Token flow best practices between user and internal services

hosamyousof commented 1 month ago

Which version of Duende IdentityServer are you using? v7 Which version of .NET are you using? .net8 Describe the issue

Let's say I have the following architecture:

The user requests user access token from the IdentityServer through the Web App and
Web App needs to call the secured API 1 Service through the API Gateway by passing the user token
API 2 Service needs to call the secured API 2 Service by passing the same user token

Is it good practice to forward the user access token/identity between the internal services, and how do we achieve that?

If not, what is the best practice for token flow between internal services in an architecture like ours?

Identity Server Token Flow drawio (1)

RolandGuijt commented 1 month ago

There are two options here:

Frontend requests an access token for gateway, API 1 and 2. Gateway validates and forwards the token. (APIs have to validate too). Main downside: when token falls in the wrong hands, attacker can access all resources. How this is achieved depends on what the gateway is: is it an ASP.NET Core application?
Frontend requests an access token for the gateway. Gateway exchanges the token for one that is specific for the targeted API. This can be done using a custom grant. Please see the example here.

RolandGuijt commented 3 weeks ago

@hosamyousof Did my answer help you out? Would you like to add anything to this issue? If not I'd like to close it.

RolandGuijt commented 1 week ago

Closing for now but feel free reopen and add a comment if you feel the need.

DuendeSoftware / Support