
Document the OAuth 2.0 Token Exchange flow and its implementation in OpenIddict

Open · kevinchalet opened this issue 7 months ago · 1 comment

Confirm you've already contributed to this project or that you sponsor it

  • [x] I confirm I'm a sponsor or a contributor

Describe the solution you'd like

See https://github.com/openiddict/openiddict-core/issues/1249.

Additional context

See https://github.com/openiddict/openiddict-documentation/issues/164 for a related item.

kevinchalet avatar Jun 03 '25 03:06 kevinchalet

@kevinchalet Reading the OIDC docs to check the setup, don't we need antiforgery along the way for the OAuth 2.0 Token Exchange with PKCE? At least that is what I would read from the official OAuth 2.0 standard.

And by replicating that same code, I am getting a lint warning on `MapControllers(`. Is that on purpose?

[image: screenshot of the lint warning on MapControllers]

https://documentation.openiddict.com/guides/getting-started/creating-your-own-server-instance

And I am missing a little information about if and how we are meant to place HttpsRedirection and Hsts. Yes, this is mainly an ASP.NET Core thing, but as you already don't list AddAuthorization, I don't know if you call this internally? Because normally, referring to their docs, I would add that Authorization. With the redirection and HSTS I am not even sure which of the two they recommend, but you include none of them for creating that server instance for our client app, so maybe there is a recommendation? The Imynusoph.Server project is for example using that:

https://github.com/openiddict/openiddict-samples/blob/dev/samples/Imynusoph/Imynusoph.Server/Startup.cs

And I could not find how or if we can also use `AddCookies(` alongside OpenIddict. Can we? I would assume that ASP.NET Core would throw me an exception if you call AddAuthentication internally in the AddServer section and I then call it again, just to also add cookies 😅 I would like to avoid exceptions ;)

Very few (2) of the samples in your samples repos, besides the WinUI3 sample you mentioned today, call the `SetAuthorizationEndpointUris(` method for AllowAuthorizationCodeFlow, which makes me curious whether the others do not have an authorization endpoint and only a token endpoint? These are the ones I found:

https://github.com/openiddict/openiddict-samples/blob/dev/samples/Mortis/Mortis.Server/Startup.cs
https://github.com/openiddict/openiddict-samples/blob/dev/samples/Weytta/Weytta.Server/Startup.cs
https://github.com/openiddict/openiddict-samples/blob/dev/samples/Zirku/Zirku.Server/Program.cs

But as I am trying to use Minimal API, as you have seen, I noticed that you already pointed the one asking about CORS just back to ASP.NET Core. I would read from there that the PassThrough details I am running into with my approach to set up an OAuth2 token exchange server backend, maybe not just as a testing backend but also as a middleware if the system browser opening issue persists blocking me, lead right into that same exception with pass-through...

DevTKSS avatar Aug 17 '25 20:08 DevTKSS
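The comment above asks how HttpsRedirection, HSTS, AddAuthorization, cookie authentication, `SetAuthorizationEndpointUris` and pass-through fit together with `AddOpenIddict().AddServer(...)` in a minimal-API host. The following is an added example written for this page; it is not code from the OpenIddict documentation, the samples repository, or either participant in the thread. It assumes the `OpenIddict.AspNetCore`, `OpenIddict.EntityFrameworkCore` and `Microsoft.EntityFrameworkCore.InMemory` packages are referenced; the in-memory database name, the `/connect/*` and `/login` routes and the hard-coded `demo-user` subject are placeholders chosen for illustration.

```csharp
// Added example (not OpenIddict's own code): minimal-API server wiring cookie
// authentication, HTTPS redirection, HSTS, and an authorization-code + PKCE
// server with pass-through endpoints. Package names and routes are assumptions.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.EntityFrameworkCore;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

var builder = WebApplication.CreateBuilder(args);

// HSTS and HTTPS redirection are plain ASP.NET Core middleware, configured here
// by the host, not by OpenIddict. One year is a common production max-age.
builder.Services.AddHsts(options => options.MaxAge = TimeSpan.FromDays(365));

builder.Services.AddDbContext<DbContext>(options =>
{
    options.UseInMemoryDatabase("openiddict-example"); // assumption: in-memory store
    options.UseOpenIddict();                            // registers the OpenIddict entities
});

// The cookie scheme holds the interactive login session. OpenIddict registers its
// own scheme (OpenIddictServerAspNetCoreDefaults.AuthenticationScheme) via
// UseAspNetCore() below; both schemes coexist in the same AddAuthentication pipeline.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options => options.LoginPath = "/login");
builder.Services.AddAuthorization();

builder.Services.AddOpenIddict()
    .AddCore(options => options.UseEntityFrameworkCore().UseDbContext<DbContext>())
    .AddServer(options =>
    {
        // The code flow needs both endpoints: the authorization endpoint issues the
        // code, the token endpoint exchanges it. Without SetAuthorizationEndpointUris
        // only the token endpoint is exposed.
        options.SetAuthorizationEndpointUris("connect/authorize")
               .SetTokenEndpointUris("connect/token");

        options.AllowAuthorizationCodeFlow()
               .RequireProofKeyForCodeExchange(); // reject code requests without PKCE

        options.RegisterScopes(Scopes.OpenId, Scopes.Profile);

        // Development certificates only; production needs real signing/encryption keys.
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

        // Pass-through: OpenIddict validates the request, then the endpoints below run.
        // OpenIddict also rejects non-HTTPS requests by default, so keep TLS on.
        options.UseAspNetCore()
               .EnableAuthorizationEndpointPassthrough()
               .EnableTokenEndpointPassthrough();
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseAspNetCore();
    });

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Placeholder login: a real one validates credentials (and applies antiforgery to
// its form post). Only local return URLs are honoured to avoid an open redirect.
app.MapGet("/login", async (HttpContext context, string? returnUrl) =>
{
    var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
    identity.SetClaim(Claims.Subject, "demo-user"); // assumption: fixed demo subject
    await context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    var target = returnUrl is not null && returnUrl.StartsWith('/') && !returnUrl.StartsWith("//") ? returnUrl : "/";
    return Results.LocalRedirect(target);
});

// Authorization endpoint: needs a cookie session, then hands an identity to
// OpenIddict's scheme, which mints the authorization code.
app.MapMethods("/connect/authorize", new[] { "GET", "POST" }, async (HttpContext context) =>
{
    var request = context.GetOpenIddictServerRequest()
        ?? throw new InvalidOperationException("The OpenIddict server request cannot be retrieved.");

    var session = await context.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    if (session?.Principal is null)
    {
        return Results.Challenge(
            new AuthenticationProperties { RedirectUri = context.Request.Path + context.Request.QueryString },
            new[] { CookieAuthenticationDefaults.AuthenticationScheme });
    }

    var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    identity.SetClaim(Claims.Subject, session.Principal.GetClaim(Claims.Subject));
    identity.SetScopes(request.GetScopes());
    identity.SetDestinations(_ => new[] { Destinations.AccessToken, Destinations.IdentityToken });

    return Results.SignIn(new ClaimsPrincipal(identity), null, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
});

// Token endpoint: only the code grant is enabled above, so anything else is rejected.
// The principal stored in the code is re-issued as access/identity tokens.
app.MapPost("/connect/token", async (HttpContext context) =>
{
    var request = context.GetOpenIddictServerRequest()
        ?? throw new InvalidOperationException("The OpenIddict server request cannot be retrieved.");
    if (!request.IsAuthorizationCodeGrantType())
    {
        return Results.BadRequest("Only the authorization code grant is supported.");
    }

    var result = await context.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    return Results.SignIn(result.Principal!, null, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
});

app.Run();
```

With this wiring, `AddAuthentication().AddCookie()` and `AddOpenIddict().AddServer()` are registered side by side, HSTS is applied only outside Development (the ASP.NET Core default guidance), and `RequireProofKeyForCodeExchange()` makes OpenIddict reject any authorization request that omits the PKCE `code_challenge`.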