Clarify v4 token retrieval and logout extensibility

maartenba · maartenba · commit 044f992166eb · 2026-04-01T16:45:06.000+02:00
diff --git a/astro/src/content/docs/bff/extensibility/management/logout.mdx b/astro/src/content/docs/bff/extensibility/management/logout.mdx
@@ -28,7 +28,7 @@ The `IReturnUrlValidator` ensures that the `returnUrl` parameter passed to the l
 <Tabs syncKey="bffVersion">
     <TabItem label="V4">
         You can customize the behavior of the logout endpoint by implementing the `ProcessRequestAsync` method of the
-        `ILogoutEndpoint` interface. The [default implementation][1]
+        `ILogoutEndpoint` interface. The [default implementation](https://github.com/DuendeSoftware/products/tree/releases/bff/4.0.x/bff/src/Bff/Endpoints/Internal/DefaultLogoutEndpoint.cs)
         can serve as a starting point for your own implementation.
 
         If you want to extend the default behavior of the logout endpoint, you can instead add a custom endpoint and
@@ -50,7 +50,7 @@ app.MapGet(bffOptions.LogoutPath, async (HttpContext context, CancellationToken
 `} />
     </TabItem>
     <TabItem label="V3">
-        `ProcessRequestAsync` is the top-level function called in the endpoint service `DefaultSilentLoginCallbackService`,
+        `ProcessRequestAsync` is the top-level function called in the endpoint service `DefaultLogoutService`,
         and can be used to add arbitrary logic to the endpoint.
 
         For example, you could take whatever actions you need before normal processing of the request like this:
@@ -73,5 +73,3 @@ public override Task ProcessRequestAsync(HttpContext context, CancellationToken
 To prevent open redirector attacks, the `returnUrl` parameter to the logout endpoint must be validated. You can
 customize this validation by implementing the `IReturnUrlValidator` interface. The default implementation enforces
 that return URLs are local.
-
-[1]: https://github.com/DuendeSoftware/products/tree/releases/bff/4.0.x/bff/src/Bff/Endpoints/Internal/DefaultLogoutEndpoint.cs
diff --git a/astro/src/content/docs/bff/extensibility/tokens.md b/astro/src/content/docs/bff/extensibility/tokens.md
@@ -108,7 +108,13 @@ public interface IAccessTokenRetriever
 }
 ```
 
-You can implement this interface yourself or extend the *DefaultAccessTokenRetriever*. The *AccessTokenResult* class represents the result of this operation. It is an abstract class with concrete implementations that represent successfully retrieving a bearer token (*BearerTokenResult*), successfully retrieving a DPoP token (*DPoPTokenResult*), failing to find an optional token (*NoAccessTokenResult*), which is not an error, and failure to retrieve a token (*AccessTokenRetrievalError*). Your implementation of GetAccessTokenAsync should return one of those types.
+You can implement this interface yourself or extend the *DefaultAccessTokenRetriever*. 
+
+:::note
+In Duende BFF v4, *DefaultAccessTokenRetriever* was made `internal`. If you need to customize token retrieval in v4, implement the *IAccessTokenRetriever* interface directly. The default implementation simply calls `context.HttpContext.GetManagedAccessToken()` with the configured token type, so replicating its behavior is straightforward.
+:::
+
+The *AccessTokenResult* class represents the result of this operation. It is an abstract class with concrete implementations that represent successfully retrieving a bearer token (*BearerTokenResult*), successfully retrieving a DPoP token (*DPoPTokenResult*), failing to find an optional token (*NoAccessTokenResult*), which is not an error, and failure to retrieve a token (*AccessTokenRetrievalError*). Your implementation of GetAccessTokenAsync should return one of those types.
 
 Implementations of the *IAccessTokenRetriever* can be added to endpoints when they are mapped using the *WithAccessTokenRetriever* extension method:
 
