RolandGuijt
commented
1 month ago If I understand correctly you want to automatically refresh/renew the token on API1 that receives the access token before forwarding it to API2. That isn't a job for AccessTokenManagement.
There are a couple of ways to handle this:
- Just forward the token and leave the refreshing to the frontend
- Create an extension grant/token exchange that exchanges the token for API1 for a token for API2. Read more about this here.
- Use Client Credentials flow and let API1 request a dedicated token for API2 using that. The downside of that is that API2 won't get user scopes.
In the last two cases the frontend isn't concerned about getting scopes for API2 which is illogical anyway because it doesn't access it directly.
The advantage when using the Client Credentials flow option is that you can still use token management by creating "smart HttpClients" that can cache the token and automatically request a new one if it expires. Please see the documentation here to see how that works.
sliekens
I have protected an API with the JWT bearer middleware: https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/8.0.6
Can I now use Duende.AccessTokenManagement for delegation flows, where I need to forward the access token from the request to another API? The documentation only discusses OpenIdConnect middleware, which does not fit my use case (Angular SPA + Web API).
Thank you.
Which version of Duende.AccessTokenManagement are you using? 2.1.2
Which version of .NET are you using? 8.0