2
votes

I have an IdentityServer4 set up to authenticate using Google, and that's working great, including storing the tokens in AspNetUserTokens.

Additionally, I have a separate service that needs to be able to use the access and refresh tokens to call Google's API on behalf of the user later, when they are not logged in.

I'm not understanding how to request the tokens from IdentityServer and keep them up to date (swap out the access token and expiration date). I can do this directly by adding an endpoint to IdentityServer to request the tokens, but then the external access token in IdentityServer would never be updated.

1
If I understand correctly, you want to authenticate the API using a non-interactive flow against IdentityServer. Perhaps with Client Credentials flow? I'm not sure if you should reveal tokens from Google to the API. Maybe you should keep them in IdentityServer and refresh them as needed - Andres M
I've already authenticated the user using an interactive flow, and they've granted the application permissions. I want to keep them in IdentityServer, but need to use the access/refresh tokens in the separate service to do work on behalf of the user - ChickenMilkBomb
Yes. I just mean, you have to authenticate the API somehow, since it needs to run after the user has logged out. So maybe you could do client credentials and request a scope that returns the tokens as claims to the API. Each time you authenticate, IdentityServer could return an up-to-date token. What do you think? - Andres M
It's definitely a possibility. I'm reading on Extension Grants, which seems like what I'm looking for, but - I'm a n00b to IdentityServer, so there's that - ChickenMilkBomb
Would you be able to post your configuration setup for ID4 and how you have configured the resources to date? Always helps when there is some code to troubleshoot. - Aeseir
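An added example, not code from the question or its comments, of the extension-grant route raised above: the background service authenticates to IdentityServer with its own client secret and asks for one user's Google access token; the validator reads the tokens the external sign-in saved to AspNetUserTokens, refreshes against Google when the access token is about to expire, writes the new access token and expiry back so IdentityServer's copy never goes stale, and returns the Google token as extra token-response fields rather than as claims inside the issued JWT. The grant name "google_delegation", the "user_id" request parameter, the IdentityUser type, the constructor arguments, the "Google" provider name with access_token/refresh_token/expires_at token names, and the response field names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
// Assumed: external sign-in saved Google's tokens to AspNetUserTokens under provider "Google"
// with the names access_token, refresh_token and expires_at (round-trip "o" date format).
public class GoogleDelegationGrantValidator : IExtensionGrantValidator
{
    private const string Provider = "Google";
    private readonly UserManager<IdentityUser> _users;
    private readonly HttpClient _http;
    private readonly string _clientId, _clientSecret; // the Google OAuth app's own credentials
    public GoogleDelegationGrantValidator(UserManager<IdentityUser> users, HttpClient http, string clientId, string clientSecret)
    { _users = users; _http = http; _clientId = clientId; _clientSecret = clientSecret; }
    public string GrantType => "google_delegation"; // assumed name; allow it only for the background service's client
    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var userId = context.Request.Raw.Get("user_id"); // assumed request parameter naming the user to act for
        var user = userId == null ? null : await _users.FindByIdAsync(userId);
        var refreshToken = user == null ? null : await _users.GetAuthenticationTokenAsync(user, Provider, "refresh_token");
        if (refreshToken == null) // unknown user, or the user never granted offline access
        { context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "no Google refresh token for user"); return; }
        var accessToken = await _users.GetAuthenticationTokenAsync(user, Provider, "access_token");
        var expiresAt = await _users.GetAuthenticationTokenAsync(user, Provider, "expires_at");
        // Refresh a minute early so the caller never gets a token that expires while in flight.
        if (!DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out var exp)
            || exp <= DateTimeOffset.UtcNow.AddMinutes(1))
        {
            using var resp = await _http.PostAsync("https://oauth2.googleapis.com/token", new FormUrlEncodedContent(
                new Dictionary<string, string> { ["grant_type"] = "refresh_token", ["refresh_token"] = refreshToken,
                                                 ["client_id"] = _clientId, ["client_secret"] = _clientSecret }));
            if (!resp.IsSuccessStatusCode) // usually invalid_grant: consent was revoked, so the user must sign in again
            { context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Google refresh failed; re-consent required"); return; }
            using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
            accessToken = doc.RootElement.GetProperty("access_token").GetString();
            exp = DateTimeOffset.UtcNow.AddSeconds(doc.RootElement.GetProperty("expires_in").GetInt32());
            await _users.SetAuthenticationTokenAsync(user, Provider, "access_token", accessToken); // persist rotated values
            await _users.SetAuthenticationTokenAsync(user, Provider, "expires_at", exp.ToString("o", CultureInfo.InvariantCulture));
            if (doc.RootElement.TryGetProperty("refresh_token", out var rotated)) // Google rarely issues a new one; keep the old otherwise
                await _users.SetAuthenticationTokenAsync(user, Provider, "refresh_token", rotated.GetString());
        }
        // Hand the Google token back as extra token-response fields (assumed names) rather than as claims in the issued JWT.
        context.Result = new GrantValidationResult(user.Id, GrantType, customResponse: new Dictionary<string, object>
            { ["google_access_token"] = accessToken, ["google_expires_at"] = exp.ToString("o", CultureInfo.InvariantCulture) });
    }
}
```

Register it with `AddExtensionGrantValidator<GoogleDelegationGrantValidator>()` on the IdentityServer builder and list "google_delegation" in the background service client's AllowedGrantTypes, so no other client can request another user's Google token.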

1 Answers

-2
votes

Your best bet was to use Hybrid Flow where the refresh token is stored in your service DB directly. IDS is just a proxy here and is not responsible for storing a refresh token not issued by itself.