I'm developing a Hosted Blazor WASM application that uses Strava's OAuth for authentication. Because I don't want to store the access and refresh tokens in the browser, I am using Duende.BFF.
My program.cs is configured like this:

```csharp
services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookie";
    options.DefaultChallengeScheme = "oidc";
    options.DefaultSignOutScheme = "oidc";
})
.AddCookie("cookie", options =>
{
    options.Cookie.Name = "__Host-blazor";
    options.Cookie.SameSite = SameSiteMode.Strict;
})
.AddOAuth("oidc", options =>
{
    options.ClientId = "clientid";
    options.ClientSecret = "clientsecret";
    options.AuthorizationEndpoint = "https://www.strava.com/oauth/authorize";
    options.TokenEndpoint = "https://www.strava.com/api/v3/oauth/token";
    options.CallbackPath = "/bff/callback";
    options.Scope.Add("activity:read_all,read_all");
    options.SaveTokens = true;
});
```
This works perfectly fine, but Strava does something extra after exchanging the token for the access and refresh token. The response looks like this:
```json
{
  "token_type": "Bearer",
  "expires_at": 1568775134,
  "expires_in": 21600,
  "refresh_token": "e5n567567...",
  "access_token": "a4b945687g...",
  "athlete": {
    #{summary athlete representation}
  }
}
```
I'd like to add the athlete property to the user claims, but I don't see a way to do this currently.
I did try extending these endpoints:

```csharp
services.AddTransient<ILoginService, DefaultLoginService>();
services.AddTransient<IUserService, DefaultUserService>();
```
But I think this is already too late in the chain, because the original response isn't accessible here anymore.
Is there a way to extend this somewhere? I tried looking in the Duende.BFF source code but I couldn't figure out where the access and refresh tokens are set.
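As an added illustration (not part of the question, and not Duende.BFF's own code), the point where the raw token response is still available is the OAuth handler's `OnCreatingTicket` event: it runs inside the `AddOAuth` handler after the token exchange and before the ticket is handed to the cookie scheme, and `context.TokenResponse.Response` is the parsed JSON body of the token endpoint reply. The claim type `strava:athlete` and the mapping of `athlete.id` to `NameIdentifier` are assumptions for the example.

```csharp
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OAuth;

// Goes inside the existing .AddOAuth("oidc", options => { ... }) block.
options.Events = new OAuthEvents
{
    OnCreatingTicket = context =>
    {
        // TokenResponse.Response is the JsonDocument of the token endpoint reply;
        // it is disposed by the handler afterwards, so copy what you need out of it
        // (GetRawText / GetInt64 return independent values).
        JsonElement? root = context.TokenResponse.Response?.RootElement;
        if (root is { } r
            && r.TryGetProperty("athlete", out JsonElement athlete)
            && athlete.ValueKind == JsonValueKind.Object)
        {
            // Keep the whole athlete object as one claim (claim type is an assumption).
            // Caveat: the cookie ticket carries every claim, so large objects bloat
            // the cookie; if you only need a few fields, map those instead.
            context.Identity?.AddClaim(
                new Claim("strava:athlete", athlete.GetRawText(), "json"));

            // Also surface the stable athlete id as the user identifier.
            if (athlete.TryGetProperty("id", out JsonElement id)
                && id.ValueKind == JsonValueKind.Number)
            {
                context.Identity?.AddClaim(
                    new Claim(ClaimTypes.NameIdentifier, id.GetInt64().ToString()));
            }
        }

        return Task.CompletedTask;
    }
};
```

Because the claims are added before the ticket is stored, they are visible to anything downstream that reads the authenticated user; the access and refresh tokens themselves stay in the ticket's authentication properties via `SaveTokens` and are not copied into claims.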