ProcessQueryRequest : IOpenIddictClientHandler<ApplyAuthorizationRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.Session.cs

@@ -43,7 +43,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
         /// Contains the logic responsible for processing authorization requests using 302 redirects.
         /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
         /// </summary>
-        public class ProcessQueryRequest : IOpenIddictClientHandler<ApplyLogoutRequestContext>
+        public sealed class ProcessQueryRequest : IOpenIddictClientHandler<ApplyLogoutRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandlers.cs

@@ -59,7 +59,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for inferring the endpoint type from the request address.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class InferEndpointType : IOpenIddictClientHandler<ProcessRequestContext>
+    public sealed class InferEndpointType : IOpenIddictClientHandler<ProcessRequestContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -148,7 +148,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for extracting OpenID Connect requests from GET or POST HTTP requests.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ExtractGetOrPostRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseValidatingContext
+    public sealed class ExtractGetOrPostRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseValidatingContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -228,7 +228,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for resolving the request forgery protection from the correlation cookie.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ResolveRequestForgeryProtection : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveRequestForgeryProtection : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 
@@ -351,7 +351,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for comparing the current request URL to the expected URL stored in the state token.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ValidateEndpointUri : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateEndpointUri : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -456,7 +456,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// ASP.NET Core authentication properties specified by the application that triggered the challenge operation.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ResolveHostChallengeProperties : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class ResolveHostChallengeProperties : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -556,7 +556,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// protection against state token injection, forged requests and session fixation attacks.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class GenerateLoginCorrelationCookie : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class GenerateLoginCorrelationCookie : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 
@@ -649,7 +649,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// ASP.NET Core authentication properties specified by the application that triggered the sign-out operation.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ResolveHostSignOutProperties : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class ResolveHostSignOutProperties : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -749,7 +749,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// protection against state token injection, forged requests and denial of service attacks.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class GenerateLogoutCorrelationCookie : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class GenerateLogoutCorrelationCookie : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientAspNetCoreOptions> _options;
 
@@ -840,7 +840,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for enabling the pass-through mode for the received request.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class EnablePassthroughMode<TContext, TFilter> : IOpenIddictClientHandler<TContext>
+    public sealed class EnablePassthroughMode<TContext, TFilter> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
         where TFilter : IOpenIddictClientHandlerFilter<TContext>
     {
@@ -874,7 +874,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for attaching an appropriate HTTP status code.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class AttachHttpResponseCode<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+    public sealed class AttachHttpResponseCode<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -917,7 +917,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for attaching the appropriate HTTP response cache headers.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class AttachCacheControlHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+    public sealed class AttachCacheControlHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -957,7 +957,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// middleware in the pipeline at a later stage (e.g an ASP.NET Core MVC action or a NancyFX module).
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ProcessPassthroughErrorResponse<TContext, TFilter> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessPassthroughErrorResponse<TContext, TFilter> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
         where TFilter : IOpenIddictClientHandlerFilter<TContext>
     {
@@ -999,7 +999,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for processing OpenID Connect responses handled by the status code pages middleware.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ProcessStatusCodePagesErrorResponse<TContext> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessStatusCodePagesErrorResponse<TContext> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
     {
         /// <summary>
@@ -1056,7 +1056,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for processing context responses that must be returned as plain-text.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ProcessLocalErrorResponse<TContext> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessLocalErrorResponse<TContext> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
     {
         /// <summary>
@@ -1130,7 +1130,7 @@ public static partial class OpenIddictClientAspNetCoreHandlers
     /// Contains the logic responsible for processing OpenID Connect responses that don't specify any parameter.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by ASP.NET Core.
     /// </summary>
-    public class ProcessEmptyResponse<TContext> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessEmptyResponse<TContext> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
     {
         /// <summary>

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreOptions.cs

@@ -11,7 +11,7 @@ namespace OpenIddict.Client.AspNetCore;
 /// <summary>
 /// Provides various settings needed to configure the OpenIddict ASP.NET Core client integration.
 /// </summary>
-public class OpenIddictClientAspNetCoreOptions : AuthenticationSchemeOptions
+public sealed class OpenIddictClientAspNetCoreOptions : AuthenticationSchemeOptions
 {
     /// <summary>
     /// Gets or sets a boolean indicating whether the pass-through mode is enabled for the post-logout redirection endpoint.

src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionBuilder.cs

@@ -14,7 +14,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// Exposes the necessary methods required to configure the
 /// OpenIddict ASP.NET Core Data Protection integration.
 /// </summary>
-public class OpenIddictClientDataProtectionBuilder
+public sealed class OpenIddictClientDataProtectionBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictClientDataProtectionBuilder"/>.

src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionConfiguration.cs

@@ -12,8 +12,8 @@ namespace OpenIddict.Client.DataProtection;
 /// <summary>
 /// Contains the methods required to ensure that the OpenIddict ASP.NET Core Data Protection configuration is valid.
 /// </summary>
-public class OpenIddictClientDataProtectionConfiguration : IConfigureOptions<OpenIddictClientOptions>,
-                                                           IPostConfigureOptions<OpenIddictClientDataProtectionOptions>
+public sealed class OpenIddictClientDataProtectionConfiguration : IConfigureOptions<OpenIddictClientOptions>,
+                                                                  IPostConfigureOptions<OpenIddictClientDataProtectionOptions>
 {
     private readonly IDataProtectionProvider _dataProtectionProvider;
 

src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionFormatter.cs

@@ -13,7 +13,7 @@ using Properties = OpenIddict.Client.DataProtection.OpenIddictClientDataProtecti
 
 namespace OpenIddict.Client.DataProtection;
 
-public class OpenIddictClientDataProtectionFormatter : IOpenIddictClientDataProtectionFormatter
+public sealed class OpenIddictClientDataProtectionFormatter : IOpenIddictClientDataProtectionFormatter
 {
     public ClaimsPrincipal ReadToken(BinaryReader reader)
     {

src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlerFilters.cs

@@ -15,7 +15,7 @@ public static class OpenIddictClientDataProtectionHandlerFilters
     /// Represents a filter that excludes the associated handlers if
     /// the selected token format is not ASP.NET Core Data Protection.
     /// </summary>
-    public class RequireDataProtectionTokenFormat : IOpenIddictClientHandlerFilter<GenerateTokenContext>
+    public sealed class RequireDataProtectionTokenFormat : IOpenIddictClientHandlerFilter<GenerateTokenContext>
     {
         public ValueTask<bool> IsActiveAsync(GenerateTokenContext context)
         {

src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs

@@ -35,7 +35,7 @@ public static partial class OpenIddictClientDataProtectionHandlers
         /// <summary>
         /// Contains the logic responsible for validating tokens generated using Data Protection.
         /// </summary>
-        public class ValidateDataProtectionToken : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ValidateDataProtectionToken : IOpenIddictClientHandler<ValidateTokenContext>
         {
             private readonly IOptionsMonitor<OpenIddictClientDataProtectionOptions> _options;
 
@@ -138,7 +138,7 @@ public static partial class OpenIddictClientDataProtectionHandlers
         /// Contains the logic responsible for overriding the default token format
         /// to generate ASP.NET Core Data Protection tokens instead of JSON Web Tokens.
         /// </summary>
-        public class OverrideGeneratedTokenFormat : IOpenIddictClientHandler<GenerateTokenContext>
+        public sealed class OverrideGeneratedTokenFormat : IOpenIddictClientHandler<GenerateTokenContext>
         {
             private readonly IOptionsMonitor<OpenIddictClientDataProtectionOptions> _options;
 
@@ -184,7 +184,7 @@ public static partial class OpenIddictClientDataProtectionHandlers
         /// <summary>
         /// Contains the logic responsible for generating a token using Data Protection.
         /// </summary>
-        public class GenerateDataProtectionToken : IOpenIddictClientHandler<GenerateTokenContext>
+        public sealed class GenerateDataProtectionToken : IOpenIddictClientHandler<GenerateTokenContext>
         {
             private readonly IOptionsMonitor<OpenIddictClientDataProtectionOptions> _options;
 

src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionOptions.cs

@@ -12,7 +12,7 @@ namespace OpenIddict.Client.DataProtection;
 /// Provides various settings needed to configure the OpenIddict
 /// ASP.NET Core Data Protection server integration.
 /// </summary>
-public class OpenIddictClientDataProtectionOptions
+public sealed class OpenIddictClientDataProtectionOptions
 {
     /// <summary>
     /// Gets or sets the data protection provider used to create the default

src/OpenIddict.Client.Owin/OpenIddictClientOwinBuilder.cs

@@ -14,7 +14,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// Exposes the necessary methods required to configure
 /// the OpenIddict client OWIN/Katana integration.
 /// </summary>
-public class OpenIddictClientOwinBuilder
+public sealed class OpenIddictClientOwinBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictClientOwinBuilder"/>.

src/OpenIddict.Client.Owin/OpenIddictClientOwinConfiguration.cs

@@ -11,8 +11,8 @@ namespace OpenIddict.Client.Owin;
 /// <summary>
 /// Contains the methods required to ensure that the OpenIddict client configuration is valid.
 /// </summary>
-public class OpenIddictClientOwinConfiguration : IConfigureOptions<OpenIddictClientOptions>,
-                                                 IPostConfigureOptions<OpenIddictClientOwinOptions>
+public sealed class OpenIddictClientOwinConfiguration : IConfigureOptions<OpenIddictClientOptions>,
+                                                        IPostConfigureOptions<OpenIddictClientOwinOptions>
 {
     public void Configure(OpenIddictClientOptions options)
     {

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs

@@ -16,7 +16,7 @@ namespace OpenIddict.Client.Owin;
 /// <summary>
 /// Provides the entry point necessary to register the OpenIddict client in an OWIN pipeline.
 /// </summary>
-public class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddictClientOwinOptions>
+public sealed class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddictClientOwinOptions>
 {
     private readonly IOpenIddictClientDispatcher _dispatcher;
     private readonly IOpenIddictClientFactory _factory;

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlerFilters.cs

@@ -20,7 +20,7 @@ public static class OpenIddictClientOwinHandlerFilters
     /// Represents a filter that excludes the associated handlers if the
     /// pass-through mode was not enabled for the post-logout redirection endpoint.
     /// </summary>
-    public class RequirePostLogoutRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequirePostLogoutRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientOwinOptions> _options;
 
@@ -42,7 +42,7 @@ public static class OpenIddictClientOwinHandlerFilters
     /// Represents a filter that excludes the associated handlers if the
     /// pass-through mode was not enabled for the redirection endpoint.
     /// </summary>
-    public class RequireRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireRedirectionEndpointPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientOwinOptions> _options;
 
@@ -63,7 +63,7 @@ public static class OpenIddictClientOwinHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if error pass-through was not enabled.
     /// </summary>
-    public class RequireErrorPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireErrorPassthroughEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientOwinOptions> _options;
 
@@ -84,7 +84,7 @@ public static class OpenIddictClientOwinHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no OWIN request can be found.
     /// </summary>
-    public class RequireOwinRequest : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireOwinRequest : IOpenIddictClientHandlerFilter<BaseContext>
     {
         public ValueTask<bool> IsActiveAsync(BaseContext context)
         {

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.Authentication.cs

@@ -43,7 +43,7 @@ public static partial class OpenIddictClientOwinHandlers
         /// Contains the logic responsible for processing authorization requests using 302 redirects.
         /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
         /// </summary>
-        public class ProcessQueryRequest : IOpenIddictClientHandler<ApplyAuthorizationRequestContext>
+        public sealed class ProcessQueryRequest : IOpenIddictClientHandler<ApplyAuthorizationRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.Session.cs

@@ -41,7 +41,7 @@ public static partial class OpenIddictClientOwinHandlers
         /// Contains the logic responsible for processing authorization requests using 302 redirects.
         /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
         /// </summary>
-        public class ProcessQueryRequest : IOpenIddictClientHandler<ApplyLogoutRequestContext>
+        public sealed class ProcessQueryRequest : IOpenIddictClientHandler<ApplyLogoutRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandlers.cs

@@ -55,7 +55,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for inferring the endpoint type from the request address.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class InferEndpointType : IOpenIddictClientHandler<ProcessRequestContext>
+    public sealed class InferEndpointType : IOpenIddictClientHandler<ProcessRequestContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -147,7 +147,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for extracting OpenID Connect requests from GET or POST HTTP requests.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ExtractGetOrPostRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseValidatingContext
+    public sealed class ExtractGetOrPostRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseValidatingContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -227,7 +227,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for resolving the request forgery protection from the correlation cookie.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ResolveRequestForgeryProtection : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveRequestForgeryProtection : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientOwinOptions> _options;
 
@@ -359,7 +359,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for comparing the current request URL to the expected URL stored in the state token.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ValidateEndpointUri : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateEndpointUri : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -467,7 +467,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// OWIN authentication properties specified by the application that triggered the challenge operation.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ResolveHostChallengeProperties : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class ResolveHostChallengeProperties : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -585,7 +585,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// protection against state token injection, forged requests and session fixation attacks.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class GenerateLoginCorrelationCookie : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class GenerateLoginCorrelationCookie : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientOwinOptions> _options;
 
@@ -686,7 +686,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// OWIN authentication properties specified by the application that triggered the sign-out operation.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ResolveHostSignOutProperties : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class ResolveHostSignOutProperties : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -804,7 +804,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// protection against state token injection, forged requests and denial of service attacks.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class GenerateLogoutCorrelationCookie : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class GenerateLogoutCorrelationCookie : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         private readonly IOptionsMonitor<OpenIddictClientOwinOptions> _options;
 
@@ -903,7 +903,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for enabling the pass-through mode for the received request.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class EnablePassthroughMode<TContext, TFilter> : IOpenIddictClientHandler<TContext>
+    public sealed class EnablePassthroughMode<TContext, TFilter> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
         where TFilter : IOpenIddictClientHandlerFilter<TContext>
     {
@@ -937,7 +937,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for attaching an appropriate HTTP status code.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class AttachHttpResponseCode<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+    public sealed class AttachHttpResponseCode<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -980,7 +980,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for attaching an OWIN response chalenge to the context, if necessary.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class AttachOwinResponseChallenge<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+    public sealed class AttachOwinResponseChallenge<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1032,7 +1032,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for suppressing the redirection applied by FormsAuthenticationModule, if necessary.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class SuppressFormsAuthenticationRedirect<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+    public sealed class SuppressFormsAuthenticationRedirect<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1099,7 +1099,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for attaching the appropriate HTTP response cache headers.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class AttachCacheControlHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+    public sealed class AttachCacheControlHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1139,7 +1139,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// middleware in the pipeline at a later stage (e.g an ASP.NET MVC action or a NancyFX module).
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ProcessPassthroughErrorResponse<TContext, TFilter> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessPassthroughErrorResponse<TContext, TFilter> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
         where TFilter : IOpenIddictClientHandlerFilter<TContext>
     {
@@ -1181,7 +1181,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for processing context responses that must be returned as plain-text.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ProcessLocalErrorResponse<TContext> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessLocalErrorResponse<TContext> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
     {
         /// <summary>
@@ -1255,7 +1255,7 @@ public static partial class OpenIddictClientOwinHandlers
     /// Contains the logic responsible for processing OpenID Connect responses that don't specify any parameter.
     /// Note: this handler is not used when the OpenID Connect request is not initially handled by OWIN.
     /// </summary>
-    public class ProcessEmptyResponse<TContext> : IOpenIddictClientHandler<TContext>
+    public sealed class ProcessEmptyResponse<TContext> : IOpenIddictClientHandler<TContext>
         where TContext : BaseRequestContext
     {
         /// <summary>

src/OpenIddict.Client.Owin/OpenIddictClientOwinMiddleware.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.Client.Owin;
 /// that support middleware resolution, like Autofac. Since it depends on scoped services,
 /// it is NOT recommended to instantiate it as a singleton like a regular OWIN middleware.
 /// </summary>
-public class OpenIddictClientOwinMiddleware : AuthenticationMiddleware<OpenIddictClientOwinOptions>
+public sealed class OpenIddictClientOwinMiddleware : AuthenticationMiddleware<OpenIddictClientOwinOptions>
 {
     private readonly IOpenIddictClientDispatcher _dispatcher;
     private readonly IOpenIddictClientFactory _factory;

src/OpenIddict.Client.Owin/OpenIddictClientOwinMiddlewareFactory.cs

@@ -13,7 +13,7 @@ namespace OpenIddict.Client.Owin;
 /// Provides the entry point necessary to instantiate and register the scoped
 /// <see cref="OpenIddictClientOwinMiddleware"/> in an OWIN/Katana pipeline.
 /// </summary>
-public class OpenIddictClientOwinMiddlewareFactory : OwinMiddleware
+public sealed class OpenIddictClientOwinMiddlewareFactory : OwinMiddleware
 {
     /// <summary>
     /// Creates a new instance of the <see cref="OpenIddictClientOwinMiddlewareFactory"/> class.

src/OpenIddict.Client.Owin/OpenIddictClientOwinOptions.cs

@@ -11,7 +11,7 @@ namespace OpenIddict.Client.Owin;
 /// <summary>
 /// Provides various settings needed to configure the OpenIddict OWIN client integration.
 /// </summary>
-public class OpenIddictClientOwinOptions : AuthenticationOptions
+public sealed class OpenIddictClientOwinOptions : AuthenticationOptions
 {
     /// <summary>
     /// Creates a new instance of the <see cref="OpenIddictClientOwinOptions"/> class.

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpBuilder.cs

@@ -15,7 +15,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Exposes the necessary methods required to configure the OpenIddict client/System.Net.Http integration.
 /// </summary>
-public class OpenIddictClientSystemNetHttpBuilder
+public sealed class OpenIddictClientSystemNetHttpBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictClientBuilder"/>.

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpConfiguration.cs

@@ -13,8 +13,8 @@ namespace OpenIddict.Client.SystemNetHttp;
 /// <summary>
 /// Contains the methods required to ensure that the OpenIddict client/System.Net.Http integration configuration is valid.
 /// </summary>
-public class OpenIddictClientSystemNetHttpConfiguration : IConfigureOptions<OpenIddictClientOptions>,
-                                                          IConfigureNamedOptions<HttpClientFactoryOptions>
+public sealed class OpenIddictClientSystemNetHttpConfiguration : IConfigureOptions<OpenIddictClientOptions>,
+                                                                 IConfigureNamedOptions<HttpClientFactoryOptions>
 {
 #if !SUPPORTS_SERVICE_PROVIDER_IN_HTTP_MESSAGE_HANDLER_BUILDER
     private readonly IServiceProvider _provider;

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlerFilters.cs

@@ -14,7 +14,7 @@ public static class OpenIddictClientSystemNetHttpHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if the metadata address of the issuer is not available.
     /// </summary>
-    public class RequireHttpMetadataAddress : IOpenIddictClientHandlerFilter<BaseExternalContext>
+    public sealed class RequireHttpMetadataAddress : IOpenIddictClientHandlerFilter<BaseExternalContext>
     {
         public ValueTask<bool> IsActiveAsync(BaseExternalContext context)
         {

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.Exchange.cs

@@ -39,7 +39,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
         /// <summary>
         /// Contains the logic responsible for attaching the client credentials to the HTTP Authorization header.
         /// </summary>
-        public class AttachBasicAuthenticationCredentials : IOpenIddictClientHandler<PrepareTokenRequestContext>
+        public sealed class AttachBasicAuthenticationCredentials : IOpenIddictClientHandler<PrepareTokenRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.Userinfo.cs

@@ -40,7 +40,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
         /// <summary>
         /// Contains the logic responsible for attaching the access token to the HTTP Authorization header.
         /// </summary>
-        public class AttachBearerAccessToken : IOpenIddictClientHandler<PrepareUserinfoRequestContext>
+        public sealed class AttachBearerAccessToken : IOpenIddictClientHandler<PrepareUserinfoRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -81,7 +81,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the response from the userinfo response.
         /// </summary>
-        public class ExtractUserinfoTokenHttpResponse : IOpenIddictClientHandler<ExtractUserinfoResponseContext>
+        public sealed class ExtractUserinfoTokenHttpResponse : IOpenIddictClientHandler<ExtractUserinfoResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.cs

@@ -30,7 +30,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for preparing an HTTP GET request message.
     /// </summary>
-    public class PrepareGetHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class PrepareGetHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -62,7 +62,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for preparing an HTTP POST request message.
     /// </summary>
-    public class PreparePostHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class PreparePostHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -95,7 +95,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// Contains the logic responsible for attaching the appropriate HTTP
     /// Accept-* headers to the HTTP request message to receive JSON responses.
     /// </summary>
-    public class AttachJsonAcceptHeaders<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class AttachJsonAcceptHeaders<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -135,7 +135,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the user agent to the HTTP request.
     /// </summary>
-    public class AttachUserAgentHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class AttachUserAgentHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         private readonly IOptionsMonitor<OpenIddictClientSystemNetHttpOptions> _options;
 
@@ -189,7 +189,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the query string parameters to the HTTP request.
     /// </summary>
-    public class AttachQueryStringParameters<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class AttachQueryStringParameters<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -234,7 +234,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the form parameters to the HTTP request.
     /// </summary>
-    public class AttachFormParameters<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class AttachFormParameters<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -276,7 +276,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for sending the HTTP request to the remote server.
     /// </summary>
-    public class SendHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class SendHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         private readonly IHttpClientFactory _factory;
 
@@ -354,7 +354,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for disposing of the HTTP request message.
     /// </summary>
-    public class DisposeHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class DisposeHttpRequest<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -392,7 +392,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for decompressing the returned HTTP content.
     /// </summary>
-    public class DecompressResponseContent<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class DecompressResponseContent<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -531,7 +531,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for extracting the response from the JSON-encoded HTTP body.
     /// </summary>
-    public class ExtractJsonHttpResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class ExtractJsonHttpResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -599,7 +599,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for extracting errors from WWW-Authenticate headers.
     /// </summary>
-    public class ExtractWwwAuthenticateHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class ExtractWwwAuthenticateHeader<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -682,7 +682,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for extracting errors from WWW-Authenticate headers.
     /// </summary>
-    public class ValidateHttpResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class ValidateHttpResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -752,7 +752,7 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
     /// <summary>
     /// Contains the logic responsible for disposing of the HTTP response message.
     /// </summary>
-    public class DisposeHttpResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
+    public sealed class DisposeHttpResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseExternalContext
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpOptions.cs

@@ -14,7 +14,7 @@ namespace OpenIddict.Client.SystemNetHttp;
 /// <summary>
 /// Provides various settings needed to configure the OpenIddict client/System.Net.Http integration.
 /// </summary>
-public class OpenIddictClientSystemNetHttpOptions
+public sealed class OpenIddictClientSystemNetHttpOptions
 {
     /// <summary>
     /// Gets or sets the HTTP Polly error policy used by the internal OpenIddict HTTP clients.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationBuilder.cs

@@ -6,11 +6,11 @@
 
 using System.ComponentModel;
 using OpenIddict.Client.WebIntegration;
-using OpenIddict.Extensions;
 
 #if SUPPORTS_PEM_ENCODED_KEY_IMPORT
 using System.Security.Cryptography;
 using Microsoft.IdentityModel.Tokens;
+using OpenIddict.Extensions;
 #endif
 
 namespace Microsoft.Extensions.DependencyInjection;
@@ -18,7 +18,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Exposes the necessary methods required to configure the OpenIddict client services.
 /// </summary>
-public partial class OpenIddictClientWebIntegrationBuilder
+public sealed partial class OpenIddictClientWebIntegrationBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictClientWebIntegrationBuilder"/>.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationConfiguration.cs

@@ -11,7 +11,7 @@ namespace OpenIddict.Client.WebIntegration;
 /// <summary>
 /// Contains the methods required to ensure that the OpenIddict client Web integration configuration is valid.
 /// </summary>
-public partial class OpenIddictClientWebIntegrationConfiguration : IConfigureOptions<OpenIddictClientOptions>
+public sealed partial class OpenIddictClientWebIntegrationConfiguration : IConfigureOptions<OpenIddictClientOptions>
 {
     /// <summary>
     /// Populates the default OpenIddict client Web integration options

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs

@@ -26,7 +26,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// <summary>
         /// Contains the logic responsible for amending the issuer for the providers that require it.
         /// </summary>
-        public class AmendIssuer : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class AmendIssuer : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -67,7 +67,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// Contains the logic responsible for amending the supported
         /// client authentication methods for the providers that require it.
         /// </summary>
-        public class AmendClientAuthenticationMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class AmendClientAuthenticationMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -108,7 +108,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// Contains the logic responsible for amending the supported
         /// code challenge methods for the providers that require it.
         /// </summary>
-        public class AmendCodeChallengeMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class AmendCodeChallengeMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -145,7 +145,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// <summary>
         /// Contains the logic responsible for amending the endpoint URIs for the providers that require it.
         /// </summary>
-        public class AmendEndpoints : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class AmendEndpoints : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Exchange.cs

@@ -31,7 +31,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// Contains the logic responsible for attaching non-standard query string
         /// parameters to the token request for the providers that require it.
         /// </summary>
-        public class AttachNonStandardQueryStringParameters : IOpenIddictClientHandler<PrepareTokenRequestContext>
+        public sealed class AttachNonStandardQueryStringParameters : IOpenIddictClientHandler<PrepareTokenRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -79,7 +79,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// Contains the logic responsible for attaching non-standard query string
         /// parameters to the token request for the providers that require it.
         /// </summary>
-        public class MapNonStandardResponseParameters : IOpenIddictClientHandler<ExtractTokenResponseContext>
+        public sealed class MapNonStandardResponseParameters : IOpenIddictClientHandler<ExtractTokenResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Protection.cs

@@ -23,7 +23,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// <summary>
         /// Contains the logic responsible for amending the token validation parameters for the providers that require it.
         /// </summary>
-        public class AmendTokenValidationParameters : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class AmendTokenValidationParameters : IOpenIddictClientHandler<ValidateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Userinfo.cs

@@ -32,7 +32,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// Contains the logic responsible for attaching the access token
         /// parameter to the request for the providers that require it.
         /// </summary>
-        public class AttachAccessTokenParameter : IOpenIddictClientHandler<PrepareUserinfoRequestContext>
+        public sealed class AttachAccessTokenParameter : IOpenIddictClientHandler<PrepareUserinfoRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -76,7 +76,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
         /// Contains the logic responsible for extracting the userinfo response
         /// from nested JSON nodes (e.g "data") for the providers that require it.
         /// </summary>
-        public class UnwrapUserinfoResponse : IOpenIddictClientHandler<ExtractUserinfoResponseContext>
+        public sealed class UnwrapUserinfoResponse : IOpenIddictClientHandler<ExtractUserinfoResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs

@@ -42,7 +42,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for handling non-standard
     /// authorization errors for the providers that require it.
     /// </summary>
-    public class HandleNonStandardFrontchannelErrorResponse : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class HandleNonStandardFrontchannelErrorResponse : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -110,7 +110,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for amending the client
     /// assertion methods for the providers that require it.
     /// </summary>
-    public class AttachNonStandardClientAssertionTokenClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AttachNonStandardClientAssertionTokenClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -154,7 +154,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for attaching custom client credentials
     /// parameters to the token request for the providers that require it.
     /// </summary>
-    public class AttachTokenRequestNonStandardClientCredentials : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AttachTokenRequestNonStandardClientCredentials : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -199,7 +199,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for attaching custom client credentials
     /// parameters to the token request for the providers that require it.
     /// </summary>
-    public class AdjustRedirectUriInTokenRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AdjustRedirectUriInTokenRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -254,7 +254,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for overriding the set
     /// of required tokens for the providers that require it.
     /// </summary>
-    public class OverrideValidatedBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class OverrideValidatedBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -295,7 +295,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for attaching additional parameters
     /// to the userinfo request for the providers that require it.
     /// </summary>
-    public class AttachAdditionalUserinfoRequestParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AttachAdditionalUserinfoRequestParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -357,7 +357,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// <summary>
     /// Contains the logic responsible for overriding response mode for providers that require it.
     /// </summary>
-    public class OverrideResponseMode : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class OverrideResponseMode : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -397,7 +397,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for overriding the standard "scope"
     /// parameter for providers that are known to use a non-standard format.
     /// </summary>
-    public class FormatNonStandardScopeParameter : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class FormatNonStandardScopeParameter : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -435,7 +435,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
     /// Contains the logic responsible for persisting the state parameter in the redirect URI for
     /// providers that don't support it but allow arbitrary dynamic parameters in redirect_uri.
     /// </summary>
-    public class IncludeStateParameterInRedirectUri : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class IncludeStateParameterInRedirectUri : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationOptions.cs

@@ -9,7 +9,7 @@ namespace OpenIddict.Client.WebIntegration;
 /// <summary>
 /// Provides various settings needed to configure the OpenIddict client Web integration.
 /// </summary>
-public partial class OpenIddictClientWebIntegrationOptions
+public sealed partial class OpenIddictClientWebIntegrationOptions
 {
     // Note: provider options are automatically generated by the source generator.
 }

src/OpenIddict.Client/OpenIddictClientBuilder.cs

@@ -20,7 +20,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Exposes the necessary methods required to configure the OpenIddict client services.
 /// </summary>
-public class OpenIddictClientBuilder
+public sealed class OpenIddictClientBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictClientBuilder"/>.

src/OpenIddict.Client/OpenIddictClientConfiguration.cs

@@ -14,7 +14,7 @@ namespace OpenIddict.Client;
 /// <summary>
 /// Contains the methods required to ensure that the OpenIddict client configuration is valid.
 /// </summary>
-public class OpenIddictClientConfiguration : IPostConfigureOptions<OpenIddictClientOptions>
+public sealed class OpenIddictClientConfiguration : IPostConfigureOptions<OpenIddictClientOptions>
 {
     private readonly OpenIddictClientService _service;
 

src/OpenIddict.Client/OpenIddictClientDispatcher.cs

@@ -9,7 +9,7 @@ using Microsoft.Extensions.Options;
 
 namespace OpenIddict.Client;
 
-public class OpenIddictClientDispatcher : IOpenIddictClientDispatcher
+public sealed class OpenIddictClientDispatcher : IOpenIddictClientDispatcher
 {
     private readonly ILogger<OpenIddictClientDispatcher> _logger;
     private readonly IOptionsMonitor<OpenIddictClientOptions> _options;

src/OpenIddict.Client/OpenIddictClientEvents.Authentication.cs

@@ -14,7 +14,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the authorization endpoint to give the user code
     /// a chance to manually update the authorization request before it is sent to the identity provider.
     /// </summary>
-    public class PrepareAuthorizationRequestContext : BaseValidatingContext
+    public sealed class PrepareAuthorizationRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareAuthorizationRequestContext"/> class.
@@ -43,7 +43,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the authorization endpoint
     /// to give the user code a chance to manually send the authorization request.
     /// </summary>
-    public class ApplyAuthorizationRequestContext : BaseValidatingContext
+    public sealed class ApplyAuthorizationRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareAuthorizationRequestContext"/> class.
@@ -69,7 +69,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the redirection endpoint to give the user code
     /// a chance to manually extract the redirection request from the ambient HTTP context.
     /// </summary>
-    public class ExtractRedirectionRequestContext : BaseValidatingContext
+    public sealed class ExtractRedirectionRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ExtractRedirectionRequestContext"/> class.
@@ -93,7 +93,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the redirection endpoint
     /// to determine if the request is valid and should continue to be processed.
     /// </summary>
-    public class ValidateRedirectionRequestContext : BaseValidatingContext
+    public sealed class ValidateRedirectionRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ValidateRedirectionRequestContext"/> class.
@@ -130,7 +130,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each validated redirection request
     /// to allow the user code to decide how the request should be handled.
     /// </summary>
-    public class HandleRedirectionRequestContext : BaseValidatingTicketContext
+    public sealed class HandleRedirectionRequestContext : BaseValidatingTicketContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="HandleRedirectionRequestContext"/> class.
@@ -159,7 +159,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called before the redirection response is returned to the caller.
     /// </summary>
-    public class ApplyRedirectionResponseContext : BaseRequestContext
+    public sealed class ApplyRedirectionResponseContext : BaseRequestContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ApplyRedirectionResponseContext"/> class.

src/OpenIddict.Client/OpenIddictClientEvents.Discovery.cs

@@ -14,7 +14,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the configuration endpoint
     /// to give the user code a chance to add parameters to the configuration request.
     /// </summary>
-    public class PrepareConfigurationRequestContext : BaseExternalContext
+    public sealed class PrepareConfigurationRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareConfigurationRequestContext"/> class.
@@ -38,7 +38,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the configuration endpoint
     /// to send the configuration request to the remote authorization server.
     /// </summary>
-    public class ApplyConfigurationRequestContext : BaseExternalContext
+    public sealed class ApplyConfigurationRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ApplyConfigurationRequestContext"/> class.
@@ -62,7 +62,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each configuration response
     /// to extract the response parameters from the server response.
     /// </summary>
-    public class ExtractConfigurationResponseContext : BaseExternalContext
+    public sealed class ExtractConfigurationResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ExtractConfigurationResponseContext"/> class.
@@ -94,7 +94,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called for each validated configuration response.
     /// </summary>
-    public class HandleConfigurationResponseContext : BaseExternalContext
+    public sealed class HandleConfigurationResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="HandleConfigurationResponseContext"/> class.
@@ -126,7 +126,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the cryptography endpoint
     /// to give the user code a chance to add parameters to the cryptography request.
     /// </summary>
-    public class PrepareCryptographyRequestContext : BaseExternalContext
+    public sealed class PrepareCryptographyRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareCryptographyRequestContext"/> class.
@@ -150,7 +150,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the cryptography endpoint
     /// to send the cryptography request to the remote authorization server.
     /// </summary>
-    public class ApplyCryptographyRequestContext : BaseExternalContext
+    public sealed class ApplyCryptographyRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ApplyCryptographyRequestContext"/> class.
@@ -174,7 +174,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each cryptography response
     /// to extract the response parameters from the server response.
     /// </summary>
-    public class ExtractCryptographyResponseContext : BaseExternalContext
+    public sealed class ExtractCryptographyResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ExtractCryptographyResponseContext"/> class.
@@ -206,7 +206,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called for each validated cryptography response.
     /// </summary>
-    public class HandleCryptographyResponseContext : BaseExternalContext
+    public sealed class HandleCryptographyResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="HandleCryptographyResponseContext"/> class.

src/OpenIddict.Client/OpenIddictClientEvents.Exchange.cs

@@ -14,7 +14,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the token endpoint
     /// to give the user code a chance to add parameters to the token request.
     /// </summary>
-    public class PrepareTokenRequestContext : BaseExternalContext
+    public sealed class PrepareTokenRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareTokenRequestContext"/> class.
@@ -48,7 +48,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the token endpoint
     /// to send the token request to the remote authorization server.
     /// </summary>
-    public class ApplyTokenRequestContext : BaseExternalContext
+    public sealed class ApplyTokenRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ApplyTokenRequestContext"/> class.
@@ -72,7 +72,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each token response
     /// to extract the response parameters from the server response.
     /// </summary>
-    public class ExtractTokenResponseContext : BaseExternalContext
+    public sealed class ExtractTokenResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ExtractTokenResponseContext"/> class.
@@ -104,7 +104,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called for each token response.
     /// </summary>
-    public class HandleTokenResponseContext : BaseExternalContext
+    public sealed class HandleTokenResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="HandleTokenResponseContext"/> class.

src/OpenIddict.Client/OpenIddictClientEvents.Protection.cs

@@ -15,7 +15,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when generating a token.
     /// </summary>
-    public class GenerateTokenContext : BaseValidatingContext
+    public sealed class GenerateTokenContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="GenerateTokenContext"/> class.
@@ -85,7 +85,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when validating a token.
     /// </summary>
-    public class ValidateTokenContext : BaseValidatingContext
+    public sealed class ValidateTokenContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ValidateTokenContext"/> class.

src/OpenIddict.Client/OpenIddictClientEvents.Session.cs

@@ -14,7 +14,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the logout endpoint to give the user code
     /// a chance to manually update the logout request before it is sent to the identity provider.
     /// </summary>
-    public class PrepareLogoutRequestContext : BaseValidatingContext
+    public sealed class PrepareLogoutRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareLogoutRequestContext"/> class.
@@ -43,7 +43,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the logout endpoint
     /// to give the user code a chance to manually send the logout request.
     /// </summary>
-    public class ApplyLogoutRequestContext : BaseValidatingContext
+    public sealed class ApplyLogoutRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareLogoutRequestContext"/> class.
@@ -69,7 +69,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the post-logout redirection endpoint to give the user code
     /// a chance to manually extract the redirection request from the ambient HTTP context.
     /// </summary>
-    public class ExtractPostLogoutRedirectionRequestContext : BaseValidatingContext
+    public sealed class ExtractPostLogoutRedirectionRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ExtractPostLogoutRedirectionRequestContext"/> class.
@@ -93,7 +93,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the post-logout redirection endpoint
     /// to determine if the request is valid and should continue to be processed.
     /// </summary>
-    public class ValidatePostLogoutRedirectionRequestContext : BaseValidatingContext
+    public sealed class ValidatePostLogoutRedirectionRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ValidatePostLogoutRedirectionRequestContext"/> class.
@@ -130,7 +130,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each validated redirection request
     /// to allow the user code to decide how the request should be handled.
     /// </summary>
-    public class HandlePostLogoutRedirectionRequestContext : BaseValidatingTicketContext
+    public sealed class HandlePostLogoutRedirectionRequestContext : BaseValidatingTicketContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="HandlePostLogoutRedirectionRequestContext"/> class.
@@ -159,7 +159,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called before the redirection response is returned to the caller.
     /// </summary>
-    public class ApplyPostLogoutRedirectionResponseContext : BaseRequestContext
+    public sealed class ApplyPostLogoutRedirectionResponseContext : BaseRequestContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ApplyPostLogoutRedirectionResponseContext"/> class.

src/OpenIddict.Client/OpenIddictClientEvents.Userinfo.cs

@@ -14,7 +14,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the userinfo endpoint
     /// to give the user code a chance to add parameters to the userinfo request.
     /// </summary>
-    public class PrepareUserinfoRequestContext : BaseExternalContext
+    public sealed class PrepareUserinfoRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="PrepareUserinfoRequestContext"/> class.
@@ -38,7 +38,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each request to the userinfo endpoint
     /// to send the userinfo request to the remote authorization server.
     /// </summary>
-    public class ApplyUserinfoRequestContext : BaseExternalContext
+    public sealed class ApplyUserinfoRequestContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ApplyUserinfoRequestContext"/> class.
@@ -62,7 +62,7 @@ public static partial class OpenIddictClientEvents
     /// Represents an event called for each userinfo response
     /// to extract the response parameters from the server response.
     /// </summary>
-    public class ExtractUserinfoResponseContext : BaseExternalContext
+    public sealed class ExtractUserinfoResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ExtractUserinfoResponseContext"/> class.
@@ -99,7 +99,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called for each userinfo response.
     /// </summary>
-    public class HandleUserinfoResponseContext : BaseExternalContext
+    public sealed class HandleUserinfoResponseContext : BaseExternalContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="HandleUserinfoResponseContext"/> class.

src/OpenIddict.Client/OpenIddictClientEvents.cs

@@ -209,7 +209,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when processing an incoming request.
     /// </summary>
-    public class ProcessRequestContext : BaseValidatingContext
+    public sealed class ProcessRequestContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ProcessRequestContext"/> class.
@@ -223,7 +223,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when processing an errored response.
     /// </summary>
-    public class ProcessErrorContext : BaseRequestContext
+    public sealed class ProcessErrorContext : BaseRequestContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ProcessErrorContext"/> class.
@@ -275,7 +275,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when processing an authentication operation.
     /// </summary>
-    public class ProcessAuthenticationContext : BaseValidatingContext
+    public sealed class ProcessAuthenticationContext : BaseValidatingContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ProcessAuthenticationContext"/> class.
@@ -671,7 +671,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when processing a challenge response.
     /// </summary>
-    public class ProcessChallengeContext : BaseValidatingTicketContext
+    public sealed class ProcessChallengeContext : BaseValidatingTicketContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ProcessChallengeContext"/> class.
@@ -828,7 +828,7 @@ public static partial class OpenIddictClientEvents
     /// <summary>
     /// Represents an event called when processing a sign-out response.
     /// </summary>
-    public class ProcessSignOutContext : BaseValidatingTicketContext
+    public sealed class ProcessSignOutContext : BaseValidatingTicketContext
     {
         /// <summary>
         /// Creates a new instance of the <see cref="ProcessSignOutContext"/> class.

src/OpenIddict.Client/OpenIddictClientFactory.cs

@@ -9,7 +9,7 @@ using Microsoft.Extensions.Options;
 
 namespace OpenIddict.Client;
 
-public class OpenIddictClientFactory : IOpenIddictClientFactory
+public sealed class OpenIddictClientFactory : IOpenIddictClientFactory
 {
     private readonly ILogger<OpenIddictClientDispatcher> _logger;
     private readonly IOptionsMonitor<OpenIddictClientOptions> _options;

src/OpenIddict.Client/OpenIddictClientHandler.cs

@@ -10,7 +10,7 @@ namespace OpenIddict.Client;
 /// Represents a handler able to process <typeparamref name="TContext"/> events.
 /// </summary>
 /// <typeparam name="TContext">The type of the events handled by this instance.</typeparam>
-public class OpenIddictClientHandler<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseContext
+public sealed class OpenIddictClientHandler<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseContext
 {
     private readonly Func<TContext, ValueTask> _handler;
 

src/OpenIddict.Client/OpenIddictClientHandlerDescriptor.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.Client;
 /// Represents an immutable descriptor of an OpenIddict client event handler.
 /// </summary>
 [DebuggerDisplay("{ServiceDescriptor?.ServiceType}")]
-public class OpenIddictClientHandlerDescriptor
+public sealed class OpenIddictClientHandlerDescriptor
 {
     /// <summary>
     /// Creates a new instance of the <see cref="OpenIddictClientHandlerDescriptor"/> class.
@@ -60,7 +60,7 @@ public class OpenIddictClientHandlerDescriptor
     /// Contains methods allowing to build a descriptor instance.
     /// </summary>
     /// <typeparam name="TContext">The event context type.</typeparam>
-    public class Builder<TContext> where TContext : BaseContext
+    public sealed class Builder<TContext> where TContext : BaseContext
     {
         private ServiceDescriptor? _descriptor;
         private readonly List<Type> _filters = new();

src/OpenIddict.Client/OpenIddictClientHandlerFilters.cs

@@ -14,7 +14,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no authorization code is validated.
     /// </summary>
-    public class RequireAuthorizationCodeValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireAuthorizationCodeValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -30,7 +30,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no backchannel access token is validated.
     /// </summary>
-    public class RequireBackchannelAccessTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireBackchannelAccessTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -46,7 +46,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no backchannel identity token principal is available.
     /// </summary>
-    public class RequireBackchannelIdentityTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireBackchannelIdentityTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -62,7 +62,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no backchannel identity token is validated.
     /// </summary>
-    public class RequireBackchannelIdentityTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireBackchannelIdentityTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -78,7 +78,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no client assertion token is generated.
     /// </summary>
-    public class RequireClientAssertionTokenGenerated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireClientAssertionTokenGenerated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -94,7 +94,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no frontchannel access token is validated.
     /// </summary>
-    public class RequireFrontchannelAccessTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireFrontchannelAccessTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -110,7 +110,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no frontchannel identity token principal is available.
     /// </summary>
-    public class RequireFrontchannelIdentityTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireFrontchannelIdentityTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -126,7 +126,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no frontchannel identity token is validated.
     /// </summary>
-    public class RequireFrontchannelIdentityTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireFrontchannelIdentityTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -143,7 +143,7 @@ public static class OpenIddictClientHandlerFilters
     /// Represents a filter that excludes the associated handlers if the challenge
     /// doesn't correspond to an authorization code or implicit grant operation.
     /// </summary>
-    public class RequireInteractiveGrantType : IOpenIddictClientHandlerFilter<ProcessChallengeContext>
+    public sealed class RequireInteractiveGrantType : IOpenIddictClientHandlerFilter<ProcessChallengeContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessChallengeContext context)
         {
@@ -159,7 +159,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if the selected token format is not JSON Web Token.
     /// </summary>
-    public class RequireJsonWebTokenFormat : IOpenIddictClientHandlerFilter<GenerateTokenContext>
+    public sealed class RequireJsonWebTokenFormat : IOpenIddictClientHandlerFilter<GenerateTokenContext>
     {
         public ValueTask<bool> IsActiveAsync(GenerateTokenContext context)
         {
@@ -175,7 +175,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no login state token is generated.
     /// </summary>
-    public class RequireLoginStateTokenGenerated : IOpenIddictClientHandlerFilter<ProcessChallengeContext>
+    public sealed class RequireLoginStateTokenGenerated : IOpenIddictClientHandlerFilter<ProcessChallengeContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessChallengeContext context)
         {
@@ -191,7 +191,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no logout state token is generated.
     /// </summary>
-    public class RequireLogoutStateTokenGenerated : IOpenIddictClientHandlerFilter<ProcessSignOutContext>
+    public sealed class RequireLogoutStateTokenGenerated : IOpenIddictClientHandlerFilter<ProcessSignOutContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessSignOutContext context)
         {
@@ -207,7 +207,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if the request is not a post-logout redirection request.
     /// </summary>
-    public class RequirePostLogoutRedirectionRequest : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequirePostLogoutRedirectionRequest : IOpenIddictClientHandlerFilter<BaseContext>
     {
         public ValueTask<bool> IsActiveAsync(BaseContext context)
         {
@@ -223,7 +223,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if the request is not a redirection request.
     /// </summary>
-    public class RequireRedirectionRequest : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireRedirectionRequest : IOpenIddictClientHandlerFilter<BaseContext>
     {
         public ValueTask<bool> IsActiveAsync(BaseContext context)
         {
@@ -239,7 +239,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no refresh token is validated.
     /// </summary>
-    public class RequireRefreshTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireRefreshTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -255,7 +255,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no state token principal is available.
     /// </summary>
-    public class RequireStateTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireStateTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -271,7 +271,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no state token is validated.
     /// </summary>
-    public class RequireStateTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireStateTokenValidated : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -287,7 +287,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no token entry is created in the database.
     /// </summary>
-    public class RequireTokenEntryCreated : IOpenIddictClientHandlerFilter<GenerateTokenContext>
+    public sealed class RequireTokenEntryCreated : IOpenIddictClientHandlerFilter<GenerateTokenContext>
     {
         public ValueTask<bool> IsActiveAsync(GenerateTokenContext context)
         {
@@ -303,7 +303,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if the token payload is not persisted in the database.
     /// </summary>
-    public class RequireTokenPayloadPersisted : IOpenIddictClientHandlerFilter<GenerateTokenContext>
+    public sealed class RequireTokenPayloadPersisted : IOpenIddictClientHandlerFilter<GenerateTokenContext>
     {
         public ValueTask<bool> IsActiveAsync(GenerateTokenContext context)
         {
@@ -319,7 +319,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no token request is expected to be sent.
     /// </summary>
-    public class RequireTokenRequest : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireTokenRequest : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -335,7 +335,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if token storage was not enabled.
     /// </summary>
-    public class RequireTokenStorageEnabled : IOpenIddictClientHandlerFilter<BaseContext>
+    public sealed class RequireTokenStorageEnabled : IOpenIddictClientHandlerFilter<BaseContext>
     {
         public ValueTask<bool> IsActiveAsync(BaseContext context)
         {
@@ -351,7 +351,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no userinfo request is expected to be sent.
     /// </summary>
-    public class RequireUserinfoRequest : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireUserinfoRequest : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -367,7 +367,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no userinfo token is extracted.
     /// </summary>
-    public class RequireUserinfoTokenExtracted : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireUserinfoTokenExtracted : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {
@@ -383,7 +383,7 @@ public static class OpenIddictClientHandlerFilters
     /// <summary>
     /// Represents a filter that excludes the associated handlers if no userinfo token principal is available.
     /// </summary>
-    public class RequireUserinfoTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
+    public sealed class RequireUserinfoTokenPrincipal : IOpenIddictClientHandlerFilter<ProcessAuthenticationContext>
     {
         public ValueTask<bool> IsActiveAsync(ProcessAuthenticationContext context)
         {

src/OpenIddict.Client/OpenIddictClientHandlers.Authentication.cs

@@ -47,7 +47,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for preparing authorization requests and invoking the corresponding event handlers.
         /// </summary>
-        public class PrepareAuthorizationRequest : IOpenIddictClientHandler<ProcessChallengeContext>
+        public sealed class PrepareAuthorizationRequest : IOpenIddictClientHandler<ProcessChallengeContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -92,7 +92,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for applying authorization requests and invoking the corresponding event handlers.
         /// </summary>
-        public class ApplyAuthorizationRequest : IOpenIddictClientHandler<ProcessChallengeContext>
+        public sealed class ApplyAuthorizationRequest : IOpenIddictClientHandler<ProcessChallengeContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -137,7 +137,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for attaching the address of the authorization request to the request.
         /// </summary>
-        public class AttachAuthorizationEndpoint : IOpenIddictClientHandler<ApplyAuthorizationRequestContext>
+        public sealed class AttachAuthorizationEndpoint : IOpenIddictClientHandler<ApplyAuthorizationRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -172,7 +172,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting redirection requests and invoking the corresponding event handlers.
         /// </summary>
-        public class ExtractRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
+        public sealed class ExtractRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -233,7 +233,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating redirection requests and invoking the corresponding event handlers.
         /// </summary>
-        public class ValidateRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
+        public sealed class ValidateRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -290,7 +290,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for handling redirection requests and invoking the corresponding event handlers.
         /// </summary>
-        public class HandleRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
+        public sealed class HandleRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -346,7 +346,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for processing redirection responses and invoking the corresponding event handlers.
         /// </summary>
-        public class ApplyRedirectionResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+        public sealed class ApplyRedirectionResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -395,7 +395,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for removing the response mode parameter from the
         /// request if it corresponds to the default mode for the selected response type.
         /// </summary>
-        public class NormalizeResponseModeParameter : IOpenIddictClientHandler<PrepareAuthorizationRequestContext>
+        public sealed class NormalizeResponseModeParameter : IOpenIddictClientHandler<PrepareAuthorizationRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -440,7 +440,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for rejecting redirection requests that don't
         /// specify a valid access token, authorization code, identity token or state token.
         /// </summary>
-        public class ValidateTokens : IOpenIddictClientHandler<ValidateRedirectionRequestContext>
+        public sealed class ValidateTokens : IOpenIddictClientHandler<ValidateRedirectionRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 

src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs

@@ -45,7 +45,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating the well-known parameters contained in the configuration response.
         /// </summary>
-        public class ValidateWellKnownConfigurationParameters : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ValidateWellKnownConfigurationParameters : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -138,7 +138,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for surfacing potential errors from the configuration response.
         /// </summary>
-        public class HandleConfigurationErrorResponse : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class HandleConfigurationErrorResponse : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -181,7 +181,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the issuer from the discovery document.
         /// </summary>
-        public class ValidateIssuer : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ValidateIssuer : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -244,7 +244,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the authorization endpoint address from the discovery document.
         /// </summary>
-        public class ExtractAuthorizationEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractAuthorizationEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -296,7 +296,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the JWKS endpoint address from the discovery document.
         /// </summary>
-        public class ExtractCryptographyEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractCryptographyEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -348,7 +348,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the logout endpoint address from the discovery document.
         /// </summary>
-        public class ExtractLogoutEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractLogoutEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -391,7 +391,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the token endpoint address from the discovery document.
         /// </summary>
-        public class ExtractTokenEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractTokenEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -434,7 +434,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the userinfo endpoint address from the discovery document.
         /// </summary>
-        public class ExtractUserinfoEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractUserinfoEndpoint : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -477,7 +477,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the supported grant types from the discovery document.
         /// </summary>
-        public class ExtractGrantTypes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractGrantTypes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -519,7 +519,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the supported response types from the discovery document.
         /// </summary>
-        public class ExtractResponseModes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractResponseModes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -561,7 +561,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the supported response types from the discovery document.
         /// </summary>
-        public class ExtractResponseTypes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractResponseTypes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -603,7 +603,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the supported code challenge methods from the discovery document.
         /// </summary>
-        public class ExtractCodeChallengeMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractCodeChallengeMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -645,7 +645,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the supported scopes from the discovery document.
         /// </summary>
-        public class ExtractScopes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractScopes : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -688,7 +688,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for extracting the flag indicating
         /// whether the "iss" parameter is supported from the discovery document.
         /// </summary>
-        public class ExtractIssuerParameterRequirement : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractIssuerParameterRequirement : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -719,7 +719,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for extracting the authentication methods
         /// supported by the token endpoint from the discovery document.
         /// </summary>
-        public class ExtractTokenEndpointClientAuthenticationMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
+        public sealed class ExtractTokenEndpointClientAuthenticationMethods : IOpenIddictClientHandler<HandleConfigurationResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -761,7 +761,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating the well-known parameters contained in the JWKS response.
         /// </summary>
-        public class ValidateWellKnownCryptographyParameters : IOpenIddictClientHandler<HandleCryptographyResponseContext>
+        public sealed class ValidateWellKnownCryptographyParameters : IOpenIddictClientHandler<HandleCryptographyResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -835,7 +835,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for surfacing potential errors from the cryptography response.
         /// </summary>
-        public class HandleCryptographyErrorResponse : IOpenIddictClientHandler<HandleCryptographyResponseContext>
+        public sealed class HandleCryptographyErrorResponse : IOpenIddictClientHandler<HandleCryptographyResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -878,7 +878,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the signing keys from the JWKS document.
         /// </summary>
-        public class ExtractSigningKeys : IOpenIddictClientHandler<HandleCryptographyResponseContext>
+        public sealed class ExtractSigningKeys : IOpenIddictClientHandler<HandleCryptographyResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client/OpenIddictClientHandlers.Exchange.cs

@@ -24,7 +24,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating the well-known parameters contained in the token response.
         /// </summary>
-        public class ValidateWellKnownParameters : IOpenIddictClientHandler<HandleTokenResponseContext>
+        public sealed class ValidateWellKnownParameters : IOpenIddictClientHandler<HandleTokenResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -88,7 +88,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for surfacing potential errors from the token response.
         /// </summary>
-        public class HandleErrorResponse : IOpenIddictClientHandler<HandleTokenResponseContext>
+        public sealed class HandleErrorResponse : IOpenIddictClientHandler<HandleTokenResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs

@@ -44,7 +44,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for resolving the validation parameters used to validate tokens.
         /// </summary>
-        public class ResolveTokenValidationParameters : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ResolveTokenValidationParameters : IOpenIddictClientHandler<ValidateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -150,7 +150,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for validating reference token identifiers.
         /// Note: this handler is not used when token storage is disabled.
         /// </summary>
-        public class ValidateReferenceTokenIdentifier : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ValidateReferenceTokenIdentifier : IOpenIddictClientHandler<ValidateTokenContext>
         {
             private readonly IOpenIddictTokenManager _tokenManager;
 
@@ -217,7 +217,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating tokens generated using IdentityModel.
         /// </summary>
-        public class ValidateIdentityModelToken : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ValidateIdentityModelToken : IOpenIddictClientHandler<ValidateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -341,7 +341,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for mapping internal claims used by OpenIddict.
         /// </summary>
-        public class MapInternalClaims : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class MapInternalClaims : IOpenIddictClientHandler<ValidateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -399,7 +399,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for restoring the properties associated with a reference token entry.
         /// Note: this handler is not used when token storage is disabled.
         /// </summary>
-        public class RestoreReferenceTokenProperties : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class RestoreReferenceTokenProperties : IOpenIddictClientHandler<ValidateTokenContext>
         {
             private readonly IOpenIddictTokenManager _tokenManager;
 
@@ -446,7 +446,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for rejecting authentication demands for which no valid principal was resolved.
         /// </summary>
-        public class ValidatePrincipal : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ValidatePrincipal : IOpenIddictClientHandler<ValidateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -498,7 +498,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for rejecting authentication demands that use an expired token.
         /// </summary>
-        public class ValidateExpirationDate : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ValidateExpirationDate : IOpenIddictClientHandler<ValidateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -540,7 +540,7 @@ public static partial class OpenIddictClientHandlers
         /// associated token entry is no longer valid (e.g was revoked).
         /// Note: this handler is not used when token storage is disabled.
         /// </summary>
-        public class ValidateTokenEntry : IOpenIddictClientHandler<ValidateTokenContext>
+        public sealed class ValidateTokenEntry : IOpenIddictClientHandler<ValidateTokenContext>
         {
             private readonly IOpenIddictTokenManager _tokenManager;
 
@@ -634,7 +634,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for resolving the signing and encryption credentials used to protect tokens.
         /// </summary>
-        public class AttachSecurityCredentials : IOpenIddictClientHandler<GenerateTokenContext>
+        public sealed class AttachSecurityCredentials : IOpenIddictClientHandler<GenerateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -685,7 +685,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for creating a token entry.
         /// Note: this handler is not used when token storage is disabled.
         /// </summary>
-        public class CreateTokenEntry : IOpenIddictClientHandler<GenerateTokenContext>
+        public sealed class CreateTokenEntry : IOpenIddictClientHandler<GenerateTokenContext>
         {
             private readonly IOpenIddictTokenManager _tokenManager;
 
@@ -742,7 +742,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for generating a token using IdentityModel.
         /// </summary>
-        public class GenerateIdentityModelToken : IOpenIddictClientHandler<GenerateTokenContext>
+        public sealed class GenerateIdentityModelToken : IOpenIddictClientHandler<GenerateTokenContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -840,7 +840,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for converting the token to a reference token.
         /// Note: this handler is not used when token storage is disabled.
         /// </summary>
-        public class ConvertReferenceToken : IOpenIddictClientHandler<GenerateTokenContext>
+        public sealed class ConvertReferenceToken : IOpenIddictClientHandler<GenerateTokenContext>
         {
             private readonly IOpenIddictTokenManager _tokenManager;
 

src/OpenIddict.Client/OpenIddictClientHandlers.Session.cs

@@ -42,7 +42,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for preparing authorization requests and invoking the corresponding event handlers.
         /// </summary>
-        public class PrepareLogoutRequest : IOpenIddictClientHandler<ProcessSignOutContext>
+        public sealed class PrepareLogoutRequest : IOpenIddictClientHandler<ProcessSignOutContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -86,7 +86,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for applying authorization requests and invoking the corresponding event handlers.
         /// </summary>
-        public class ApplyLogoutRequest : IOpenIddictClientHandler<ProcessSignOutContext>
+        public sealed class ApplyLogoutRequest : IOpenIddictClientHandler<ProcessSignOutContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -130,7 +130,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for attaching the address of the authorization request to the request.
         /// </summary>
-        public class AttachLogoutEndpoint : IOpenIddictClientHandler<ApplyLogoutRequestContext>
+        public sealed class AttachLogoutEndpoint : IOpenIddictClientHandler<ApplyLogoutRequestContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -165,7 +165,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting redirection requests and invoking the corresponding event handlers.
         /// </summary>
-        public class ExtractPostLogoutRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
+        public sealed class ExtractPostLogoutRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -226,7 +226,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating redirection requests and invoking the corresponding event handlers.
         /// </summary>
-        public class ValidatePostLogoutRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
+        public sealed class ValidatePostLogoutRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -283,7 +283,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for handling redirection requests and invoking the corresponding event handlers.
         /// </summary>
-        public class HandlePostLogoutRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
+        public sealed class HandlePostLogoutRedirectionRequest : IOpenIddictClientHandler<ProcessRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -339,7 +339,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for processing redirection responses and invoking the corresponding event handlers.
         /// </summary>
-        public class ApplyPostLogoutRedirectionResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
+        public sealed class ApplyPostLogoutRedirectionResponse<TContext> : IOpenIddictClientHandler<TContext> where TContext : BaseRequestContext
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -388,7 +388,7 @@ public static partial class OpenIddictClientHandlers
         /// Contains the logic responsible for rejecting redirection requests that don't
         /// specify a valid access token, authorization code, identity token or state token.
         /// </summary>
-        public class ValidateTokens : IOpenIddictClientHandler<ValidatePostLogoutRedirectionRequestContext>
+        public sealed class ValidateTokens : IOpenIddictClientHandler<ValidatePostLogoutRedirectionRequestContext>
         {
             private readonly IOpenIddictClientDispatcher _dispatcher;
 

src/OpenIddict.Client/OpenIddictClientHandlers.Userinfo.cs

@@ -26,7 +26,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for validating the well-known parameters contained in the userinfo response.
         /// </summary>
-        public class ValidateWellKnownParameters : IOpenIddictClientHandler<HandleUserinfoResponseContext>
+        public sealed class ValidateWellKnownParameters : IOpenIddictClientHandler<HandleUserinfoResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -92,7 +92,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for surfacing potential errors from the userinfo response.
         /// </summary>
-        public class HandleErrorResponse : IOpenIddictClientHandler<HandleUserinfoResponseContext>
+        public sealed class HandleErrorResponse : IOpenIddictClientHandler<HandleUserinfoResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.
@@ -138,7 +138,7 @@ public static partial class OpenIddictClientHandlers
         /// <summary>
         /// Contains the logic responsible for extracting the claims from the introspection response.
         /// </summary>
-        public class PopulateClaims : IOpenIddictClientHandler<HandleUserinfoResponseContext>
+        public sealed class PopulateClaims : IOpenIddictClientHandler<HandleUserinfoResponseContext>
         {
             /// <summary>
             /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client/OpenIddictClientHandlers.cs

@@ -143,7 +143,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting invalid authentication demands.
     /// </summary>
-    public class ValidateAuthenticationDemand : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateAuthenticationDemand : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -217,7 +217,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for determining the types of tokens to validate upfront.
     /// </summary>
-    public class EvaluateValidatedUpfrontTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateValidatedUpfrontTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -265,7 +265,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the state token to validate upfront from the incoming request.
     /// </summary>
-    public class ResolveValidatedStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveValidatedStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -300,7 +300,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting authentication demands that lack the required state token.
     /// </summary>
-    public class ValidateRequiredStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateRequiredStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -339,7 +339,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the state token resolved from the context.
     /// </summary>
-    public class ValidateStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -408,7 +408,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for redeeming the token entry corresponding to the received state token.
     /// Note: this handler is not used when the degraded mode is enabled.
     /// </summary>
-    public class RedeemStateTokenEntry : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class RedeemStateTokenEntry : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictTokenManager _tokenManager;
 
@@ -468,7 +468,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for ensuring the resolved state
     /// token is suitable for the requested authentication demand.
     /// </summary>
-    public class ValidateStateTokenEndpointType : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateStateTokenEndpointType : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -518,7 +518,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for validating the request forgery protection claim that serves as a
     /// protection against state token injection, forged requests, denial of service and session fixation attacks.
     /// </summary>
-    public class ValidateRequestForgeryProtection : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateRequestForgeryProtection : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -588,7 +588,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for resolving the client registration
     /// based on the authorization server identity stored in the state token.
     /// </summary>
-    public class ResolveClientRegistrationFromStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveClientRegistrationFromStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -653,7 +653,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for ensuring the issuer parameter, if available, matches the expected issuer.
     /// </summary>
-    public class ValidateIssuerParameter : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateIssuerParameter : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -737,7 +737,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting errored authorization responses.
     /// </summary>
-    public class HandleFrontchannelErrorResponse : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class HandleFrontchannelErrorResponse : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -823,7 +823,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for resolving the grant type
     /// initially negotiated and stored in the state token, if applicable.
     /// </summary>
-    public class ResolveGrantTypeFromStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveGrantTypeFromStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -877,7 +877,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for resolving the response type
     /// initially negotiated and stored in the state token, if applicable.
     /// </summary>
-    public class ResolveResponseTypeFromStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveResponseTypeFromStateToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -911,7 +911,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for determining the set of frontchannel tokens to validate.
     /// </summary>
-    public class EvaluateValidatedFrontchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateValidatedFrontchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -993,7 +993,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the token from the incoming request.
     /// </summary>
-    public class ResolveValidatedFrontchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveValidatedFrontchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1044,7 +1044,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting authentication demands that lack required tokens.
     /// </summary>
-    public class ValidateRequiredFrontchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateRequiredFrontchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1085,7 +1085,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the frontchannel identity token resolved from the context.
     /// </summary>
-    public class ValidateFrontchannelIdentityToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelIdentityToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -1153,7 +1153,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the well-known claims contained in the frontchannel identity token.
     /// </summary>
-    public class ValidateFrontchannelIdentityTokenWellknownClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelIdentityTokenWellknownClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1290,7 +1290,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the audience returned in the frontchannel identity token, if applicable.
     /// </summary>
-    public class ValidateFrontchannelIdentityTokenAudience : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelIdentityTokenAudience : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1335,7 +1335,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the presenter returned in the frontchannel identity token, if applicable.
     /// </summary>
-    public class ValidateFrontchannelIdentityTokenPresenter : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelIdentityTokenPresenter : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1378,7 +1378,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the nonce returned in the frontchannel identity token, if applicable.
     /// </summary>
-    public class ValidateFrontchannelIdentityTokenNonce : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelIdentityTokenNonce : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1487,7 +1487,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the digests of the frontchannel tokens, if applicable.
     /// </summary>
-    public class ValidateFrontchannelTokenDigests : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelTokenDigests : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1618,7 +1618,7 @@ public static partial class OpenIddictClientHandlers
     /// Note: this handler is typically not used for standard-compliant implementations as access tokens
     /// are supposed to be opaque to clients.
     /// </summary>
-    public class ValidateFrontchannelAccessToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateFrontchannelAccessToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -1688,7 +1688,7 @@ public static partial class OpenIddictClientHandlers
     /// Note: this handler is typically not used for standard-compliant implementations as authorization codes
     /// are supposed to be opaque to clients.
     /// </summary>
-    public class ValidateAuthorizationCode : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateAuthorizationCode : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -1756,7 +1756,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the address of the token endpoint.
     /// </summary>
-    public class ResolveTokenEndpoint : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveTokenEndpoint : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1789,7 +1789,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for determining whether a token request should be sent.
     /// </summary>
-    public class EvaluateTokenRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateTokenRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1832,7 +1832,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the parameters to the token request, if applicable.
     /// </summary>
-    public class AttachTokenRequestParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AttachTokenRequestParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1909,7 +1909,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for selecting the token types that should
     /// be generated and optionally sent as part of the authentication demand.
     /// </summary>
-    public class EvaluateGeneratedClientAssertionToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateGeneratedClientAssertionToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -1950,7 +1950,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for preparing and attaching the claims principal
     /// used to generate the client assertion token, if one is going to be sent.
     /// </summary>
-    public class PrepareClientAssertionTokenPrincipal : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class PrepareClientAssertionTokenPrincipal : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2019,7 +2019,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for generating a client
     /// assertion token for the current authentication operation.
     /// </summary>
-    public class GenerateClientAssertionToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class GenerateClientAssertionToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -2091,7 +2091,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the client credentials to the token request, if applicable.
     /// </summary>
-    public class AttachTokenRequestClientCredentials : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AttachTokenRequestClientCredentials : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2139,7 +2139,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for sending the token request, if applicable.
     /// </summary>
-    public class SendTokenRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class SendTokenRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly OpenIddictClientService _service;
 
@@ -2194,7 +2194,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for determining the set of backchannel tokens to validate.
     /// </summary>
-    public class EvaluateValidatedBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateValidatedBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2299,7 +2299,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the backchannel tokens by sending a token request, if applicable.
     /// </summary>
-    public class ResolveValidatedBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveValidatedBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2346,7 +2346,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting authentication demands that lack required tokens.
     /// </summary>
-    public class ValidateRequiredBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateRequiredBackchannelTokens : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2388,7 +2388,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the backchannel identity token resolved from the context.
     /// </summary>
-    public class ValidateBackchannelIdentityToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelIdentityToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -2456,7 +2456,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the well-known claims contained in the backchannel identity token.
     /// </summary>
-    public class ValidateBackchannelIdentityTokenWellknownClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelIdentityTokenWellknownClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2593,7 +2593,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the audience returned in the backchannel identity token, if applicable.
     /// </summary>
-    public class ValidateBackchannelIdentityTokenAudience : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelIdentityTokenAudience : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2638,7 +2638,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the presenter returned in the backchannel identity token, if applicable.
     /// </summary>
-    public class ValidateBackchannelIdentityTokenPresenter : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelIdentityTokenPresenter : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2681,7 +2681,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the nonce returned in the backchannel identity token, if applicable.
     /// </summary>
-    public class ValidateBackchannelIdentityTokenNonce : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelIdentityTokenNonce : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2790,7 +2790,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the digests of the backchannel access token.
     /// </summary>
-    public class ValidateBackchannelTokenDigests : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelTokenDigests : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -2885,7 +2885,7 @@ public static partial class OpenIddictClientHandlers
     /// Note: this handler is typically not used for standard-compliant implementations as access tokens
     /// are supposed to be opaque to clients.
     /// </summary>
-    public class ValidateBackchannelAccessToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateBackchannelAccessToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -2955,7 +2955,7 @@ public static partial class OpenIddictClientHandlers
     /// Note: this handler is typically not used for standard-compliant implementations as refresh tokens
     /// are supposed to be opaque to clients.
     /// </summary>
-    public class ValidateRefreshToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateRefreshToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -3023,7 +3023,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the address of the userinfo endpoint.
     /// </summary>
-    public class ResolveUserinfoEndpoint : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ResolveUserinfoEndpoint : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3056,7 +3056,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for determining whether a userinfo request should be sent.
     /// </summary>
-    public class EvaluateUserinfoRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateUserinfoRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3098,7 +3098,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the parameters to the userinfo request, if applicable.
     /// </summary>
-    public class AttachUserinfoRequestParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class AttachUserinfoRequestParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3133,7 +3133,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for sending the userinfo request, if applicable.
     /// </summary>
-    public class SendUserinfoRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class SendUserinfoRequest : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly OpenIddictClientService _service;
 
@@ -3192,7 +3192,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for determining whether a userinfo token should be validated.
     /// </summary>
-    public class EvaluateValidatedUserinfoToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class EvaluateValidatedUserinfoToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3226,7 +3226,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting authentication demands that lack the required userinfo token.
     /// </summary>
-    public class ValidateRequiredUserinfoToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateRequiredUserinfoToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3265,7 +3265,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the userinfo token resolved from the context.
     /// </summary>
-    public class ValidateUserinfoToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateUserinfoToken : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -3333,7 +3333,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the well-known claims contained in the userinfo token.
     /// </summary>
-    public class ValidateUserinfoTokenWellknownClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateUserinfoTokenWellknownClaims : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3399,7 +3399,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for validating the subject claim contained in the userinfo token.
     /// </summary>
-    public class ValidateUserinfoTokenSubject : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public sealed class ValidateUserinfoTokenSubject : IOpenIddictClientHandler<ProcessAuthenticationContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3478,7 +3478,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for rejecting invalid challenge demands.
     /// </summary>
-    public class ValidateChallengeDemand : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class ValidateChallengeDemand : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3543,7 +3543,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the client registration applicable to the challenge demand.
     /// </summary>
-    public class ResolveClientRegistrationFromChallengeContext : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class ResolveClientRegistrationFromChallengeContext : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3588,7 +3588,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for resolving the best grant type
     /// supported by both the client and the authorization server.
     /// </summary>
-    public class AttachGrantType : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachGrantType : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3671,7 +3671,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for selecting the token types that
     /// should be generated and optionally returned in the response.
     /// </summary>
-    public class EvaluateGeneratedChallengeTokens : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class EvaluateGeneratedChallengeTokens : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3715,7 +3715,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the user-defined properties to the authentication principal.
     /// </summary>
-    public class AttachChallengeHostProperties : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachChallengeHostProperties : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3746,7 +3746,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the response type to the challenge request.
     /// </summary>
-    public class AttachResponseType : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachResponseType : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -3937,7 +3937,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the response mode to the challenge request.
     /// </summary>
-    public class AttachResponseMode : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachResponseMode : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4042,7 +4042,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the client identifier to the challenge request.
     /// </summary>
-    public class AttachClientId : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachClientId : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4071,7 +4071,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the redirect_uri to the challenge request.
     /// </summary>
-    public class AttachRedirectUri : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachRedirectUri : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4104,7 +4104,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the scopes to the challenge request.
     /// </summary>
-    public class AttachScopes : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachScopes : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4149,7 +4149,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching a request forgery protection to the authorization request.
     /// </summary>
-    public class AttachRequestForgeryProtection : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachRequestForgeryProtection : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4181,7 +4181,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching a nonce to the authorization request.
     /// </summary>
-    public class AttachNonce : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachNonce : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4221,7 +4221,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the code challenge parameters to the authorization request.
     /// </summary>
-    public class AttachCodeChallengeParameters : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachCodeChallengeParameters : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4314,7 +4314,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for preparing and attaching the claims principal
     /// used to generate the state token, if one is going to be returned.
     /// </summary>
-    public class PrepareStateTokenPrincipal : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class PrepareStateTokenPrincipal : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4429,7 +4429,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for generating a state token for the current challenge operation.
     /// </summary>
-    public class GenerateStateToken : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class GenerateStateToken : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -4495,7 +4495,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for ensuring the redirect_uri parameter is present
     /// if the "openid" scope is requested (indicating the request is an OpenID Connect request).
     /// </summary>
-    public class ValidateRedirectUriParameter : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class ValidateRedirectUriParameter : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4530,7 +4530,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the appropriate parameters to the challenge response.
     /// </summary>
-    public class AttachChallengeParameters : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachChallengeParameters : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4596,7 +4596,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for attaching the parameters
     /// populated from user-defined handlers to the challenge response.
     /// </summary>
-    public class AttachCustomChallengeParameters : IOpenIddictClientHandler<ProcessChallengeContext>
+    public sealed class AttachCustomChallengeParameters : IOpenIddictClientHandler<ProcessChallengeContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4632,7 +4632,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for ensuring that the sign-out demand
     /// is compatible with the type of the endpoint that handled the request.
     /// </summary>
-    public class ValidateSignOutDemand : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class ValidateSignOutDemand : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4690,7 +4690,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for resolving the client registration applicable to the sign-out demand.
     /// </summary>
-    public class ResolveClientRegistrationFromSignOutContext : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class ResolveClientRegistrationFromSignOutContext : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4734,7 +4734,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the client identifier to the sign-out request.
     /// </summary>
-    public class AttachOptionalClientId : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachOptionalClientId : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4763,7 +4763,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the post_logout_redirect_uri to the sign-out request.
     /// </summary>
-    public class AttachPostLogoutRedirectUri : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachPostLogoutRedirectUri : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4793,7 +4793,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for selecting the token types that
     /// should be generated and optionally returned in the response.
     /// </summary>
-    public class EvaluateGeneratedLogoutTokens : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class EvaluateGeneratedLogoutTokens : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4822,7 +4822,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the user-defined properties to the authentication principal.
     /// </summary>
-    public class AttachSignOutHostProperties : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachSignOutHostProperties : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4853,7 +4853,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching a request forgery protection to the logout request.
     /// </summary>
-    public class AttachLogoutRequestForgeryProtection : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachLogoutRequestForgeryProtection : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4884,7 +4884,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching a nonce to the logout request.
     /// </summary>
-    public class AttachLogoutNonce : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachLogoutNonce : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -4914,7 +4914,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for preparing and attaching the claims principal
     /// used to generate the logout state token, if one is going to be returned.
     /// </summary>
-    public class PrepareLogoutStateTokenPrincipal : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class PrepareLogoutStateTokenPrincipal : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -5008,7 +5008,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for generating a logout state token for the current sign-out operation.
     /// </summary>
-    public class GenerateLogoutStateToken : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class GenerateLogoutStateToken : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         private readonly IOpenIddictClientDispatcher _dispatcher;
 
@@ -5073,7 +5073,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the appropriate parameters to the sign-out response.
     /// </summary>
-    public class AttachSignOutParameters : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachSignOutParameters : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -5116,7 +5116,7 @@ public static partial class OpenIddictClientHandlers
     /// Contains the logic responsible for attaching the parameters
     /// populated from user-defined handlers to the sign-out response.
     /// </summary>
-    public class AttachCustomSignOutParameters : IOpenIddictClientHandler<ProcessSignOutContext>
+    public sealed class AttachCustomSignOutParameters : IOpenIddictClientHandler<ProcessSignOutContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.
@@ -5151,7 +5151,7 @@ public static partial class OpenIddictClientHandlers
     /// <summary>
     /// Contains the logic responsible for attaching the appropriate parameters to the error response.
     /// </summary>
-    public class AttachErrorParameters : IOpenIddictClientHandler<ProcessErrorContext>
+    public sealed class AttachErrorParameters : IOpenIddictClientHandler<ProcessErrorContext>
     {
         /// <summary>
         /// Gets the default descriptor definition assigned to this handler.

src/OpenIddict.Client/OpenIddictClientOptions.cs

@@ -12,7 +12,7 @@ namespace OpenIddict.Client;
 /// <summary>
 /// Provides various settings needed to configure the OpenIddict client handler.
 /// </summary>
-public class OpenIddictClientOptions
+public sealed class OpenIddictClientOptions
 {
     /// <summary>
     /// Gets the list of the handlers responsible for processing the OpenIddict client operations.

src/OpenIddict.Client/OpenIddictClientRegistration.cs

@@ -14,7 +14,7 @@ namespace OpenIddict.Client;
 /// Contains the properties used to configure a client/server link.
 /// </summary>
 [DebuggerDisplay("{Issuer,nq}")]
-public class OpenIddictClientRegistration
+public sealed class OpenIddictClientRegistration
 {
     /// <summary>
     /// Gets or sets the client identifier assigned by the authorization server.

src/OpenIddict.Client/OpenIddictClientRetriever.cs

@@ -9,7 +9,7 @@ using Microsoft.IdentityModel.Protocols;
 
 namespace OpenIddict.Client;
 
-public class OpenIddictClientRetriever : IConfigurationRetriever<OpenIddictConfiguration>
+public sealed class OpenIddictClientRetriever : IConfigurationRetriever<OpenIddictConfiguration>
 {
     private readonly OpenIddictClientService _service;
     private readonly OpenIddictClientRegistration _registration;

src/OpenIddict.Client/OpenIddictClientService.cs

@@ -14,7 +14,7 @@ using static OpenIddict.Abstractions.OpenIddictExceptions;
 
 namespace OpenIddict.Client;
 
-public class OpenIddictClientService
+public sealed class OpenIddictClientService
 {
     private readonly IServiceProvider _provider;
 

src/OpenIddict.Client/OpenIddictClientTransaction.cs

@@ -11,7 +11,7 @@ namespace OpenIddict.Client;
 /// <summary>
 /// Represents the context associated with an OpenID Connect client request.
 /// </summary>
-public class OpenIddictClientTransaction
+public sealed class OpenIddictClientTransaction
 {
     /// <summary>
     /// Gets or sets the type of the endpoint processing the current request.

src/OpenIddict.Core/Caches/OpenIddictApplicationCache.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.Core;
 /// Provides methods allowing to cache applications after retrieving them from the store.
 /// </summary>
 /// <typeparam name="TApplication">The type of the Application entity.</typeparam>
-public class OpenIddictApplicationCache<TApplication> : IOpenIddictApplicationCache<TApplication>, IDisposable where TApplication : class
+public sealed class OpenIddictApplicationCache<TApplication> : IOpenIddictApplicationCache<TApplication>, IDisposable where TApplication : class
 {
     private readonly MemoryCache _cache;
     private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
@@ -279,7 +279,7 @@ public class OpenIddictApplicationCache<TApplication> : IOpenIddictApplicationCa
     /// <param name="application">The application to store in the cache entry, if applicable.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(object key, TApplication? application, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, TApplication? application, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -305,8 +305,7 @@ public class OpenIddictApplicationCache<TApplication> : IOpenIddictApplicationCa
     /// <param name="applications">The applications to store in the cache entry.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(
-        object key, ImmutableArray<TApplication> applications, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, ImmutableArray<TApplication> applications, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -335,8 +334,7 @@ public class OpenIddictApplicationCache<TApplication> : IOpenIddictApplicationCa
     /// A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation,
     /// whose result returns an expiration signal for the specified application.
     /// </returns>
-    protected virtual async ValueTask<IChangeToken> CreateExpirationSignalAsync(
-        TApplication application, CancellationToken cancellationToken)
+    private async ValueTask<IChangeToken> CreateExpirationSignalAsync(TApplication application, CancellationToken cancellationToken)
     {
         if (application is null)
         {

src/OpenIddict.Core/Caches/OpenIddictAuthorizationCache.cs

@@ -17,7 +17,7 @@ namespace OpenIddict.Core;
 /// Provides methods allowing to cache authorizations after retrieving them from the store.
 /// </summary>
 /// <typeparam name="TAuthorization">The type of the Authorization entity.</typeparam>
-public class OpenIddictAuthorizationCache<TAuthorization> : IOpenIddictAuthorizationCache<TAuthorization>, IDisposable where TAuthorization : class
+public sealed class OpenIddictAuthorizationCache<TAuthorization> : IOpenIddictAuthorizationCache<TAuthorization>, IDisposable where TAuthorization : class
 {
     private readonly MemoryCache _cache;
     private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
@@ -452,7 +452,7 @@ public class OpenIddictAuthorizationCache<TAuthorization> : IOpenIddictAuthoriza
     /// <param name="authorization">The authorization to store in the cache entry, if applicable.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(object key, TAuthorization? authorization, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, TAuthorization? authorization, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -478,8 +478,7 @@ public class OpenIddictAuthorizationCache<TAuthorization> : IOpenIddictAuthoriza
     /// <param name="authorizations">The authorizations to store in the cache entry.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(
-        object key, ImmutableArray<TAuthorization> authorizations, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, ImmutableArray<TAuthorization> authorizations, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -508,8 +507,7 @@ public class OpenIddictAuthorizationCache<TAuthorization> : IOpenIddictAuthoriza
     /// A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation,
     /// whose result returns an expiration signal for the specified authorization.
     /// </returns>
-    protected virtual async ValueTask<IChangeToken> CreateExpirationSignalAsync(
-        TAuthorization authorization, CancellationToken cancellationToken)
+    private async ValueTask<IChangeToken> CreateExpirationSignalAsync(TAuthorization authorization, CancellationToken cancellationToken)
     {
         if (authorization is null)
         {

src/OpenIddict.Core/Caches/OpenIddictScopeCache.cs

@@ -17,7 +17,7 @@ namespace OpenIddict.Core;
 /// Provides methods allowing to cache scopes after retrieving them from the store.
 /// </summary>
 /// <typeparam name="TScope">The type of the Scope entity.</typeparam>
-public class OpenIddictScopeCache<TScope> : IOpenIddictScopeCache<TScope>, IDisposable where TScope : class
+public sealed class OpenIddictScopeCache<TScope> : IOpenIddictScopeCache<TScope>, IDisposable where TScope : class
 {
     private readonly MemoryCache _cache;
     private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
@@ -249,7 +249,7 @@ public class OpenIddictScopeCache<TScope> : IOpenIddictScopeCache<TScope>, IDisp
     /// <param name="scope">The scope to store in the cache entry, if applicable.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(object key, TScope? scope, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, TScope? scope, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -275,8 +275,7 @@ public class OpenIddictScopeCache<TScope> : IOpenIddictScopeCache<TScope>, IDisp
     /// <param name="scopes">The scopes to store in the cache entry.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(
-        object key, ImmutableArray<TScope> scopes, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, ImmutableArray<TScope> scopes, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -305,7 +304,7 @@ public class OpenIddictScopeCache<TScope> : IOpenIddictScopeCache<TScope>, IDisp
     /// A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation,
     /// whose result returns an expiration signal for the specified scope.
     /// </returns>
-    protected virtual async ValueTask<IChangeToken> CreateExpirationSignalAsync(TScope scope, CancellationToken cancellationToken)
+    private async ValueTask<IChangeToken> CreateExpirationSignalAsync(TScope scope, CancellationToken cancellationToken)
     {
         if (scope is null)
         {

src/OpenIddict.Core/Caches/OpenIddictTokenCache.cs

@@ -17,7 +17,7 @@ namespace OpenIddict.Core;
 /// Provides methods allowing to cache tokens after retrieving them from the store.
 /// </summary>
 /// <typeparam name="TToken">The type of the Token entity.</typeparam>
-public class OpenIddictTokenCache<TToken> : IOpenIddictTokenCache<TToken>, IDisposable where TToken : class
+public sealed class OpenIddictTokenCache<TToken> : IOpenIddictTokenCache<TToken>, IDisposable where TToken : class
 {
     private readonly MemoryCache _cache;
     private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
@@ -504,7 +504,7 @@ public class OpenIddictTokenCache<TToken> : IOpenIddictTokenCache<TToken>, IDisp
     /// <param name="token">The token to store in the cache entry, if applicable.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(object key, TToken? token, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, TToken? token, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -530,8 +530,7 @@ public class OpenIddictTokenCache<TToken> : IOpenIddictTokenCache<TToken>, IDisp
     /// <param name="tokens">The tokens to store in the cache entry.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
     /// <returns>A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation.</returns>
-    protected virtual async ValueTask CreateEntryAsync(
-        object key, ImmutableArray<TToken> tokens, CancellationToken cancellationToken)
+    private async ValueTask CreateEntryAsync(object key, ImmutableArray<TToken> tokens, CancellationToken cancellationToken)
     {
         if (key is null)
         {
@@ -560,7 +559,7 @@ public class OpenIddictTokenCache<TToken> : IOpenIddictTokenCache<TToken>, IDisp
     /// A <see cref="ValueTask"/> that can be used to monitor the asynchronous operation,
     /// whose result returns an expiration signal for the specified token.
     /// </returns>
-    protected virtual async ValueTask<IChangeToken> CreateExpirationSignalAsync(TToken token, CancellationToken cancellationToken)
+    private async ValueTask<IChangeToken> CreateExpirationSignalAsync(TToken token, CancellationToken cancellationToken)
     {
         if (token is null)
         {

src/OpenIddict.Core/OpenIddictCoreBuilder.cs

@@ -14,7 +14,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Exposes the necessary methods required to configure the OpenIddict core services.
 /// </summary>
-public class OpenIddictCoreBuilder
+public sealed class OpenIddictCoreBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictCoreBuilder"/>.

src/OpenIddict.Core/OpenIddictCoreOptions.cs

@@ -9,7 +9,7 @@ namespace OpenIddict.Core;
 /// <summary>
 /// Provides various settings needed to configure the OpenIddict core services.
 /// </summary>
-public class OpenIddictCoreOptions
+public sealed class OpenIddictCoreOptions
 {
     /// <summary>
     /// Gets or sets the type corresponding to the default Application entity,

src/OpenIddict.Core/Resolvers/OpenIddictApplicationStoreResolver.cs

@@ -5,7 +5,7 @@ namespace OpenIddict.Core;
 /// <summary>
 /// Exposes a method allowing to resolve an application store.
 /// </summary>
-public class OpenIddictApplicationStoreResolver : IOpenIddictApplicationStoreResolver
+public sealed class OpenIddictApplicationStoreResolver : IOpenIddictApplicationStoreResolver
 {
     private readonly IServiceProvider _provider;
 

src/OpenIddict.Core/Resolvers/OpenIddictAuthorizationStoreResolver.cs

@@ -5,7 +5,7 @@ namespace OpenIddict.Core;
 /// <summary>
 /// Exposes a method allowing to resolve an authorization store.
 /// </summary>
-public class OpenIddictAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
+public sealed class OpenIddictAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
 {
     private readonly IServiceProvider _provider;
 

src/OpenIddict.Core/Resolvers/OpenIddictScopeStoreResolver.cs

@@ -5,7 +5,7 @@ namespace OpenIddict.Core;
 /// <summary>
 /// Exposes a method allowing to resolve a scope store.
 /// </summary>
-public class OpenIddictScopeStoreResolver : IOpenIddictScopeStoreResolver
+public sealed class OpenIddictScopeStoreResolver : IOpenIddictScopeStoreResolver
 {
     private readonly IServiceProvider _provider;
 

src/OpenIddict.Core/Resolvers/OpenIddictTokenStoreResolver.cs

@@ -5,7 +5,7 @@ namespace OpenIddict.Core;
 /// <summary>
 /// Exposes a method allowing to resolve a token store.
 /// </summary>
-public class OpenIddictTokenStoreResolver : IOpenIddictTokenStoreResolver
+public sealed class OpenIddictTokenStoreResolver : IOpenIddictTokenStoreResolver
 {
     private readonly IServiceProvider _provider;
 

src/OpenIddict.EntityFramework/Configurations/OpenIddictEntityFrameworkApplicationConfiguration.cs

@@ -20,7 +20,7 @@ namespace OpenIddict.EntityFramework;
 /// <typeparam name="TToken">The type of the Token entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkApplicationConfiguration<TApplication, TAuthorization, TToken, TKey> : EntityTypeConfiguration<TApplication>
+public sealed class OpenIddictEntityFrameworkApplicationConfiguration<TApplication, TAuthorization, TToken, TKey> : EntityTypeConfiguration<TApplication>
     where TApplication : OpenIddictEntityFrameworkApplication<TKey, TAuthorization, TToken>
     where TAuthorization : OpenIddictEntityFrameworkAuthorization<TKey, TApplication, TToken>
     where TToken : OpenIddictEntityFrameworkToken<TKey, TApplication, TAuthorization>

src/OpenIddict.EntityFramework/Configurations/OpenIddictEntityFrameworkAuthorizationConfiguration.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.EntityFramework;
 /// <typeparam name="TToken">The type of the Token entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkAuthorizationConfiguration<TAuthorization, TApplication, TToken, TKey> : EntityTypeConfiguration<TAuthorization>
+public sealed class OpenIddictEntityFrameworkAuthorizationConfiguration<TAuthorization, TApplication, TToken, TKey> : EntityTypeConfiguration<TAuthorization>
     where TAuthorization : OpenIddictEntityFrameworkAuthorization<TKey, TApplication, TToken>
     where TApplication : OpenIddictEntityFrameworkApplication<TKey, TAuthorization, TToken>
     where TToken : OpenIddictEntityFrameworkToken<TKey, TApplication, TAuthorization>

src/OpenIddict.EntityFramework/Configurations/OpenIddictEntityFrameworkScopeConfiguration.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.EntityFramework;
 /// <typeparam name="TScope">The type of the Scope entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkScopeConfiguration<TScope, TKey> : EntityTypeConfiguration<TScope>
+public sealed class OpenIddictEntityFrameworkScopeConfiguration<TScope, TKey> : EntityTypeConfiguration<TScope>
     where TScope : OpenIddictEntityFrameworkScope<TKey>
     where TKey : notnull, IEquatable<TKey>
 {

src/OpenIddict.EntityFramework/Configurations/OpenIddictEntityFrameworkTokenConfiguration.cs

@@ -20,7 +20,7 @@ namespace OpenIddict.EntityFramework;
 /// <typeparam name="TAuthorization">The type of the Authorization entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkTokenConfiguration<TToken, TApplication, TAuthorization, TKey> : EntityTypeConfiguration<TToken>
+public sealed class OpenIddictEntityFrameworkTokenConfiguration<TToken, TApplication, TAuthorization, TKey> : EntityTypeConfiguration<TToken>
     where TToken : OpenIddictEntityFrameworkToken<TKey, TApplication, TAuthorization>
     where TApplication : OpenIddictEntityFrameworkApplication<TKey, TAuthorization, TToken>
     where TAuthorization : OpenIddictEntityFrameworkAuthorization<TKey, TApplication, TToken>

src/OpenIddict.EntityFramework/OpenIddictEntityFrameworkBuilder.cs

@@ -15,7 +15,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Exposes the necessary methods required to configure the OpenIddict Entity Framework 6.x services.
 /// </summary>
-public class OpenIddictEntityFrameworkBuilder
+public sealed class OpenIddictEntityFrameworkBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictEntityFrameworkBuilder"/>.

src/OpenIddict.EntityFramework/OpenIddictEntityFrameworkOptions.cs

@@ -10,7 +10,7 @@ namespace OpenIddict.EntityFramework;
 /// Provides various settings needed to configure
 /// the OpenIddict Entity Framework 6.x integration.
 /// </summary>
-public class OpenIddictEntityFrameworkOptions
+public sealed class OpenIddictEntityFrameworkOptions
 {
     /// <summary>
     /// Gets or sets the concrete type of the <see cref="DbContext"/> used by the

src/OpenIddict.EntityFramework/Resolvers/OpenIddictEntityFrameworkApplicationStoreResolver.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.EntityFramework;
 /// <summary>
 /// Exposes a method allowing to resolve an application store.
 /// </summary>
-public class OpenIddictEntityFrameworkApplicationStoreResolver : IOpenIddictApplicationStoreResolver
+public sealed class OpenIddictEntityFrameworkApplicationStoreResolver : IOpenIddictApplicationStoreResolver
 {
     private readonly TypeResolutionCache _cache;
     private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
@@ -68,5 +68,5 @@ public class OpenIddictEntityFrameworkApplicationStoreResolver : IOpenIddictAppl
     // service provider must be able to resolve scoped services (typically, the store they return).
     // To avoid having to declare a static type resolution cache, a special cache service is used
     // here and registered as a singleton dependency so that its content persists beyond the scope.
-    public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
+    public sealed class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
 }

src/OpenIddict.EntityFramework/Resolvers/OpenIddictEntityFrameworkAuthorizationStoreResolver.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.EntityFramework;
 /// <summary>
 /// Exposes a method allowing to resolve an authorization store.
 /// </summary>
-public class OpenIddictEntityFrameworkAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
+public sealed class OpenIddictEntityFrameworkAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
 {
     private readonly TypeResolutionCache _cache;
     private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
@@ -68,5 +68,5 @@ public class OpenIddictEntityFrameworkAuthorizationStoreResolver : IOpenIddictAu
     // service provider must be able to resolve scoped services (typically, the store they return).
     // To avoid having to declare a static type resolution cache, a special cache service is used
     // here and registered as a singleton dependency so that its content persists beyond the scope.
-    public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
+    public sealed class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
 }

src/OpenIddict.EntityFramework/Resolvers/OpenIddictEntityFrameworkScopeStoreResolver.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.EntityFramework;
 /// <summary>
 /// Exposes a method allowing to resolve a scope store.
 /// </summary>
-public class OpenIddictEntityFrameworkScopeStoreResolver : IOpenIddictScopeStoreResolver
+public sealed class OpenIddictEntityFrameworkScopeStoreResolver : IOpenIddictScopeStoreResolver
 {
     private readonly TypeResolutionCache _cache;
     private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
@@ -66,5 +66,5 @@ public class OpenIddictEntityFrameworkScopeStoreResolver : IOpenIddictScopeStore
     // service provider must be able to resolve scoped services (typically, the store they return).
     // To avoid having to declare a static type resolution cache, a special cache service is used
     // here and registered as a singleton dependency so that its content persists beyond the scope.
-    public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
+    public sealed class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
 }

src/OpenIddict.EntityFramework/Resolvers/OpenIddictEntityFrameworkTokenStoreResolver.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.EntityFramework;
 /// <summary>
 /// Exposes a method allowing to resolve a token store.
 /// </summary>
-public class OpenIddictEntityFrameworkTokenStoreResolver : IOpenIddictTokenStoreResolver
+public sealed class OpenIddictEntityFrameworkTokenStoreResolver : IOpenIddictTokenStoreResolver
 {
     private readonly TypeResolutionCache _cache;
     private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
@@ -68,5 +68,5 @@ public class OpenIddictEntityFrameworkTokenStoreResolver : IOpenIddictTokenStore
     // service provider must be able to resolve scoped services (typically, the store they return).
     // To avoid having to declare a static type resolution cache, a special cache service is used
     // here and registered as a singleton dependency so that its content persists beyond the scope.
-    public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
+    public sealed class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
 }

src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictEntityFrameworkCoreApplicationConfiguration.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// <typeparam name="TToken">The type of the Token entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkCoreApplicationConfiguration<TApplication, TAuthorization, TToken, TKey> : IEntityTypeConfiguration<TApplication>
+public sealed class OpenIddictEntityFrameworkCoreApplicationConfiguration<TApplication, TAuthorization, TToken, TKey> : IEntityTypeConfiguration<TApplication>
     where TApplication : OpenIddictEntityFrameworkCoreApplication<TKey, TAuthorization, TToken>
     where TAuthorization : OpenIddictEntityFrameworkCoreAuthorization<TKey, TApplication, TToken>
     where TToken : OpenIddictEntityFrameworkCoreToken<TKey, TApplication, TAuthorization>

src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictEntityFrameworkCoreAuthorizationConfiguration.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// <typeparam name="TToken">The type of the Token entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkCoreAuthorizationConfiguration<TAuthorization, TApplication, TToken, TKey> : IEntityTypeConfiguration<TAuthorization>
+public sealed class OpenIddictEntityFrameworkCoreAuthorizationConfiguration<TAuthorization, TApplication, TToken, TKey> : IEntityTypeConfiguration<TAuthorization>
     where TAuthorization : OpenIddictEntityFrameworkCoreAuthorization<TKey, TApplication, TToken>
     where TApplication : OpenIddictEntityFrameworkCoreApplication<TKey, TAuthorization, TToken>
     where TToken : OpenIddictEntityFrameworkCoreToken<TKey, TApplication, TAuthorization>

src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictEntityFrameworkCoreScopeConfiguration.cs

@@ -16,7 +16,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// <typeparam name="TScope">The type of the Scope entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkCoreScopeConfiguration<TScope, TKey> : IEntityTypeConfiguration<TScope>
+public sealed class OpenIddictEntityFrameworkCoreScopeConfiguration<TScope, TKey> : IEntityTypeConfiguration<TScope>
     where TScope : OpenIddictEntityFrameworkCoreScope<TKey>
     where TKey : notnull, IEquatable<TKey>
 {

src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictEntityFrameworkCoreTokenConfiguration.cs

@@ -18,7 +18,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// <typeparam name="TAuthorization">The type of the Authorization entity.</typeparam>
 /// <typeparam name="TKey">The type of the Key entity.</typeparam>
 [EditorBrowsable(EditorBrowsableState.Never)]
-public class OpenIddictEntityFrameworkCoreTokenConfiguration<TToken, TApplication, TAuthorization, TKey> : IEntityTypeConfiguration<TToken>
+public sealed class OpenIddictEntityFrameworkCoreTokenConfiguration<TToken, TApplication, TAuthorization, TKey> : IEntityTypeConfiguration<TToken>
     where TToken : OpenIddictEntityFrameworkCoreToken<TKey, TApplication, TAuthorization>
     where TApplication : OpenIddictEntityFrameworkCoreApplication<TKey, TAuthorization, TToken>
     where TAuthorization : OpenIddictEntityFrameworkCoreAuthorization<TKey, TApplication, TToken>

src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreBuilder.cs

@@ -14,7 +14,7 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Exposes the necessary methods required to configure the OpenIddict Entity Framework Core services.
 /// </summary>
-public class OpenIddictEntityFrameworkCoreBuilder
+public sealed class OpenIddictEntityFrameworkCoreBuilder
 {
     /// <summary>
     /// Initializes a new instance of <see cref="OpenIddictEntityFrameworkCoreBuilder"/>.

src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreCustomizer.cs

@@ -12,7 +12,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// Represents a model customizer able to register the entity sets
 /// required by the OpenIddict stack in an Entity Framework Core context.
 /// </summary>
-public class OpenIddictEntityFrameworkCoreCustomizer<TApplication, TAuthorization, TScope, TToken, TKey> : RelationalModelCustomizer
+public sealed class OpenIddictEntityFrameworkCoreCustomizer<TApplication, TAuthorization, TScope, TToken, TKey> : RelationalModelCustomizer
     where TApplication : OpenIddictEntityFrameworkCoreApplication<TKey, TAuthorization, TToken>
     where TAuthorization : OpenIddictEntityFrameworkCoreAuthorization<TKey, TApplication, TToken>
     where TScope : OpenIddictEntityFrameworkCoreScope<TKey>

src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreOptions.cs

@@ -10,7 +10,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// Provides various settings needed to configure
 /// the OpenIddict Entity Framework Core integration.
 /// </summary>
-public class OpenIddictEntityFrameworkCoreOptions
+public sealed class OpenIddictEntityFrameworkCoreOptions
 {
     /// <summary>
     /// Gets or sets the concrete type of the <see cref="DbContext"/> used by the

src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictEntityFrameworkCoreApplicationStoreResolver.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// <summary>
 /// Exposes a method allowing to resolve an application store.
 /// </summary>
-public class OpenIddictEntityFrameworkCoreApplicationStoreResolver : IOpenIddictApplicationStoreResolver
+public sealed class OpenIddictEntityFrameworkCoreApplicationStoreResolver : IOpenIddictApplicationStoreResolver
 {
     private readonly TypeResolutionCache _cache;
     private readonly IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> _options;
@@ -68,5 +68,5 @@ public class OpenIddictEntityFrameworkCoreApplicationStoreResolver : IOpenIddict
     // service provider must be able to resolve scoped services (typically, the store they return).
     // To avoid having to declare a static type resolution cache, a special cache service is used
     // here and registered as a singleton dependency so that its content persists beyond the scope.
-    public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
+    public sealed class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
 }

src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictEntityFrameworkCoreAuthorizationStoreResolver.cs

@@ -15,7 +15,7 @@ namespace OpenIddict.EntityFrameworkCore;
 /// <summary>
 /// Exposes a method allowing to resolve an authorization store.
 /// </summary>
-public class OpenIddictEntityFrameworkCoreAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
+public sealed class OpenIddictEntityFrameworkCoreAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
 {
     private readonly TypeResolutionCache _cache;
     private readonly IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> _options;
@@ -68,5 +68,5 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStoreResolver : IOpenIddi
     // service provider must be able to resolve scoped services (typically, the store they return).
     // To avoid having to declare a static type resolution cache, a special cache service is used
     // here and registered as a singleton dependency so that its content persists beyond the scope.
-    public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
+    public sealed class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
 }