BFF v4 - When using IBffServicesBuilder.LoadConfiguration how to specify the equivalent of .WithAccessTokenRetriever?

[pedroduarte0]

Hello,

I am using v4.0.0-rc.1 and programatically for the remote APIs for the frontend setup I can do

.WithAccessTokenRetriever<MultiApiAccessTokenRetriever>()

where MultiApiAccessTokenRetriever is an implementation of IAccessTokenRetriever. Below is a code sample:

IConfigurationRoot bffConfig = new ConfigurationBuilder()
#if DEBUG
    .AddJsonFile(Path.Combine(AppContext.BaseDirectory, "..", "..", "..", "BffConfig.json"), optional: false, reloadOnChange: true)
#else
    .AddJsonFile("BffConfig.json", optional: false, reloadOnChange: true)
#endif
    .Build();

builder.Services
    .AddBff(options =>
    {
        options.LicenseKey = config.LicenseKey;
    })
.ConfigureOpenIdConnect(options =>
{
    options.Authority = "https://idp-here";
    options.ClientId = "clientId";
    options.ClientSecret = "secret";
    options.ResponseType = "code";
    options.ResponseMode = "query";

    options.GetClaimsFromUserInfoEndpoint = true;
    options.SaveTokens = true;
    options.MapInboundClaims = false;

    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("offline_access");
    options.Scope.Add("https://something.onmicrosoft.com/scope1");
    options.Scope.Add("https://something.onmicrosoft.com/scope2");
})
.ConfigureCookies(options =>
{
    options.Cookie.MaxAge = TimeSpan.FromMinutes(5);
    options.Cookie.HttpOnly = true;
    options.Cookie.Path = "/";
    options.Cookie.Name = "__Host";
    options.Cookie.SameSite = SameSiteMode.Strict;
})
    .AddFrontends(
        new BffFrontend(BffFrontendName.Parse("frontend1"))
            .MappedToPath(LocalPath.Parse("/frontend1"))
            .WithRemoteApis(
                    new RemoteApi(LocalPath.Parse("/api1"), new Uri("https://localhost:7260/Api"))
                    .WithAccessToken(RequiredTokenType.User)           // <------------------------------
                    )
            )
    .AddRemoteApis()
    .AddServerSideSessions<RedisUserSessionStore>();

and that works fine.

However, I tried to do using the IBffServicesBuilder.LoadConfiguration from a configuration BffConfig.json, assuming I could specify the token retriever class as "accessTokenRetrieverType": "MultiApiAccessTokenRetriever" :

{
  "defaultOidcSettings": {
    "authority": "https://idp-here",
    "clientId": "clientId",
    "clientSecret": "secret",
    "responseType": "code",
    "responseMode": "query",
    "mapInboundClaims": false,
    "saveTokens": true,
    "scope": [
      "openid",
      "offline_access",
      "https://something.onmicrosoft.com/scope1",
      "https://something.onmicrosoft.com/scope2"
    ],
    "getClaimsFromUserInfoEndpoint": true
  },
  "defaultCookieSettings": {
    "httpOnly": true,
    "sameSite": "Strict",
    "name": "__Host",
    "maxAge": "00:05:00",
    "path": "/",
    "domain": null
  },
  "frontends": {
    "frontend1": {
      "matchingPath": "/frontend1",
      "matchingOrigin": "https://localhost:5013",
      "remoteApis": [
        {
          "localPath": "/api1",
          "targetUri": "https://localhost:7260/Api1",
          "tokenRequirement": "User",
          "accessTokenRetrieverType": "MultiApiAccessTokenRetriever"
        }
      ]
    }
  }
}

The API becomes registered but I see it doesn't have any AccessTokenRetrieverType, when inspecting with this snippet:

var frontendCollection = app.Services.GetRequiredService<IFrontendCollection>();
foreach (var frontend in frontendCollection)
{
    var remoteApis = frontend.GetRemoteApis();
    if (remoteApis.Any())
    {
        foreach (var f in frontendCollection)
        {
            RemoteApi[] ap = frontend.GetRemoteApis();
        }
    }
}

Is it possible to specify a token retriever by configuration?
Thanks

[Erwinvandervalk]

Hi @pedroduarte0 ,

when loading from config, the property name is called TokenRetrieverTypeName. The value should be the types assembly qualified name.

https://learn.microsoft.com/en-us/dotnet/api/system.type.assemblyqualifiedname?view=net-9.0

you should use:

    "tokenRetrieverTypeName": "YourNamespace.MultiApiAccessTokenRetriever, YourAssemblyName"

[wcabus]

While we're at it, you should also update "tokenRequirement": "User" to become "requiredTokenType": "User" instead. A lot of these properties have changed, as documented here 🙂.