
I have an IdentityServer4 set up to authenticate using Google, and that's working great, including storing the tokens in AspNetUserTokens.

Additionally I have a separate service that needs to be able to use the access and refresh tokens to call google's API on behalf of the user later, when they are not logged in.

I'm not understanding how to request the tokens from IdentityServer and keep them up to date (swap out the access token and expiration date). I can do this directly by adding an endpoint to IdentityServer to request the tokens, but then the external access token in IdentityServer would never be updated.

ChickenMilkBomb
  • If I understand correctly, you want to authenticate the API using a non-interactive flow against IdentityServer. Perhaps with Client Credentials flow? I'm not sure if you should reveal tokens from Google to the API. Maybe you should keep them in IdentityServer and refresh them as needed – Andres M Feb 08 '18 at 23:19
  • I've already authenticated the user using an interactive flow, and they've granted the application permissions. I want to keep them in identityserver, but need to use the access/refresh tokens in the separate service to do work on behalf of the user – ChickenMilkBomb Feb 08 '18 at 23:22
  • Yes. I just mean, you have to authenticate the API somehow, since it needs to run after the user has logged out. So maybe you could do client credentials and request a scope that returns the tokens as claims to the API. Each time you authenticate identity server could return an up to date token. What do you think? – Andres M Feb 08 '18 at 23:28
  • It's definitely a possibility. I'm reading on Extension Grants, which *seems* like what I'm looking for, but - I'm a n00b to IdentityServer, so there's that – ChickenMilkBomb Feb 08 '18 at 23:30
  • Would you be able to post your configuration setup for ID4 and how you have configured the resources to date? Always helps when there is some code to troubleshoot. – Aeseir Feb 12 '18 at 02:26
  • @Aeseir - I can do that, but it's not really an issue that I'm troubleshooting. I'm trying to figure out how, given a sub that has granted access to the app but is not currently logged in, I can use that granted access, which is stored on the IdentityServer service, to make a request from the separate service. The best I can come up with so far is to either just request the refresh token from a custom endpoint on IdentityServer (which seems sloppy and unsafe) or, again with a custom endpoint, request an access token, and have IdentityServer do the token refresh and return a new access token – ChickenMilkBomb Feb 12 '18 at 15:47
  • Are you looking for something like this? https://stackoverflow.com/a/41745179/4802448 – Daniel Eisenreich Feb 13 '18 at 06:33
  • Not really - that would be refreshing a token for a logged in user. What I'm looking for is the best practice for retrieving an IDP access token from IdentityServer while the user is offline. I'm leaning towards creating a custom endpoint and asking IdentityServer to return the access token and expiration after refreshing it from the IDP. It's fine and works, but I was hoping there was a better way. – ChickenMilkBomb Feb 14 '18 at 15:35
  • @ChickenMilkBomb why aren't you using an offline token? – johnny 5 Feb 14 '18 at 16:55
  • I am using and storing an offline token in the identityserver4 service. The question is around best practices for retrieving that token for use in a secondary service when the user isn't logged in. I wasn't sure if there was a recommended pattern beyond just setting up a custom endpoint on identityserver, protecting that (via itself) with client credentials, and requesting from the second service when needed – ChickenMilkBomb Feb 14 '18 at 18:21
  • Try with this example: https://github.com/IdentityServer/IdentityServer4.Templates – Benjamin RD Feb 17 '18 at 01:14
  • @MrMins Which part of the example? I have the server up and running with no problems. – ChickenMilkBomb Feb 17 '18 at 19:20
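The design the asker converges on in the comments (a custom endpoint on IdentityServer, protected with client credentials, that refreshes the Google token server-side and hands only the short-lived access token to the second service) looks roughly like the following. This is an added example, not code from the question or from IdentityServer4 itself. It assumes ASP.NET Core Identity with a user type `ApplicationUser`; the Google handler registered with `SaveTokens = true` and the external-login callback calling `SignInManager.UpdateExternalAuthenticationTokensAsync(info)`, so that the `access_token`, `refresh_token` and `expires_at` tokens land in AspNetUserTokens under login provider `Google`; the IdentityModel package on both sides; and IdentityServer4 2.3 or later with `services.AddLocalApiAuthentication()` in the IdentityServer host's Startup. The host name `ids.example.com`, the client id `background-worker` and the configuration keys `Google:ClientId` / `Google:ClientSecret` are placeholders.

```csharp
// Added example, not the question's or IdentityServer4's own code. Assumes ASP.NET Core Identity
// (ApplicationUser), Google login with SaveTokens = true whose tokens were copied into
// AspNetUserTokens via UpdateExternalAuthenticationTokensAsync, IdentityModel, and
// services.AddLocalApiAuthentication() in the IdentityServer host (IdentityServer4 2.3+).
using System;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Newtonsoft.Json;

public class GoogleAccessToken
{
    public string AccessToken { get; set; }
    public DateTimeOffset ExpiresAt { get; set; }
}

// Hosted inside IdentityServer. Only a client holding an IdentityServer-issued token with the
// "IdentityServerApi" scope can call it. The Google refresh token never leaves this host.
[ApiController]
[Route("api/google-token")]
[Authorize(IdentityServerConstants.LocalApi.PolicyName)]
public class GoogleTokenController : ControllerBase
{
    private const string Provider = "Google";
    private const string GoogleTokenEndpoint = "https://oauth2.googleapis.com/token";
    private static readonly HttpClient Http = new HttpClient();
    private readonly UserManager<ApplicationUser> _users;
    private readonly IConfiguration _config; // Google:ClientId / Google:ClientSecret (hypothetical keys)

    public GoogleTokenController(UserManager<ApplicationUser> users, IConfiguration config) { _users = users; _config = config; }

    [HttpGet("{userId}")]
    public async Task<ActionResult<GoogleAccessToken>> Get(string userId)
    {
        var user = await _users.FindByIdAsync(userId);
        if (user == null) return NotFound();

        var accessToken = await _users.GetAuthenticationTokenAsync(user, Provider, "access_token");
        var expiresAtRaw = await _users.GetAuthenticationTokenAsync(user, Provider, "expires_at");
        var refreshToken = await _users.GetAuthenticationTokenAsync(user, Provider, "refresh_token");

        // Reuse the stored access token while it is still valid, with a one-minute safety margin.
        if (!string.IsNullOrEmpty(accessToken)
            && DateTimeOffset.TryParse(expiresAtRaw, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out var expiresAt)
            && expiresAt > DateTimeOffset.UtcNow.AddMinutes(1))
            return new GoogleAccessToken { AccessToken = accessToken, ExpiresAt = expiresAt };

        // Google only issues a refresh token when the user consented with access_type=offline;
        // without one the user has to log in and consent again.
        if (string.IsNullOrEmpty(refreshToken)) return Conflict("no Google refresh token stored for this user");

        var response = await Http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = GoogleTokenEndpoint,
            ClientId = _config["Google:ClientId"],
            ClientSecret = _config["Google:ClientSecret"],
            RefreshToken = refreshToken,
        });
        if (response.IsError) return StatusCode(502, response.Error); // e.g. invalid_grant after the user revoked access

        // Persist the new access token and expiry so AspNetUserTokens stays current.
        var newExpiresAt = DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn);
        await _users.SetAuthenticationTokenAsync(user, Provider, "access_token", response.AccessToken);
        await _users.SetAuthenticationTokenAsync(user, Provider, "expires_at", newExpiresAt.ToString("o", CultureInfo.InvariantCulture));
        if (!string.IsNullOrEmpty(response.RefreshToken)) // Google usually omits this; store it if it rotates
            await _users.SetAuthenticationTokenAsync(user, Provider, "refresh_token", response.RefreshToken);

        return new GoogleAccessToken { AccessToken = response.AccessToken, ExpiresAt = newExpiresAt };
    }
}

// In the separate service: authenticate to IdentityServer with client credentials, then fetch the
// user's current Google access token from the endpoint above. Hosts and client id are placeholders.
public static class GoogleTokenClient
{
    public static async Task<GoogleAccessToken> GetForUserAsync(HttpClient http, string userId)
    {
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = "https://ids.example.com/connect/token",
            ClientId = "background-worker",
            ClientSecret = "<secret from configuration>",
            Scope = IdentityServerConstants.LocalApi.ScopeName, // "IdentityServerApi"
        });
        if (token.IsError) throw new InvalidOperationException(token.Error);

        http.SetBearerToken(token.AccessToken);
        var json = await http.GetStringAsync($"https://ids.example.com/api/google-token/{userId}");
        return JsonConvert.DeserializeObject<GoogleAccessToken>(json);
    }
}
```

The point of the split is that the long-lived credential (the Google refresh token) stays inside IdentityServer and the second service only ever holds an access token that expires within the hour; if that service is compromised, revoking its client secret in IdentityServer cuts it off without touching the users' Google grants. Restrict the `background-worker` client to the local API scope only, and note that an `invalid_grant` from Google's token endpoint means the user revoked access and has to re-consent.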

1 Answer


Your best bet was to use Hybrid Flow, where the refresh token is stored in your service DB directly. IDS is just a proxy here and is not responsible for storing a refresh token not issued by itself.

akhileshcoer