OAuth token management with background service

  • Question

  • User400981850 posted

    I am creating an IHostedService by implementing the BackgroundService interface for a service that will run on an IIS server.  This service is going to call other api endpoints that have various authentication and authorization schemes.  One in particular requires using OAuth Authentication Code.

    I need some advice on how to manage the authentication and refresh tokens for this service.  Since this service will be running in the background and not having user interaction, I will have to seed the authentication and refresh tokens and my plan is to store these in an Azure KeyVault.  The background service will then manage updating the tokens and storing them in Key Vault when they become expired.  So, two main questions:

    1.  Does this approach of storing the authentication and refresh tokens in Key Vault seem like a feasible and secure approach?

    2.  Since this one API needs human interaction to get the initial authentication and refresh tokens, are there any suggestions on how to seed this information in Key Vault?

    Any suggestions are very much welcome.  Thanks in advance for your assistance.

    Monday, May 18, 2020 1:44 AM

All replies

  • User475983607 posted

    The OAuth specification has security flows specifically designed for machine to machine communication.  There should be no reason for user interaction.  The running service will have the access and refresh token in memory.  There is no good reason to persist the access token, and the only good reason to store the refresh token is you expect the service to restart.

    Monday, May 18, 2020 10:24 AM
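Putting the two posts together (a human seeds the refresh token into Key Vault once, the access token lives only in memory, and the stored secret is rewritten only when the authorization server rotates it), here is an added example worker in C#; it is not code from either poster, and the vault URL, secret name, token endpoint and environment variable names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Hosting;
// Hypothetical worker: access token in memory only; refresh token read from Key Vault at startup, written back only when rotated.
public sealed class OAuthTokenWorker : BackgroundService
{
    private const string RefreshSecretName = "partner-api-refresh-token";        // assumed secret name
    private const string TokenEndpoint = "https://auth.example.com/oauth/token";  // placeholder endpoint
    private readonly SecretClient _vault = new(new Uri("https://example-vault.vault.azure.net/"), new DefaultAzureCredential()); // placeholder vault
    private readonly HttpClient _http = new();
    private string? _accessToken;                                // never persisted; sent as "Authorization: Bearer" on partner calls
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue; // forces a refresh on the first loop
    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        // Seeded once by a human who completed the authorization-code flow interactively.
        string refreshToken = (await _vault.GetSecretAsync(RefreshSecretName, cancellationToken: stoppingToken)).Value.Value;
        while (!stoppingToken.IsCancellationRequested)
        {
            if (DateTimeOffset.UtcNow >= _expiresAt - TimeSpan.FromMinutes(2)) // refresh early; never send an expired token
            {
                var form = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    ["grant_type"] = "refresh_token",
                    ["refresh_token"] = refreshToken,
                    ["client_id"] = Environment.GetEnvironmentVariable("OAUTH_CLIENT_ID") ?? "",         // assumed env vars
                    ["client_secret"] = Environment.GetEnvironmentVariable("OAUTH_CLIENT_SECRET") ?? "",
                });
                using var resp = await _http.PostAsync(TokenEndpoint, form, stoppingToken);
                resp.EnsureSuccessStatusCode();
                var token = await resp.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: stoppingToken) ?? throw new InvalidOperationException("empty token response");
                _accessToken = token.access_token;
                _expiresAt = DateTimeOffset.UtcNow.AddSeconds(token.expires_in);
                // A rotated refresh token must be persisted, or the next restart cannot recover without a human.
                if (!string.IsNullOrEmpty(token.refresh_token) && token.refresh_token != refreshToken)
                {
                    refreshToken = token.refresh_token;
                    await _vault.SetSecretAsync(RefreshSecretName, refreshToken, stoppingToken);
                }
            }
            await Task.Delay(TimeSpan.FromMinutes(1), stoppingToken);
        }
    }
    private sealed record TokenResponse(string access_token, int expires_in, string? refresh_token);
}
```

If the process dies between the token response and SetSecretAsync, Key Vault still holds the superseded refresh token, so a failed refresh after restart should be logged and alerted on: that is the moment a human has to seed the secret again.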