Last post May 18, 2020 10:24 AM by mgebhard
May 18, 2020 01:44 AM|KeithP
I am creating an IHostedService by implementing the BackgroundService interface for a service that will run on an IIS server. This service is going to call other API endpoints that have various authentication and authorization schemes. One in particular requires using OAuth Authorization Code.
I need some advice on how to manage the authentication and refresh tokens for this service. Since this service will be running in the background and not have user interaction, I will have to seed the authentication and refresh tokens, and my plan is to store these in an Azure Key Vault. The background service will then manage updating the tokens and storing them in Key Vault when they become expired. So, two main questions:
1. Does this approach of storing the authentication and refresh tokens in Key Vault seem like a feasible and secure approach?
2. Since this one API needs human interaction to get the initial authentication and refresh tokens, are there any suggestions on how to seed this information in Key Vault?
Any suggestions are very much welcome. Thanks in advance for your assistance.
May 18, 2020 10:24 AM|mgebhard
The OAuth specification has security flows specifically designed for machine-to-machine communication. There should be no reason for user interaction. The running service will have the access and refresh token in memory. There is no good reason to persist the access token, and the only good reason to store the refresh token is if you expect the service to restart.
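The following is an added example, not code from either poster, sketching the approach the reply describes: a BackgroundService that obtains its access token with the OAuth 2.0 client credentials grant (a machine-to-machine flow, not the authorization code flow the question mentions) and keeps the token only in memory, re-requesting it shortly before expiry. The configuration keys (`OAuth:TokenEndpoint`, `OAuth:ClientId`, `OAuth:ClientSecret`, `OAuth:Scope`, `DownstreamApi:Url`) are hypothetical, and the client secret is assumed to reach `IConfiguration` through the Azure Key Vault configuration provider rather than being written by the service.

```csharp
// Added example (not from the thread). Assumes the client credentials grant is
// available for the downstream API and that OAuth:* / DownstreamApi:* keys are
// present in configuration (hypothetical names; secret assumed to be loaded
// from Key Vault by the configuration provider).
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public sealed class ApiPollingService : BackgroundService
{
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly IConfiguration _config;
    private readonly ILogger<ApiPollingService> _logger;

    // Access token is held in memory only; nothing is persisted to disk or Key Vault.
    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public ApiPollingService(IHttpClientFactory httpClientFactory,
                             IConfiguration config,
                             ILogger<ApiPollingService> logger)
    {
        _httpClientFactory = httpClientFactory;
        _config = config;
        _logger = logger;
    }

    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        while (!stoppingToken.IsCancellationRequested)
        {
            try
            {
                var token = await GetAccessTokenAsync(stoppingToken);
                var client = _httpClientFactory.CreateClient();
                client.DefaultRequestHeaders.Authorization =
                    new AuthenticationHeaderValue("Bearer", token);

                // Placeholder downstream endpoint taken from configuration.
                using var response = await client.GetAsync(_config["DownstreamApi:Url"], stoppingToken);
                _logger.LogInformation("Downstream call returned {Status}", response.StatusCode);
            }
            catch (Exception ex) when (!(ex is OperationCanceledException))
            {
                // Log and keep the loop alive; a failed iteration must not stop the host.
                _logger.LogError(ex, "Polling iteration failed");
            }

            await Task.Delay(TimeSpan.FromMinutes(5), stoppingToken);
        }
    }

    // Returns the cached token, or requests a new one when it is within
    // 60 seconds of expiry. Only ExecuteAsync calls this, so no locking is needed.
    private async Task<string> GetAccessTokenAsync(CancellationToken ct)
    {
        if (_accessToken != null && DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-60))
            return _accessToken;

        var client = _httpClientFactory.CreateClient();
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = _config["OAuth:ClientId"],
            ["client_secret"] = _config["OAuth:ClientSecret"],
            ["scope"] = _config["OAuth:Scope"],
        });

        using var response = await client.PostAsync(_config["OAuth:TokenEndpoint"], form, ct);
        response.EnsureSuccessStatusCode();

        using var stream = await response.Content.ReadAsStreamAsync();
        using var doc = await JsonDocument.ParseAsync(stream, cancellationToken: ct);
        var root = doc.RootElement;

        _accessToken = root.GetProperty("access_token").GetString();

        // expires_in is optional in RFC 6749; fall back to a short lifetime if absent
        // or not numeric so the token is refreshed rather than used past expiry.
        var expiresIn = root.TryGetProperty("expires_in", out var e) && e.ValueKind == JsonValueKind.Number
            ? e.GetInt32()
            : 300;
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresIn);
        return _accessToken;
    }
}
```

Register it in `Startup.ConfigureServices` with `services.AddHttpClient();` and `services.AddHostedService<ApiPollingService>();`. Because the client credentials grant issues a fresh token from the client secret on every start, there is no refresh token to seed and nothing token-shaped to store; the only secret the service depends on is the client secret, which is the piece Key Vault is suited to hold.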