dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Standardize way to add OAuth tokens via IHttpClientBuilder #84263

Open mkane91301 opened 1 year ago

mkane91301 commented 1 year ago

Similarly on the client side, there is no standard way to take an IHttpClientBuilder and add an OAuth bearer token to its calls from such-and-such a vendor's identity server according to some configuration. I wrote much more code than I can snip here to create a standard way for our shop. I'd open source it if my company allowed, but this should already be part of Microsoft.Extensions anyway.

I'd file another issue for this, with the specifics as well. There's more detail needed here. It's unclear to me if you're trying to set tokens in the request or do something more complex, (like an oauth2 auth flow, that supports getting the token, storing the refresh token and renewing it etc).

Originally posted by @davidfowl in https://github.com/dotnet/aspnetcore/issues/47461#issuecomment-1486204571

Here's the scenario: you are exposing a REST API secured with OAuth tokens provided by a 3rd-party identity provider, such as Okta or the like. You need to provide a .NET client SDK that will use IHttpClientBuilder to register a strongly-typed client for your API and it will also inject the needed OAuth token, taking care of retrieving it from the identity server and caching it.

Right now, you have to hope that your identity provider has an SDK that will handle the token injection (narrator voice: it doesn't) and even if it does, if you wanted to change identity providers, you would have to rewrite everything.

What would be helpful would be a standard way in Microsoft.Extensions.Http that would let you do something like .AddOAuthProvider<OktaClientProvider>(configuration) and each identity provider would make a NuGet package with a class that implements some interface defined in something like Microsoft.Extensions.Http.OAuth, but the configuration would be defined by Microsoft and wouldn't change if you swapped out a different OAuth client provider. Also, the caching of the tokens would be in the common implementation, not the implementation that is specific to each identity provider.
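The scenario in the post above (fetch a token from the identity server, cache it, attach it to every call made through an IHttpClientBuilder) can be wired up today with a DelegatingHandler. This is an added example, not code from the issue or from Microsoft.Extensions.Http. `OAuthClientOptions`, `TokenCache`, `BearerTokenHandler`, `AddClientCredentialsToken` and the client name `oauth-token-endpoint` are hypothetical, and it assumes .NET 8 with implicit usings, the client-credentials grant with the secret sent in the form body, and one identity provider per application.

```csharp
using System.Net.Http.Headers;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
// Hypothetical options record; these names are assumptions, not a Microsoft-defined schema.
public sealed record OAuthClientOptions(string TokenEndpoint, string ClientId, string ClientSecret, string Scope);
// Singleton, provider-independent cache: the token outlives the factory's pooled handlers.
public sealed class TokenCache(IHttpClientFactory factory, OAuthClientOptions options)
{
    private readonly SemaphoreSlim _gate = new(1, 1);
    private string? _token; private DateTimeOffset _expiresAt;
    public async Task<string> GetTokenAsync(CancellationToken ct)
    {
        await _gate.WaitAsync(ct); // one refresh at a time, no stampede when the token expires
        try
        {
            if (_token is not null && DateTimeOffset.UtcNow < _expiresAt) return _token;
            // Named client without the bearer handler, so the token request cannot recurse.
            var http = factory.CreateClient("oauth-token-endpoint");
            using var form = new FormUrlEncodedContent(new Dictionary<string, string> {
                ["grant_type"] = "client_credentials", ["scope"] = options.Scope,
                ["client_id"] = options.ClientId, ["client_secret"] = options.ClientSecret });
            using var response = await http.PostAsync(options.TokenEndpoint, form, ct);
            response.EnsureSuccessStatusCode();
            using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
            _token = json.RootElement.GetProperty("access_token").GetString()!;
            // expires_in is optional in the token response; without it the token is not reused.
            var lifetime = json.RootElement.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 0;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(Math.Max(0, lifetime - 60)); // renew 60 s early
            return _token;
        }
        finally { _gate.Release(); }
    }
}
// Transient handler that attaches the cached token to each outgoing request.
public sealed class BearerTokenHandler(TokenCache cache) : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await cache.GetTokenAsync(ct));
        return await base.SendAsync(request, ct);
    }
}
public static class OAuthHttpClientBuilderExtensions // hypothetical name
{
    public static IHttpClientBuilder AddClientCredentialsToken(this IHttpClientBuilder builder, OAuthClientOptions options)
    {
        builder.Services.AddSingleton(options).AddSingleton<TokenCache>()
            .AddTransient<BearerTokenHandler>().AddHttpClient("oauth-token-endpoint");
        return builder.AddHttpMessageHandler<BearerTokenHandler>();
    }
}
```

The cache lives in a singleton rather than in the handler because IHttpClientFactory recycles handler instances, and the client secret and token never need to be logged or stored outside this class.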

ghost commented 1 year ago

Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

Issue Details
Author: mkane91301
Assignees: -
Labels: `area-System.Net.Http`
Milestone: -

ghost commented 1 year ago

Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

Issue Details
Author: mkane91301
Assignees: -
Labels: `untriaged`, `area-Extensions-HttpClientFactory`
Milestone: -

CarnaViire commented 1 year ago

Triage: we are not sure it is possible to create universal abstractions, and even if we do, we don't have any control over third-party identity providers to make sure they implement it.

We might investigate some approaches to make it easier in general in the future, if there would be enough customer ask.