Open mkane91301 opened 1 year ago
Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

| Author: | mkane91301 |
|---|---|
| Assignees: | - |
| Labels: | `area-System.Net.Http` |
| Milestone: | - |
Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

| Author: | mkane91301 |
|---|---|
| Assignees: | - |
| Labels: | `untriaged`, `area-Extensions-HttpClientFactory` |
| Milestone: | - |
Triage: we are not sure it is possible to create universal abstractions, and even if we do, we don't have any control over third-party identity providers to make sure they implement it.
We might investigate some approaches to make it easier in general in the future, if there is enough customer ask.
> I'd file another issue for this, with the specifics as well. There's more detail needed here. It's unclear to me if you're trying to set tokens in the request or do something more complex (like an OAuth2 auth flow that supports getting the token, storing the refresh token and renewing it, etc.).

Originally posted by @davidfowl in https://github.com/dotnet/aspnetcore/issues/47461#issuecomment-1486204571
Here's the scenario: you are exposing a REST API secured with OAuth tokens provided by a 3rd-party identity provider, such as Okta or the like. You need to provide a .NET client SDK that will use IHttpClientBuilder to register a strongly-typed client for your API and it will also inject the needed OAuth token, taking care of retrieving it from the identity server and caching it.
Right now, you have to hope that your identity provider has an SDK that will handle the token injection (narrator voice: it doesn't) and even if it does, if you wanted to change identity providers, you would have to rewrite everything.
What would be helpful would be a standard way in Microsoft.Extensions.Http that would let you do something like

```csharp
.AddOAuthProvider<OktaClientProvider>(configuration)
```
and each identity provider would make a NuGet package with a class that implements some interface defined in something like Microsoft.Extensions.Http.OAuth, but the configuration would be defined by Microsoft and wouldn't change if you swapped out a different OAuth client provider. Also, the caching of the tokens would be in the common implementation, not the implementation that is specific to each identity provider.
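As an added illustration of the split the request describes (shared configuration, caching and token injection on one side, a replaceable identity-provider class on the other), here is one way the provider-neutral piece could look in C#. This is example code written for this page, not code from this issue, from Microsoft.Extensions.Http, or from any identity provider's SDK. `IOAuthTokenProvider`, `OAuthClientOptions`, `OAuthTokenCache`, `OAuthTokenHandler`, `ClientCredentialsTokenProvider`, the `AddOAuthProvider` extension, the `"oauth-token-endpoint"` client name and `MyApiClient` are all hypothetical names chosen for the example; the only real APIs used are the standard HttpClientFactory, Options and Configuration ones.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Provider-neutral contract (hypothetical): each identity provider would ship a package implementing it.
public sealed record OAuthToken(string AccessToken, DateTimeOffset ExpiresAt);
public interface IOAuthTokenProvider { Task<OAuthToken> AcquireTokenAsync(CancellationToken ct); }

// Provider-neutral configuration (hypothetical), bound from an IConfiguration section.
public sealed class OAuthClientOptions
{
    public Uri TokenEndpoint { get; set; } = default!;
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";   // bind from a secret store, not from source-controlled appsettings
    public string Scope { get; set; } = "";
}

// Common cache shared by every provider. It is a singleton because IHttpClientFactory rebuilds
// DelegatingHandlers on each handler-lifetime rollover, so a token cached inside the handler would be lost.
public sealed class OAuthTokenCache
{
    private static readonly TimeSpan RefreshSkew = TimeSpan.FromSeconds(30);
    private readonly IOAuthTokenProvider _provider;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private OAuthToken? _token;
    public OAuthTokenCache(IOAuthTokenProvider provider) => _provider = provider;

    private static bool IsFresh(OAuthToken? t) => t is not null && t.ExpiresAt - RefreshSkew > DateTimeOffset.UtcNow;

    public async Task<OAuthToken> GetAsync(CancellationToken ct)
    {
        if (IsFresh(_token)) return _token!;
        await _gate.WaitAsync(ct);                 // serialise refreshes: a burst of requests fetches one token
        try
        {
            if (IsFresh(_token)) return _token!;   // another caller refreshed while we waited
            return _token = await _provider.AcquireTokenAsync(ct);
        }
        finally { _gate.Release(); }
    }
    public void Invalidate() => _token = null;
}

// Attaches the bearer token; a 401 drops the cached token so the next request acquires a fresh one.
public sealed class OAuthTokenHandler : DelegatingHandler
{
    private readonly OAuthTokenCache _cache;
    public OAuthTokenHandler(OAuthTokenCache cache) => _cache = cache;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var token = await _cache.GetAsync(ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode == HttpStatusCode.Unauthorized) _cache.Invalidate();
        return response;
    }
}

internal sealed record TokenResponse(
    [property: JsonPropertyName("access_token")] string AccessToken,
    [property: JsonPropertyName("expires_in")] int ExpiresIn);

// Sample provider: RFC 6749 client-credentials grant. An IdP-specific package would replace only this class.
public sealed class ClientCredentialsTokenProvider : IOAuthTokenProvider
{
    private readonly IHttpClientFactory _factory;
    private readonly OAuthClientOptions _o;
    public ClientCredentialsTokenProvider(IHttpClientFactory factory, IOptions<OAuthClientOptions> options)
    { _factory = factory; _o = options.Value; }

    public async Task<OAuthToken> AcquireTokenAsync(CancellationToken ct)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, _o.TokenEndpoint)
        {
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
                { ["grant_type"] = "client_credentials", ["scope"] = _o.Scope }),
        };
        // RFC 6749 §2.3.1: the client authenticates with HTTP Basic rather than putting its secret in the form body.
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            $"{Uri.EscapeDataString(_o.ClientId)}:{Uri.EscapeDataString(_o.ClientSecret)}"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        using var response = await _factory.CreateClient("oauth-token-endpoint").SendAsync(request, ct);
        response.EnsureSuccessStatusCode();
        var body = await response.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct)
                   ?? throw new InvalidOperationException("Token endpoint returned an empty body.");
        return new OAuthToken(body.AccessToken, DateTimeOffset.UtcNow.AddSeconds(body.ExpiresIn));
    }
}

public static class OAuthHttpClientBuilderExtensions
{
    // Hypothetical shape of the API the issue asks for; not a real Microsoft.Extensions.Http method.
    public static IHttpClientBuilder AddOAuthProvider<TProvider>(this IHttpClientBuilder builder, IConfiguration section)
        where TProvider : class, IOAuthTokenProvider
    {
        builder.Services.Configure<OAuthClientOptions>(section);
        builder.Services.AddHttpClient("oauth-token-endpoint");   // separate client: the token endpoint never gets the bearer handler
        builder.Services.AddSingleton<IOAuthTokenProvider, TProvider>();
        builder.Services.AddSingleton<OAuthTokenCache>();
        builder.Services.AddTransient<OAuthTokenHandler>();
        return builder.AddHttpMessageHandler<OAuthTokenHandler>();
    }
}

// Usage in the SDK's registration (MyApiClient is a hypothetical typed client):
// services.AddHttpClient<MyApiClient>(c => c.BaseAddress = new Uri("https://api.example.com/"))
//         .AddOAuthProvider<ClientCredentialsTokenProvider>(configuration.GetSection("MyApi:OAuth"));
```

Two design points matter for security here. The bearer handler is attached only to the typed client for the API, so the access token is never sent to other hosts a caller might reach through a different client, and the token-endpoint call goes through its own named client for the same reason. The cache lives in a singleton rather than in the handler because HttpClientFactory recreates handler chains periodically; keeping the token in the handler would silently turn into a fresh token request on every rollover, which both adds load on the identity provider and hides cache bugs. Expiry is checked with a small skew so a token is refreshed before it lapses, and a 401 only invalidates the cache rather than retrying, since an `HttpRequestMessage` cannot be sent twice.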