diff --git a/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Core.cs b/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Core.cs
index 754ee2214..5bfb5d886 100644
--- a/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Core.cs
+++ b/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Core.cs
@@ -190,7 +190,13 @@ public static IIdentityServerBuilder AddCoreServices(this IIdentityServerBuilder
         builder.Services.AddTransient<IJwtRequestValidator, JwtRequestValidator>();
 
         builder.Services.AddTransient<ReturnUrlParser>();
+
+#pragma warning disable CS0618 // Type or member is obsolete
+        builder.Services.AddTransient<IIdentityServerTools, IdentityServerTools>();
+        // We've added the IIdentityServerTools interface to allow mocking, but keep the old
+        // direct class registration around if anyone has a dependency on it.
         builder.Services.AddTransient<IdentityServerTools>();
+#pragma warning restore CS0618 // Type or member is obsolete
 
         builder.Services.AddTransient<IReturnUrlParser, OidcReturnUrlParser>();
         builder.Services.AddScoped<IUserSession, DefaultUserSession>();
diff --git a/src/IdentityServer/Extensions/IdentityServerToolsExtensions.cs b/src/IdentityServer/Extensions/IdentityServerToolsExtensions.cs
index ec3db1d4b..4b841d117 100644
--- a/src/IdentityServer/Extensions/IdentityServerToolsExtensions.cs
+++ b/src/IdentityServer/Extensions/IdentityServerToolsExtensions.cs
@@ -13,9 +13,9 @@
 namespace Duende.IdentityServer;
 
 /// <summary>
-/// Extensions for IdentityServerTools
+/// Extensions for IIdentityServerTools
 /// </summary>
-public static class IdentityServerToolsExtensions
+public static class IIdentityServerToolsExtensions
 {
     /// <summary>
     /// Issues the client JWT.
@@ -27,7 +27,7 @@ public static class IdentityServerToolsExtensions
     /// <param name="audiences">The audiences.</param>
     /// <param name="additionalClaims">Additional claims</param>
     /// <returns></returns>
-    public static async Task<string> IssueClientJwtAsync(this IdentityServerTools tools,
+    public static async Task<string> IssueClientJwtAsync(this IIdentityServerTools tools,
         string clientId,
         int lifetime,
         IEnumerable<string> scopes = null,
diff --git a/src/IdentityServer/IdentityServerTools.cs b/src/IdentityServer/IdentityServerTools.cs
index 990267a31..a07a85b0e 100644
--- a/src/IdentityServer/IdentityServerTools.cs
+++ b/src/IdentityServer/IdentityServerTools.cs
@@ -15,29 +15,10 @@
 namespace Duende.IdentityServer;
 
 /// <summary>
-/// Class for useful helpers for interacting with IdentityServer
+/// Useful helpers for interacting with IdentityServer.
 /// </summary>
-public class IdentityServerTools
+public interface IIdentityServerTools
 {
-    internal readonly IServiceProvider ServiceProvider;
-    internal readonly IIssuerNameService IssuerNameService;
-    private readonly ITokenCreationService _tokenCreation;
-    private readonly IClock _clock;
-
-    /// <summary>
-    /// Initializes a new instance of the <see cref="IdentityServerTools" /> class.
-    /// </summary>
-    /// <param name="serviceProvider">The provider.</param>
-    /// <param name="issuerNameService">The issuer name service</param>
-    /// <param name="tokenCreation">The token creation service.</param>
-    /// <param name="clock">The clock.</param>
-    public IdentityServerTools(IServiceProvider serviceProvider, IIssuerNameService issuerNameService, ITokenCreationService tokenCreation, IClock clock)
-    {
-        ServiceProvider = serviceProvider;
-        IssuerNameService = issuerNameService;
-        _tokenCreation = tokenCreation;
-        _clock = clock;
-    }
 
     /// <summary>
     /// Issues a JWT.
@@ -46,11 +27,7 @@ public IdentityServerTools(IServiceProvider serviceProvider, IIssuerNameService
     /// <param name="claims">The claims.</param>
     /// <returns></returns>
     /// <exception cref="System.ArgumentNullException">claims</exception>
-    public virtual async Task<string> IssueJwtAsync(int lifetime, IEnumerable<Claim> claims)
-    {
-        var issuer = await IssuerNameService.GetCurrentAsync();
-        return await IssueJwtAsync(lifetime, issuer, claims);
-    }
+    Task<string> IssueJwtAsync(int lifetime, IEnumerable<Claim> claims);
 
     /// <summary>
     /// Issues a JWT.
@@ -60,11 +37,7 @@ public virtual async Task<string> IssueJwtAsync(int lifetime, IEnumerable<Claim>
     /// <param name="claims">The claims.</param>
     /// <returns></returns>
     /// <exception cref="System.ArgumentNullException">claims</exception>
-    public virtual Task<string> IssueJwtAsync(int lifetime, string issuer, IEnumerable<Claim> claims)
-    {
-        var tokenType = OidcConstants.TokenTypes.AccessToken;
-        return IssueJwtAsync(lifetime, issuer, tokenType, claims);
-    }
+    Task<string> IssueJwtAsync(int lifetime, string issuer, IEnumerable<Claim> claims);
 
     /// <summary>
     /// Issues a JWT.
@@ -75,6 +48,58 @@ public virtual Task<string> IssueJwtAsync(int lifetime, string issuer, IEnumerab
     /// <param name="claims">The claims.</param>
     /// <returns></returns>
     /// <exception cref="System.ArgumentNullException">claims</exception>
+    Task<string> IssueJwtAsync(int lifetime, string issuer, string tokenType, IEnumerable<Claim> claims);
+
+    /// <summary>
+    /// Service Provider to resolve services.
+    /// </summary>
+    public IServiceProvider ServiceProvider { get; }
+
+    /// <summary>
+    /// Issuer name service
+    /// </summary>
+    public IIssuerNameService IssuerNameService { get; }
+}
+
+/// <summary>
+/// Class for useful helpers for interacting with IdentityServer
+/// </summary>
+[Obsolete("Do not reference the IdentityServerTools implementation directly, use the IIdentityServerTools interface")]
+public class IdentityServerTools : IIdentityServerTools
+{
+    /// <inheritdoc/>
+    public IServiceProvider ServiceProvider { get; }
+
+    /// <inheritdoc/>
+    public IIssuerNameService IssuerNameService { get; }
+
+    private readonly ITokenCreationService _tokenCreation;
+    private readonly IClock _clock;
+
+    /// <inheritdoc/>
+    public IdentityServerTools(IServiceProvider serviceProvider, IIssuerNameService issuerNameService, ITokenCreationService tokenCreation, IClock clock)
+    {
+        ServiceProvider = serviceProvider;
+        IssuerNameService = issuerNameService;
+        _tokenCreation = tokenCreation;
+        _clock = clock;
+    }
+
+    /// <inheritdoc/>
+    public virtual async Task<string> IssueJwtAsync(int lifetime, IEnumerable<Claim> claims)
+    {
+        var issuer = await IssuerNameService.GetCurrentAsync();
+        return await IssueJwtAsync(lifetime, issuer, claims);
+    }
+
+    /// <inheritdoc/>
+    public virtual Task<string> IssueJwtAsync(int lifetime, string issuer, IEnumerable<Claim> claims)
+    {
+        var tokenType = OidcConstants.TokenTypes.AccessToken;
+        return IssueJwtAsync(lifetime, issuer, tokenType, claims);
+    }
+
+    /// <inheritdoc/>
     public virtual async Task<string> IssueJwtAsync(int lifetime, string issuer, string tokenType, IEnumerable<Claim> claims)
     {
         if (String.IsNullOrWhiteSpace(issuer)) throw new ArgumentNullException(nameof(issuer));
diff --git a/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs b/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs
index c1977eeca..b80fc0034 100644
--- a/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs
+++ b/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs
@@ -31,7 +31,7 @@ public class DefaultBackChannelLogoutService : IBackChannelLogoutService
     /// <summary>
     /// The IdentityServerTools used to create and the JWT.
     /// </summary>
-    protected IdentityServerTools Tools { get; }
+    protected IIdentityServerTools Tools { get; }
 
     /// <summary>
     /// The ILogoutNotificationService to build the back channel logout requests.
@@ -58,7 +58,7 @@ public class DefaultBackChannelLogoutService : IBackChannelLogoutService
     /// <param name="logger"></param>
     public DefaultBackChannelLogoutService(
         IClock clock,
-        IdentityServerTools tools,
+        IIdentityServerTools tools,
         ILogoutNotificationService logoutNotificationService,
         IBackChannelLogoutHttpClient backChannelLogoutHttpClient,
         ILogger<IBackChannelLogoutService> logger)
diff --git a/test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs b/test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs
index 8e9062ef9..b7f087798 100644
--- a/test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs
+++ b/test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs
@@ -1428,7 +1428,7 @@ public async Task valid_id_token_hint_should_return_success()
     {
         _mockPipeline.Options.IssuerUri = IdentityServerPipeline.BaseUrl;
 
-        var tokenService = _mockPipeline.Resolve<IdentityServerTools>();
+        var tokenService = _mockPipeline.Resolve<IIdentityServerTools>();
         var id_token = await tokenService.IssueJwtAsync(600, new Claim[] {
             new Claim("sub", _user.SubjectId),
             new Claim("aud", _cibaClient.ClientId),