Closed dgwaldo closed 2 years ago
@dgwaldo Our OIDC flow for Duo 2fa is a little unorthodox, and we don't use access tokens, we only use Id tokens. The Id token is the return value of the ExchangeAuthorizationCodeFor2faResult Client method.
Access tokens are more suited for a OIDC-based primary authentication / access control provider, which is not what Duo is intending to be in this case.
We need to set up auth with Duo, authenticate an MVC app, at which point we'd like to have an access token to call our APIs. Also, we have a React app that lives within the MVC app. Currently, we use cookie auth to tie everything together. From your documentation I'm not at all sure how it's supposed to work. I've used Auth0 before, and their documentation is very clear for this type of scenario.
Any hints would be much appreciated.
https://auth0.com/blog/id-token-access-token-what-is-the-difference/
Are we basically on our own after authenticating to secure our APIs with an access token?
@dgwaldo I don't know exactly how your application works, so take this with a grain of salt, but my first thoughts are:
If you want an access token as a result of authentication, I think having your primary authenticator create such a token is the way to go. If you relied on an access token issued by Duo, that token could conceivably work even after logging out / expiring out of the primary authentication, which seems like a security risk to me.
You allude to 'calling APIs' with the access token? Is this intended for an automated API client? If so, I would avoid using Duo in the authentication flow at all, since Duo is intended for use in human logins, where the end user can interact with the Duo prompt.
@dgwaldo hey just wanted to chime in and say that Duo CloudSSO platform is building out support for an OIDC / OAuth2 Identity and Authorization Provider, which is what you need here.
Typically you’d rely on an OIDC/OAuth Identity Provider (OP) to issue, validate, and revoke access tokens so that you can leverage them to grant access to APIs and assets on resource servers (RS). Although our MFA integration does borrow heavily from OAuth2 to integrate with client apps, it is not a fully realized OP and you should not rely on those internal mechanisms as if it is one (see Aaron’s note about token revocation and logout).
Since you’re already a Duo MFA customer, I’d invite you to reach out to your account manager (if you have one) or to Duo support (Duo Customer Support) to join our Private or Public Previews or to stay apprised as we roll this feature out to General Availability.
@cvolny, @AaronAtDuo Thanks to you both for getting back to me. @cvolny You're exactly right as to what I'm after. Our company chose to use Duo for several clever things it can currently do. I've implemented Auth0's login flows several times. I was just expecting similar OAuth API support out of the box from Duo. Glad to hear that it's being added. For now, I'll just make my own token endpoint on the main application for the APIs in our microservices to call. This will all be post-auth with Duo and entirely separate. Thanks!
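The following is an added example, not code from the Duo SDK or from anyone in this thread, sketching the design Aaron recommends above (the primary authenticator, not Duo, issues the access token) and the "own token endpoint" dgwaldo settles on. It is written in Python rather than the C# of an MVC app so it runs stand-alone; the names `SessionStore`, `mint_access_token`, `verify_access_token` and `demo` are hypothetical, and the session flag `mfa_verified` stands in for whatever the application records once the Duo ID token has been validated. The point it demonstrates is the revocation concern: because each token carries the session id and verification looks that session up, logging out of the primary session kills the token even though it has not expired.

```python
"""Session-bound access tokens minted by the primary application after MFA.
Added example for illustration; not Duo SDK code."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
ACCESS_TOKEN_TTL = 300  # seconds; keep short, revocation is by session lookup


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Server-side session table owned by the primary authenticator (hypothetical)."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, username: str, mfa_verified: bool) -> str:
        # mfa_verified is set by the app once the Duo ID token has been validated.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": username, "mfa_verified": mfa_verified}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        # Dropping the session invalidates every access token bound to it.
        self._sessions.pop(sid, None)


def mint_access_token(store: SessionStore, sid: str, now: float,
                      key: bytes = SIGNING_KEY) -> str:
    """Issue an HMAC-signed token tied to an MFA-verified session."""
    session = store.get(sid)
    if session is None or not session["mfa_verified"]:
        raise PermissionError("access tokens are only issued after MFA completes")
    payload = {"sub": session["user"], "sid": sid,
               "iat": int(now), "exp": int(now) + ACCESS_TOKEN_TTL}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_access_token(store: SessionStore, token: str, now: float,
                        key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the payload if signature, expiry and backing session all check out."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or signed with another key
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None  # expired
    session = store.get(payload["sid"])
    if session is None or session["user"] != payload["sub"]:
        return None  # session logged out: token is dead even though unexpired
    return payload


def demo() -> tuple:
    """Mint a token, verify it, log out, verify again; returns (before, after)."""
    store = SessionStore()
    sid = store.create("alice", mfa_verified=True)  # constructed user
    token = mint_access_token(store, sid, now=1_700_000_000)
    before = verify_access_token(store, token, now=1_700_000_010) is not None
    store.logout(sid)
    after = verify_access_token(store, token, now=1_700_000_020) is not None
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The trade-off is that every API call costs a session lookup, which is what buys logout-time revocation; a stateless token would need a separate revocation list to get the same property.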
@cvolny Thanks for chiming in, I was totally on the wrong track! @dgwaldo I'll close this issue out since it sounds like our SSO+OIDC solution is what you're looking for.
Thanks for using Duo!
Looks like perhaps an oversight? At least it feels that way. Code gets the access token, but it's not exposed through the API.