Consider Extension Point for Token Acquisition

[josephdecock]

Consider adding a service in DI that abstracts how the BFF gets the tokens that it forwards to remote APIs. This would serve as an extension point that would allow a custom implementation to do complex things, e.g., token exchange before making the API call.

See DuendeSoftware/Support#301.

[Sen-Gupta]

I have hit this issue as well. Blazor WASM hosted, .Net 7.

We have a blazor hosted app, on www.mysite.com
The client connects to a hosted signalr application, signalr.mysite.com.

The client needs to connect SignalR client and it needs access token to build the connection.

We are getting IAccessTokerProvider as null in Dependency Injection.

hubConnection = new HubConnectionBuilder()
.WithUrl(NavigationManager.ToAbsoluteUri("/messageshub"), options =>
{
options.AccessTokenProvider = async () =>
{
var accessTokenResult = await tokenProvider.RequestAccessToken();
accessTokenResult.TryGetToken(out var accessToken);
return accessToken.Value;
};
})
.Build();

Is there a way, we can get token while using Bff?

[Sen-Gupta]

Does this help?

https://github.com/dotnet/aspnetcore/blob/main/src/Components/WebAssembly/WebAssembly.Authentication/src/WebAssemblyAuthenticationServiceCollectionExtensions.cs#L38-L57

[leastprivilege]

Two things come to mind

• token exchange
• getting audience constrained tokens if resource isolation is being used

[brockallen]

Two things come to mind
token exchange
getting audience constrained tokens if resource isolation is being used

Hmm, and would DPoP need to be a concern here? Looking at the code, this would not work today it seems. So we can release this as-is now, and then make DPoP work down the road, or add it now.