aspnet-core | api-management | identityserver

ASP.NET Core - OAuth 2.0 Client Access Token Management

OAuth 2.0 client access token management in an ASP.NET Core application

Abhith Rajan
Abhith RajanJanuary 09, 2022 · 4 min read · Last Updated:
ASP.NET Core - OAuth 2.0 Client Access Token Management

In a microservice world, the machine (microservice A) to machine (microservice B) communications can be secured using an OAuth 2.0 compatible token service, IdentityServer in our case. i.e To successfully call microservice B, microservice A needs to get an access token first via client credentials grant type from the IdentityServer with the right scope for the operation.

  • microservice A calls IdentityServer to get an access token.
  • microservice A then calls microservice B with the access token in the authorization header (bearer token).
  • microservice B validates the access token, responds to microservice A with a valid response.

The above steps are fine for a single call, but in case of multiple calls from A to B, A doesn’t need to get an IdentityServer token every time since each token has its validity, so basically, A can reuse the token until it expires.

For the token reusing, you don’t need to implement the caching and refreshing token logic anywhere since some good people who are maintaining IdentityModel.AspNetCore already done that. All we need to do is set up it, and consume it.

The library will take care of the following,

  • caching abstraction for access tokens
  • automatic renewal of expired access tokens
  • token lifetime automation for HttpClient

let’s jump into the setup. Following are our assumptions,

  • microservice B has endpoints,
    • POST /orders and it requires IdentityServer token with orders.write scope to create new orders,
    • and to fetch the orders GET /orders endpoint, the scope for that one is orders.read.
  • microservice A has valid client credentials configured on the IdentityServer with the above scopes added to the allowed scopes. i.e microservice A is allowed to call the microservice B.

So let’s configure microservice A,

  • Install IdentityModel.AspNetCore package

In the Startup.cs > ConfigureServices

// Setup token management service
services.AddAccessTokenManagement(options =>
{
  options.Client.Clients.Add(AppConsts.StsClientName, new ClientCredentialsTokenRequest
  {
    Address = $"{Configuration.GetValue<string>("Authentication:Sts:BaseUrl")}/connect/token", // Token service (IdentityServer) base URL
    ClientId = Configuration.GetValue<string>("Authentication:Sts:ClientId"),
    ClientSecret = Configuration.GetValue<string>("Authentication:Sts:ClientSecret"),
    Scope = $"{AppConsts.OrdersWriteScope} {AppConsts.OrdersReadScope}" // Any number of scopes, space separated
  });
});

// Adds a named HTTP client for the factory that automatically sends the client access token
services.AddClientAccessTokenClient(AppConsts.StsClientName, AppConsts.StsClientName, client => client.BaseAddress = new Uri(Configuration.GetValue<string>("ApiBaseUrl"))); // microservice B base URL

Here we setup the token management service and a named HttpClient that uses the same. Also you can observe, we moved the static string params to a AppConsts.cs file,

public class AppConsts
{
    public const string OrdersWriteScope = "orders.write";
    public static string OrdersReadScope = "orders.read";
    public static string StsClientName = "microservice_a_api_client";
}

And the configurations like client credentials, token service endpoint, and rest are kept in the appsettings.json or somewhere more private like Azure App Configuration, keyvault, and loaded to the aspnetcore configurations.

  "ApiBaseUrl": "https://microservice-b.com",
  "Authentication": {
    "Sts": {
      "BaseUrl": "https://my-identityserver.com",
      "ClientId": "microservice_a_api",
      "ClientSecret": ""
    }
  },

Configuration is done, now let’s consume the HttpClient. Here I’m using Flurl to make the HTTP request, if you prefer direct HttpClient usage, you can do that way. You don’t need to do anything special to get the access token since it is already taken care of.

using Flurl.Http;

public class GetOrdersQueryHandler : IRequestHandler<SomeInput, SomeOutput>
{
    private readonly IFlurlClient _flurlClient;

    public GetOrdersQueryHandler(IHttpClientFactory httpClientFactory)
    {
        var httpClient = httpClientFactory.CreateClient(AppConsts.StsClientName);
        _flurlClient = new FlurlClient(httpClient);

    }

    public async Task<SomeOutput> Handle(SomeInput request, CancellationToken cancellationToken)
    {
        return await _flurlClient
                .Request($"/orders")
                .GetJsonAsync<SomeOutput>(cancellationToken);
    }
}

As you can see, we use the named httpClient, and that client is already configured to have the access token with the scopes. That’s it. You can use the same way to call the create order endpoint since the client has an access token with both scopes.

Additional Resources

aspnet-coreapi-managementidentityserver

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written byAbhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He's coding for almost a decade now. He codes 🧑‍💻, write ✍️, learn 📖 and advocate 👍.
Connect

Webmentions

Is this page helpful?

Buy me a coffee

Related ArticlesView All

ASP.NET Core - Using Mutliple Authentication Schemes
ASP.NET Core - Using Mutliple Authentication Schemes
July 11, 2020 · 4 min read

One endpoint, authorize using Identity Server or using a custom authentication handler.

abhith rajan
by Abhith Rajan
aspnet-core
Serilog - Console Sink Themes
Serilog - Console Sink Themes
June 20, 2020 · 1 min read

Curious about how each theme in Serilog.Sinks.Console looks like? Check them here.

abhith rajan
by Abhith Rajan
serilogaspnet-corelogging
Azure DevOps Build - Could not locate the assembly
Azure DevOps Build - Could not locate the assembly
January 23, 2020 · 1 min read

.NET Core build failing for Azure DevOps? Check if there is any assembly reference and replace it with proper NuGet package.

abhith rajan
by Abhith Rajan
azure-devopsaspnet-coredotnet-core
.NET Core API Gateway Ocelot - Logging HTTP Requests & Response Including Headers & Body
.NET Core API Gateway Ocelot - Logging HTTP Requests & Response Including Headers & Body
December 26, 2019 · 5 min read

Setup Ocelot API Gateway in ASP.NET Core and configure HTTP request and response logging including headers and body.

abhith rajan
by Abhith Rajan
aspnet-coreapiapi-management
ASP.NET Core - Return 500 (Internal Server Error) or any other Status Code from API
ASP.NET Core - Return 500 (Internal Server Error) or any other Status Code from API
September 16, 2019 · 2 min read

A good REST API will respond with proper HTTP status codes. In ASP.NET Core, returning status code is easier than you might think.

abhith rajan
by Abhith Rajan
aspnet-coreapi
Docker - SQL Error on ASP.NET Core Alpine
Docker - SQL Error on ASP.NET Core Alpine
May 07, 2019 · 2 min read

Having trouble to connect to a remote SQL server from an ASP.NET Core app running on top of Alpine dotnet on a linux container?

abhith rajan
by Abhith Rajan
aspnet-coredockersql-server

Related VideosView All

Why I DON'T use MediatR in ASP.NET Core

aspnet-core

Don't Use AutoMapper in C#! Do THIS Instead!

c-sharpaspnet-core

Do you need IdentityServer?

identityserverdotnet

Related StoriesView All

ASP.NET Core
How To Easily Create PDF Documents in ASP.NET Core
milanjovanovic.tech · Dec 08, 2023

Reporting is essential for business applications like e-commerce, shipping, fintech, etc. One of the most popular document formats for reporting purposes is PDF. Today I want to show you a few interesting ways to generate PDF files in .NET.

aspnet-core
ASP.NET Core
Alba for Effective ASP.Net Core Integration Testing – The Shade Tree Developer
jeremydmiller.com · Dec 08, 2022

Alba is a small library that enables easy integration testing of ASP.Net Core routes completely in process within an NUnit/xUnit.Net/MSTest project.

aspnet-coretesting
ASP.NET Core
Next.js meets ASP .NET Core — a story of performance and love at long tail | by David Nissimoff | Medium
medium.com · Aug 31, 2022

If you are a frontend developer, chances are you have heard of or you actively use Next.js. And if you are a backend developer (or not), surely Node.js more than rings a bell. Afterall, if one wants…

aspnet-corereact
ASP.NET Core
ASP.NET Core Display Description Tag Helper | Khalid Abuhakmeh
khalidabuhakmeh.com · Dec 22, 2022

An ASP.NET Core Tag Helper to Use the DisplayAttribute Description for HTML UI elements

aspnet-core
ASP.NET Core
Contextual Feature Filters in ASP.NET Core - Code Rethinked
coderethinked.com · Nov 08, 2022

Contextual feature filters are helpful and allow you to enable/disable a feature based on the context supplied.

aspnet-core
ASP.NET Core
How to Register Services for Different Environments in .NET - Code Maze
code-maze.com · Aug 10, 2022

In this article, we are going to show you how to register services for different environments in .NET application.

aspnet-core

Related Tools & ServicesView All

jwt.io

JWT.IO

JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).
identityserver
flurl.dev

Flurl

Flurl is a modern, fluent, asynchronous, testable, portable, buzzword-laden URL builder and HTTP client library for .NET.
apiaspnet-core