Can no longer add access token information to request parameters when customizing IOpenIdConnectUserTokenEndpoint when refreshing the token

[simona-aveva]

Previsouly, the IUserTokenEndpointService interface (now renamed IOpenIdConnectUserTokenEndpoint in 4.x) RefreshAccessTokenAsync function accepted a UserToken, which allowed me to add AccessToken information to the request parameters before performing the refresh, e.g

if (userToken.AccessToken != null)
{
    request.Parameters.Add("xxxx", userToken.AccessToken);
}

The new interface only accepts the UserRefreshToken, and I cannot call GetUserAccessTokenAsync from RefreshAccessTokenAsync as this would result in recursion (the token needs refreshing!).
I believe I can customize the IUserTokenStore and add the AccessToken to the parameters which would then get passed to RefreshAccessTokenAsync but this seems a bit convoluted. Is there any other way of doing this? Any help would be much appreciated.

[maartenba]

@simona-aveva this seems similar to https://github.com/orgs/DuendeSoftware/discussions/463, can you have a look? If similar indeed, an additional extension point is on its way to support this scenario.

[simona-aveva]

No this is a different interface than the one affecting me. Specifically, my issue is the change from IUserTokenEndpointService.RefreshAccessTokenAsync, which used to take a UserToken, to IOpenIdConnectUserTokenEndpoint.RefreshAccessTokenAsync, which now takes a UserRefreshToken.

[simona-aveva]

As mentioned previously, I added

if (tokenForParameters.Token?.TokenForSpecifiedParameters?.AccessToken != null)
{
    parameters.Context.Add("AccessToken", tokenForParameters.Token.TokenForSpecifiedParameters.AccessToken.ToString());
}

at the end of my custom implementation of IUserTokenStore.GetTokenAsync and then extracted that in my custom IOpenIdConnectUserTokenEndpoint.RefreshAccessTokenAsync implementation before the RequestRefreshTokenAsync call

var accessToken = parameters.Context["AccessToken"].FirstOrDefault();
if (accessToken != null)
{
    request.Parameters.Add("id_token_hint", accessToken);
}

and now I can refresh my token.
So the workaround works, but still seems convoluted.

[maartenba]

After chatting with @Erwinvandervalk on this. One general observation is that id_token_hint should not contain the access token, but the id token.

You also may want to look into ITokenRequestCustomizer of Duende Access Token Management rather than extending the token endpoint in BFF. For example:

public class MyTokenRequestCustomizer(IHttpContextAccessor context) : ITokenRequestCustomizer
{
    public async Task<TokenRequestParameters> Customize(HttpRequestContext httpRequest, TokenRequestParameters baseParameters,
        CancellationToken cancellationToken = default)
    {
        // you can add the id token as the id token hint to the token request as follows:
        var idToken = await context.HttpContext!.GetTokenAsync("id_token");
        baseParameters.Parameters.Add("id_token_hint", idToken ?? "");

        // you can also get the access token here, 
        var accessToken = await context.HttpContext!.GetTokenAsync("access_token");
        return baseParameters;
    }
}

Here's a branch with an example (in the 'web' sample): https://github.com/DuendeSoftware/foss/blob/ev/atm/use-id-token-hint/access-token-management/samples/Web/Startup.cs#L158

[simona-aveva]

Thanks for the advice about the Id token, I have corrected it in my code. I also send a 'previous_token' parameter in the RefreshTokenRequest which is the access token, I assume this is why it works.
My only niggle is that this pipeline will run with every token request (Bff is polling every 30 secs) whereas before 'cause we had it inline it would only be used when the token needed refreshing and was available directly. Either way it is still a much nicer fix than my previous attempt.