C
C#2y ago
N8

❔ ASP.NET Core - How to handle external authentication access tokens?

Hi all, ASP.NET Core beginner here. Where do I put external authentication access tokens after I have retrieved them? Does anyone have any links to documentation that explains how to do this well? I'm struggling to find any good documentation for beginners. I'm working on a Controller that needs to make HTTP requests to an external REST API. I'm able to make requests to the external API to get access tokens using a client ID/secret. I can also then use those access tokens to make requests to the external API. My problem now is I don't know how I'm supposed to securely store them and how I can properly re-use them without needing to request a new token every time I make a request.
21 Replies
Pobiega
Pobiega2y ago
You'd likely store it in application memory, perhaps in some kind of cache system to help with renewal assuming this token isnt related to a specific user in your system that is
N8
N8OP2y ago
It's not related to a specific user. I'm trying to utilize the Client Credentials flow
Pobiega
Pobiega2y ago
sure
N8
N8OP2y ago
Would you have any examples of a cache system design I could use for "inspiration"? Or are there any NuGet packages that handle this so I don't need to reinvent the wheel?
Pobiega
Pobiega2y ago
IMemoryCache should be enough it supports expiration and GetOrCreate if the external auth system supports renewal tokens, you might need to write your own or find a nuget since that makes it slightly more complicated
N8
N8OP2y ago
Yeah, it does support renewal tokens... :/
Unknown User
Unknown User2y ago
Message Not Public
Sign In & Join Server To View
N8
N8OP2y ago
Yeah, that would make sense Is it OK if I ask a few follow-up questions to confirm my understanding of your explanation? (I'm still very new to ASP.NET Core and Dependency Injection in general, so I may ask some silly questions)
Pobiega
Pobiega2y ago
of course keep using this thread. here is a basic boilerplate implementation of the factory 
public class ExternalApiTokenFactory
{
    private readonly IOptions<ExternalApiCredentialsOptions> _options;
    private Token? _token;

    public ExternalApiTokenFactory(IOptions<ExternalApiCredentialsOptions> options)
    {
        _options = options;
        _token = null;
    }

    public async Task<string> GetToken()
    {
        if (_token == null)
        {
            _token = await RequestNewToken();
            return _token.AccessToken;
        }

        if (_token.IsAboutToExpire(_options.Value.RenewalInterval))
        {
            _token = await RenewToken(_token);
        }

        return _token.AccessToken;
    }

    private async Task<Token> RenewToken(Token token)
    {
        throw new NotImplementedException();
    }

    private async Task<Token> RequestNewToken()
    {
        throw new NotImplementedException();
    }
}
public class ExternalApiTokenFactory
{
    private readonly IOptions<ExternalApiCredentialsOptions> _options;
    private Token? _token;

    public ExternalApiTokenFactory(IOptions<ExternalApiCredentialsOptions> options)
    {
        _options = options;
        _token = null;
    }

    public async Task<string> GetToken()
    {
        if (_token == null)
        {
            _token = await RequestNewToken();
            return _token.AccessToken;
        }

        if (_token.IsAboutToExpire(_options.Value.RenewalInterval))
        {
            _token = await RenewToken(_token);
        }

        return _token.AccessToken;
    }

    private async Task<Token> RenewToken(Token token)
    {
        throw new NotImplementedException();
    }

    private async Task<Token> RequestNewToken()
    {
        throw new NotImplementedException();
    }
}
you might want to add locks and stuff here
N8
N8OP2y ago
From what I understand: 1. I need to create a Token Factory to handle specific functionalities like retrieving new tokens and returning it, or returning existing tokens that haven't expired, or renewing an existing token 2. I then make an HttpMessageHandler that injects the token factory. That HttpMessageHandler will make requests to the external API and will use methods from the token factory whenever a token is needed? 3. I use that HttpMessageHandler in my Controller whenever I need to make calls to the external API?
Pobiega
Pobiega2y ago
since if this is used from a webapi, you might get several requests hitting this while its trying to renew/get a token.
N8
N8OP2y ago
Is that somewhat correct? Thank you, this is very useful
Pobiega
Pobiega2y ago
1 and 2 are correct 3 should be " I use that typed HttpClient that uses that HttpMessageHandler ..." Look into IHttpClientFactory if you haven't already, especially "Typed http clients"
Pobiega
Pobiega2y ago
N8
N8OP2y ago
Okay, great. Thank you both. This is all very helpful Last question: do you both have any recommendations for any good courses for ASP.NET Core? I'm a newly grad with very limited experience in Java Spring, so I can make some connections, but overall it's new to me and I'd love to take the time to learn the in's and out's of this. I'm open to Udemy course recommendations, textbook recommendations, etc
Pobiega
Pobiega2y ago
Nope, sorry. The downside of already knowing it is I can't recommend ways to learn it 😛
N8
N8OP2y ago
No worries lol. Thank you both again
Pobiega
Pobiega2y ago
Its worth mentioning that none of this (TokenFactory, typed httpclient, HttpClientFactory etc) is related to ASP.NET as such its just general .NET 🙂
Unknown User
Unknown User2y ago
Message Not Public
Sign In & Join Server To View
Pobiega
Pobiega2y ago
Yeah, true. TokenFactory would be an entirely custom class.
Accord
Accord2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server