I am trying to have both grant types in OAuth 2.0, because I need to set up some of my API methods to use client credentials, since those are used in service-to-service connections, and for some others I need to set up the authorization grant type, since it is used for user-to-service connections. My OAuth token provider is the Azure Identity service and the API is built in .NET Core.

Gary Archer

This is possible by creating two different clients. In both cases the clients will manage authentication according to their flow, then get an access token with which to call the API. The API owner should also design scopes that clients request.

The API's first job should be to validate a JWT access token on every request. You could use the Microsoft middleware to do this:

// Startup-style registration of JWT bearer authentication.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

private void ConfigureOAuth(IServiceCollection services)
{
    services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            // OpenID Connect metadata endpoint of the token issuer; the
            // middleware downloads the signing keys (JWKS) it points to.
            options.Authority = this.configuration.MetadataEndpoint;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Placeholders: for Azure AD v2.0 tokens the issuer is
                // https://login.microsoftonline.com/{tenantId}/v2.0 and the
                // audience is the API's client ID or application ID URI.
                ValidIssuer = "myissuer",
                ValidAudience = "myaudience"
            };
        });
}

Your API controllers will then receive a ClaimsPrincipal with which you implement authorization. You can use authorization policies for this, to check you have the right scopes and claims for the current operation:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// The policy name must match one registered with services.AddAuthorization(...);
// the middleware rejects the request before this method runs if it fails.
[HttpGet("{id}/transactions")]
[Authorize(Policy = "mypolicy")]
public async Task<Transactions> GetTransactionsAsync(string id)
{
    // Implementation goes here
}
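As an added example (not code from the answer above or from Microsoft), here is a complete minimal-API Program.cs that validates tokens from both clients with one JWT bearer registration and then separates the two grant types with authorization policies. It relies on the Microsoft identity platform convention that delegated (authorization code) tokens carry consented scopes in the `scp` claim, while app-only (client credentials) tokens carry app roles in the `roles` claim and no `scp`. The configuration keys under `AzureAd`, the scope name `Transactions.Read`, the app role `Transactions.Reconcile`, the policy names and the routes are all assumptions made for this example.

```csharp
// Program.cs for an ASP.NET Core minimal API (.NET 6 or later).
// Package: Microsoft.AspNetCore.Authentication.JwtBearer.
// Assumed (not from the original post): the "AzureAd" configuration keys,
// the scope "Transactions.Read", the app role "Transactions.Reconcile",
// and the policy and route names below.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

var tenantId = builder.Configuration["AzureAd:TenantId"];
var audience = builder.Configuration["AzureAd:Audience"]; // API client ID or App ID URI
var issuer = $"https://login.microsoftonline.com/{tenantId}/v2.0";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The metadata document under this authority points at the JWKS
        // from which the handler fetches (and rotates) signing keys.
        options.Authority = issuer;
        // Keep the raw JWT claim names ("scp", "roles") instead of the
        // legacy SOAP-style names the handler maps to by default.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            RoleClaimType = "roles",
            NameClaimType = "name",
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Delegated tokens (authorization code flow): the scopes the user
    // consented to arrive as one space-separated string in "scp".
    options.AddPolicy("DelegatedTransactionsRead", p => p
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => TokenClaims.HasScope(ctx.User, "Transactions.Read")));

    // App-only tokens (client credentials flow): no "scp"; the permissions
    // granted to the calling application appear as app roles in "roles".
    options.AddPolicy("AppOnlyReconcile", p => p
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => TokenClaims.IsAppOnly(ctx.User)
                              && ctx.User.IsInRole("Transactions.Reconcile")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// User-to-service endpoint: only a delegated token with the scope passes.
app.MapGet("/accounts/{id}/transactions", (string id, ClaimsPrincipal user) =>
        Results.Ok(new { accountId = id, caller = user.FindFirst("oid")?.Value }))
    .RequireAuthorization("DelegatedTransactionsRead");

// Service-to-service endpoint: only an app-only token with the app role passes.
app.MapPost("/internal/reconcile", (ClaimsPrincipal user) =>
        Results.Ok(new { callingApp = user.FindFirst("azp")?.Value }))
    .RequireAuthorization("AppOnlyReconcile");

app.Run();

static class TokenClaims
{
    // "scp" is a single space-separated string, not one claim per scope,
    // so a substring match would be wrong; split and compare whole tokens.
    public static bool HasScope(ClaimsPrincipal user, string scope) =>
        (user.FindFirst("scp")?.Value ?? string.Empty)
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .Contains(scope, StringComparer.Ordinal);

    // Treat a token as app-only only if it has no "scp" AND at least one app
    // role. Any application in the tenant can obtain a token for this API's
    // audience with neither claim; such a token must not pass as a service.
    public static bool IsAppOnly(ClaimsPrincipal user) =>
        !user.HasClaim(c => c.Type == "scp") && user.HasClaim(c => c.Type == "roles");
}
```

The two policies are what keep the grant types apart: a delegated token from the interactive client never satisfies `AppOnlyReconcile` because it carries `scp`, and a client-credentials token never satisfies `DelegatedTransactionsRead` because it has no `scp`. If an endpoint should accept both callers, add a third policy whose assertion is the OR of the two helpers. For a more explicit signal than the presence or absence of `scp`, Azure AD can be configured to emit the optional `idtyp` claim, which is `app` for app-only tokens; the helper above would then check that claim instead.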