DuendeSoftware / BFF

Framework for ASP.NET Core to secure SPAs using the Backend-for-Frontend (BFF) pattern

Consider Extension Point for Token Acquisition #152

Closed josephdecock closed 1 year ago

josephdecock commented 1 year ago

Consider adding a service in DI that abstracts how the BFF gets the tokens that it forwards to remote APIs. This would serve as an extension point that would allow a custom implementation to do complex things, e.g., token exchange before making the API call.

See https://github.com/DuendeSoftware/Support/issues/301.

Sen-Gupta commented 1 year ago

I have hit this issue as well. Blazor WASM hosted, .NET 7.

We have a Blazor hosted app on www.mysite.com. The client connects to a hosted SignalR application, signalr.mysite.com.

The client needs to connect a SignalR client, and it needs an access token to build the connection.

We are getting IAccessTokenProvider as null in Dependency Injection.

```csharp
hubConnection = new HubConnectionBuilder()
    .WithUrl(NavigationManager.ToAbsoluteUri("/messageshub"), options =>
    {
        options.AccessTokenProvider = async () =>
        {
            // tokenProvider is the injected IAccessTokenProvider
            var accessTokenResult = await tokenProvider.RequestAccessToken();
            // Return null when no token is available instead of dereferencing a null AccessToken
            return accessTokenResult.TryGetToken(out var accessToken) ? accessToken.Value : null;
        };
    })
    .Build();
```

Is there a way we can get a token while using BFF?

Sen-Gupta commented 1 year ago

Does this help?

https://github.com/dotnet/aspnetcore/blob/main/src/Components/WebAssembly/WebAssembly.Authentication/src/WebAssemblyAuthenticationServiceCollectionExtensions.cs#L38-L57

leastprivilege commented 1 year ago

Two things come to mind

brockallen commented 1 year ago

> Two things come to mind
>
> - token exchange
> - getting audience constrained tokens if resource isolation is being used

Hmm, and would DPoP need to be a concern here? Looking at the code, this would not work today it seems. So we can release this as-is now, and then make DPoP work down the road, or add it now.
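
An added sketch, not part of the thread and not Duende BFF's API: one shape the extension point proposed in the opening comment could take, with an implementation that does an RFC 8693 token exchange for an audience-constrained token. The interface `IRemoteApiTokenSource`, the class name, and the constructor parameters are hypothetical; client authentication by `client_secret` in the form body is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical extension point: the BFF asks this service for the token it forwards.
public interface IRemoteApiTokenSource
{
    Task<string?> GetTokenAsync(string userAccessToken, string audience, CancellationToken ct);
}

// Swaps the user's access token for one constrained to a single API (RFC 8693).
public sealed class TokenExchangeTokenSource : IRemoteApiTokenSource
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId, _clientSecret;

    public TokenExchangeTokenSource(HttpClient http, Uri tokenEndpoint, string clientId, string clientSecret)
        => (_http, _tokenEndpoint, _clientId, _clientSecret) = (http, tokenEndpoint, clientId, clientSecret);

    // Form parameters defined by RFC 8693 section 2.1.
    public static Dictionary<string, string> BuildRequest(
        string subjectToken, string audience, string clientId, string clientSecret) => new()
    {
        ["grant_type"] = "urn:ietf:params:oauth:grant-type:token-exchange",
        ["subject_token"] = subjectToken,
        ["subject_token_type"] = "urn:ietf:params:oauth:token-type:access_token",
        ["audience"] = audience,
        ["client_id"] = clientId,
        ["client_secret"] = clientSecret,
    };

    public async Task<string?> GetTokenAsync(string userAccessToken, string audience, CancellationToken ct)
    {
        using var body = new FormUrlEncodedContent(BuildRequest(userAccessToken, audience, _clientId, _clientSecret));
        using var response = await _http.PostAsync(_tokenEndpoint, body, ct);
        // Fail closed: forward no token rather than fall back to the unconstrained one.
        if (!response.IsSuccessStatusCode) return null;

        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
        var root = json.RootElement;
        // A DPoP-bound token needs a proof on every API call, which this sketch does not create.
        if (root.TryGetProperty("token_type", out var type) &&
            !string.Equals(type.GetString(), "Bearer", StringComparison.OrdinalIgnoreCase)) return null;
        return root.TryGetProperty("access_token", out var token) ? token.GetString() : null;
    }
}
```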