I have an ASP.NET Core 8 MVC app. It consumes an external API that uses OAuth authorization.
In some action method of my controller, I need to obtain some data from the API. So I first make a request to a URL to obtain a token, then make another request to an endpoint of the API, including the obtained access token as a bearer token in a header of the request (using HttpClient).
Note: the obtained token is valid for an hour.
This is working OK, but how can I maintain the obtained token between requests to my ASP.NET Core MVC app? Right now, I am just obtaining a new token every time my action method is called.
I am thinking of saving the token into the user session, but is this a correct/safe way to maintain the token between requests to my app?
By the way: as of now I am creating an instance of HttpClient in the action method, but I am planning on using IHttpClientFactory with typed clients... will that make any difference regarding this question?
1 Answer
I would recommend that you use Duende.AccessTokenManagement to cache and acquire new access tokens. You usually want to renew your access tokens on a regular basis.
This blog post Improving ASP.NET Core Security By Putting Your Cookies On A Diet is also a good read about using a SessionStore to store the cookie content.
IHttpClientFactory with typed client to add token to request. – Zhi Lv Commented yesterday
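As an added example (not code from the question, the answer, or Duende.AccessTokenManagement), here is a hand-written handler that keeps one token in server memory and renews it shortly before expiry, so it never goes into the user session or a cookie. It assumes the token belongs to the application rather than to each user, that the API uses the client-credentials grant with a standard `access_token`/`expires_in` JSON response, and the names `TokenOptions`, `CachedTokenHandler` and `ExternalApiClient` are hypothetical.

```csharp
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json.Serialization;

// Hypothetical settings type; load the secret from configuration, not source code.
public sealed record TokenOptions(string TokenUrl, string ClientId, string ClientSecret);

public sealed record TokenResponse(
    [property: JsonPropertyName("access_token")] string AccessToken,
    [property: JsonPropertyName("expires_in")] int ExpiresIn);

// Registration in Program.cs (ExternalApiClient stands for your typed client):
//   builder.Services.AddSingleton(new TokenOptions(tokenUrl, clientId, clientSecret));
//   builder.Services.AddTransient<CachedTokenHandler>();
//   builder.Services.AddHttpClient<ExternalApiClient>()
//                   .AddHttpMessageHandler<CachedTokenHandler>();
public sealed class CachedTokenHandler(IHttpClientFactory factory, TokenOptions opt)
    : DelegatingHandler
{
    private sealed record Entry(string Token, DateTimeOffset RenewAt);

    // Handlers are transient, so the cached token is static: shared by all requests.
    private static readonly SemaphoreSlim Gate = new(1, 1);
    private static volatile Entry? _cached;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", await GetTokenAsync(ct));
        return await base.SendAsync(request, ct);
    }

    private async Task<string> GetTokenAsync(CancellationToken ct)
    {
        if (_cached is { } hit && DateTimeOffset.UtcNow < hit.RenewAt) return hit.Token;
        await Gate.WaitAsync(ct); // only one caller refreshes; the rest wait and reuse
        try
        {
            if (_cached is { } again && DateTimeOffset.UtcNow < again.RenewAt) return again.Token;
            using var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials", // assumed grant type
                ["client_id"] = opt.ClientId,
                ["client_secret"] = opt.ClientSecret,
            });
            using var resp = await factory.CreateClient().PostAsync(opt.TokenUrl, form, ct);
            resp.EnsureSuccessStatusCode();
            var body = await resp.Content.ReadFromJsonAsync<TokenResponse>(ct)
                ?? throw new InvalidOperationException("Empty token response.");
            // Renew 60 seconds before the stated lifetime ends.
            _cached = new Entry(body.AccessToken, DateTimeOffset.UtcNow.AddSeconds(body.ExpiresIn - 60));
            return body.AccessToken;
        }
        finally { Gate.Release(); }
    }
}
```

If the token is instead issued per user, a single shared entry like this would hand one user's token to another, so the cache would have to be keyed by user.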