Closed: hosamyousof closed this 3 months ago
There are two options here:
Frontend requests an access token for the gateway, API 1 and API 2. The gateway validates and forwards the token (the APIs have to validate it too). Main downside: when the token falls into the wrong hands, the attacker can access all resources. How this is achieved depends on what the gateway is: is it an ASP.NET Core application?
Frontend requests an access token for the gateway. The gateway exchanges the token for one that is specific to the targeted API. This can be done using a custom grant. Please see the example here.
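The second option (token exchange through a custom grant), as an added example that is not part of this thread or of Duende's own samples. It follows the shape of Duende IdentityServer's extension-grant API (`IExtensionGrantValidator`, `ITokenValidator`, `GrantValidationResult`) and the RFC 8693 parameter names from the `OidcConstants` class in the IdentityModel package; the client id `gateway`, the scope name `api1`, the secret and the `using IdentityModel;` namespace are assumptions, so check them against the package versions your project references. The point of the exchange is the last comment in the block: the gateway can only ever obtain a token for `api1`, so a stolen exchanged token cannot be replayed against API 2.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Validation;
using IdentityModel; // assumption: may be Duende.IdentityModel depending on your package version

// Extension grant implementing RFC 8693 token exchange: the gateway presents the user's
// access token as subject_token and gets back a new token that is valid for one API only.
public class TokenExchangeGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _tokenValidator;

    public TokenExchangeGrantValidator(ITokenValidator tokenValidator)
    {
        _tokenValidator = tokenValidator;
    }

    // "urn:ietf:params:oauth:grant-type:token-exchange"
    public string GrantType => OidcConstants.GrantTypes.TokenExchange;

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // Fail closed: every early return below leaves this error in place.
        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest);

        var subjectToken = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectToken);
        var subjectTokenType = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectTokenType);

        // Only accept an access token as the thing being exchanged.
        if (string.IsNullOrWhiteSpace(subjectToken) ||
            subjectTokenType != OidcConstants.TokenTypeIdentifiers.AccessToken)
        {
            return;
        }

        // Let IdentityServer validate the incoming token itself (signature, lifetime,
        // issuer; a revoked reference token also fails here). Never trust the claims
        // in subject_token before this step.
        var validation = await _tokenValidator.ValidateAccessTokenAsync(subjectToken);
        if (validation.IsError)
        {
            return;
        }

        var sub = validation.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject)?.Value;
        if (sub is null)
        {
            // A client-credentials token carries no user, so there is nothing to delegate.
            return;
        }

        // Record which client (the gateway) is now acting on the user's behalf ("act" claim).
        var actor = new { client_id = context.Request.Client.ClientId };
        var actClaim = new Claim(
            JwtClaimTypes.Actor,
            JsonSerializer.Serialize(actor),
            IdentityServerConstants.ClaimValueTypes.Json);

        var customResponse = new Dictionary<string, object>
        {
            [OidcConstants.TokenResponse.IssuedTokenType] = OidcConstants.TokenTypeIdentifiers.AccessToken
        };

        // Same user as before; the scopes (and therefore the audience) of the new token come
        // from the "scope" parameter of this request, limited by the gateway's AllowedScopes.
        context.Result = new GrantValidationResult(
            subject: sub,
            authenticationMethod: GrantType,
            claims: new[] { actClaim },
            customResponse: customResponse);
    }
}

public static class TokenExchangeSetup
{
    // Client entry for the gateway (assumed names). AllowedScopes is the actual security
    // boundary: an exchanged token can only ever be scoped to api1, never to api2.
    public static Client GatewayClient => new Client
    {
        ClientId = "gateway",
        ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) },
        AllowedGrantTypes = { OidcConstants.GrantTypes.TokenExchange },
        AllowedScopes = { "api1" }
    };
}
```

Register the validator on the IdentityServer host with `.AddExtensionGrantValidator<TokenExchangeGrantValidator>()` after `AddIdentityServer()`. Before calling API 1, the gateway POSTs to `/connect/token` with `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`, `subject_token=<the user's token>`, `subject_token_type=urn:ietf:params:oauth:token-type:access_token`, `scope=api1` and its own client credentials, then forwards the returned token instead of the user's original one. API 1 validates that token exactly as it would any other (issuer, signature, audience `api1`), so no extra trust in the gateway is needed; the `act` claim tells API 1 that the call came through the gateway rather than directly from the frontend.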
@hosamyousof Did my answer help you out? Would you like to add anything to this issue? If not I'd like to close it.
Closing for now, but feel free to reopen and add a comment if you feel the need.
Which version of Duende IdentityServer are you using?
v7
Which version of .NET are you using?
.NET 8
Describe the issue
Let's say I have the following architecture:
Is it good practice to forward the user access token/identity between the internal services, and how do we achieve that?
If not, what is the best practice for token flow between internal services in an architecture like ours?