3

I have an ASP.NET Core Web API application, and this web API needs to call another 3rd-party API which is authenticated using OAuth2. It is required to invoke the /token endpoint of this 3rd-party API by passing client_id and client_secret, and the grant type is client_credentials. And then make a subsequent request using the bearer token received to retrieve data from the 3rd-party API.

Based on my research this requirement can be implemented using HttpClient, and call 3rd-party API from the .NET Core Web API controller (or ideally in a service class accessed by the controller).

My question is: is there another way/better approach to achieve this requirement? One concern I have with the above approach is that it will call the 3rd-party /token endpoint for each request. Is it possible to do some implementation in the Startup.cs class?

1
  • I recommend reading the article "Which OAuth 2.0 flow should I use?" first. After you choose the most appropriate flow for your needs, you could create a class ThirdPartyClient that extends HttpClient and add the logic for the authentication flow you choose. With this, you would have a client to consume the 3rd-party API that you could inject wherever you need. NOTE: Only use Startup.cs to configure the DI and necessary services. Commented Jun 18, 2021 at 18:30

1 Answer

4

Take a look at IdentityModel. It provides extension methods for HttpClient to handle the client_credentials (and other) OAuth flows, caches the token (until it expires) so you don't hammer the /token endpoint on every request, and refreshes the token when needed.

You need to configure it in your Startup class, or implement ITokenClientConfigurationService if you need to configure HttpClients dynamically.

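```csharp
// Goes in Startup.ConfigureServices (IdentityModel.AspNetCore package).
// ClientCredentialsTokenRequest lives in the IdentityModel.Client namespace.
services.AddAccessTokenManagement(options =>
{
    // "identityserver" is the name used to look up this token client configuration
    options.Client.Clients.Add("identityserver", new ClientCredentialsTokenRequest
    {
        Address = "https://demo.identityserver.io/connect/token",
        ClientId = "m2m.short",
        ClientSecret = "secret", // demo value; read real secrets from configuration, not source code
        Scope = "api" // optional
    });
});
```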

5 Comments

Thank you @abdusco. If we do this, will the 1st token be retrieved when the application starts, or will it be retrieved on demand only, when it is actually required to call the 3rd-party api?
It fetches tokens on demand. You could attach an IHostedService and prefetch a token if that's important.
I was able to access the API using this. But when I expand the httpClient instance returned from HttpClientFactory, the Authorization header is null. I expected the bearer token to be available in the Authorization header. So how is this working, where is the token set in the header?
It's adding a DelegatingHandler to HttpClients which works like a middleware. It intercepts the request you send, adds / inspects the response to see if it needs to refresh the token github.com/IdentityModel/IdentityModel.AspNetCore/blob/…
Is there a way to use this together with a username and password? I need to provide that also for the auth request.
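
Added example, not part of the original thread and not IdentityModel's own code: a minimal DelegatingHandler showing the mechanism the answer and comments describe, with the client_credentials token cached until shortly before expiry, attached per request, and refreshed once on a 401. The class name `CachedTokenHandler` and its constructor parameters are hypothetical; the token response is assumed to be standard OAuth2 JSON with `access_token` and `expires_in`.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler for illustration; names are assumptions, not a library API.
public sealed class CachedTokenHandler : DelegatingHandler
{
    private readonly HttpClient _tokenClient;   // must NOT use this handler itself
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId, _clientSecret; // supply from configuration
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _token;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public CachedTokenHandler(HttpClient tokenClient, Uri tokenEndpoint, string clientId, string clientSecret)
        => (_tokenClient, _tokenEndpoint, _clientId, _clientSecret) = (tokenClient, tokenEndpoint, clientId, clientSecret);
    private async Task<string> GetTokenAsync(bool forceRefresh, CancellationToken ct)
    {
        await _gate.WaitAsync(ct);   // one caller at a time talks to /token
        try
        {
            if (!forceRefresh && _token != null && DateTimeOffset.UtcNow < _expiresAt) return _token;
            var form = new FormUrlEncodedContent(new Dictionary<string, string> {
                ["grant_type"] = "client_credentials",
                ["client_id"] = _clientId, ["client_secret"] = _clientSecret });
            using var response = await _tokenClient.PostAsync(_tokenEndpoint, form, ct);
            response.EnsureSuccessStatusCode();
            using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
            _token = doc.RootElement.GetProperty("access_token").GetString();
            var lifetime = doc.RootElement.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 60;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(Math.Max(0, lifetime - 30)); // renew 30 s early
            return _token;
        }
        finally { _gate.Release(); }
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // The token goes on the outgoing request, never on the HttpClient instance.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync(false, ct));
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
        response.Dispose();          // token rejected: refresh once and retry
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync(true, ct));
        return await base.SendAsync(request, ct); // assumes the request body can be re-sent
    }
}
```

Because the header is set on each outgoing HttpRequestMessage inside the handler pipeline, `HttpClient.DefaultRequestHeaders.Authorization` stays null when you inspect the client. With IHttpClientFactory, handlers are recycled periodically, so a production version would keep the token in a shared singleton cache rather than in handler fields.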
