Does ASP.NET Core feature a built-in OAuth2 token exchange?

Question

I'm building an ASP.NET Core application and using FusionAuth as my authentication server. I'm trying to implement this authorization grant workflow , with an SPA using JWT bearer tokens. To summarize, once the user authenticates with FusionAuth, the frontend is supposed to redirect to the backend server with an authorization code. My backend server then needs to receive this code at a special endpoint. Inside this endpoint it will perform a call to FusionAuth again, but this time with the client secret which only the server will possess. In turn, FusionAuth will send back an authorization token in the form of a JWT and a refresh token, which my server then needs to return back to the frontend.

I've looked at the .AddOAuth method, and having read the code it seems capable of performing the token exchange. However, it also has a lot of logic involving challenges and login/logout. This makes me think it's supposed to be used for cookie-based server-side authentication, like you would find with Razor pages.

All I want to do is set up my server to be this authentication intermediary. It looks like .AddOAuth() might do this for me, but it may not be intended for this purpose. I can't find any examples of folks using .AddJwt(...) and .AddOAuth(...) in conjunction. Is there a mechanism in ASP.NET Core that performs the token exchange?

Answer 1

Have you tried using IdentityModel? It's not part of ASP.NET Core, but it is open source. I found it useful when implementing the authorization code grant in ASP.NET core.

Here is some documentation that may be helpful:

https://identitymodel.readthedocs.io/en/latest/aspnetcore/web.html

Answer 2

The short answer is yes - see Introduction to Identity on Asp.NET CORE . There are lots of flavors of OAuth 2, which means it can be configured in many ways. You will need to read the docs.