Skip to content

Commit 782620e

Browse files
wip
1 parent 99cf7ca commit 782620e

5 files changed

Lines changed: 96 additions & 9 deletions

File tree

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
11
label: 'Advanced'
2-
order: 4
2+
order: 10
33
collapsed: true

src/content/docs/accesstokenmanagement/index.mdx

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,12 @@ The `Duende.AccessTokenManagement` library provides automatic access token manag
1616
- automatic access token lifetime management using a refresh token for API calls on behalf of the currently logged-in user (using the `Duende.AccessTokenManagement.OpenIdConnect` package)
1717
- revocation of access tokens
1818

19+
:::note
20+
Duende.AccessTokenManagement version 4 (currently in preview 2) brings significant improvements, but also several breaking
21+
changes. Please see the [migration guide](/accesstokenmanagement/upgrading/atm-v3-to-v4/) and [release notes](https://github.com/DuendeSoftware/foss/releases/tag/atm-4.0.0-Preview.2).
22+
:::
23+
24+
1925
## Machine-to-machine token management
2026

2127
To get started, install the NuGet Package:
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
label: 'Upgrading'
2+
order: 20
3+
collapsed: true
Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
---
2+
title: "Duende AccessTokenManagement v3.x to v4.0"
3+
description: Guide for upgrading Duende BFF Security Framework from version 3.x to version 4.0, including migration steps for custom implementations and breaking changes.
4+
sidebar:
5+
label: v3.x → v4.0
6+
order: 100
7+
---
8+
9+
## Changes
10+
### Moving Towards HybridCache Implementation and Away from Distributed Cache
11+
12+
Microsoft has recently released HybridCache. While this is only released as a .NET 9 DLL, these assemblies work fine in .NET 8. So, while we still support .NET 8 with ATM 4.0, we are moving towards using HybridCache.
13+
14+
HybridCache brings significant improvements for us. Because of the two-layered cache, we've found it significantly improves performance.
15+
If you currently use a distributed cache, this should still work seamlessly.
16+
17+
If you wish to encrypt access tokens, you can do so by implementing a custom serializer. Documentation on this will follow later.
18+
19+
We have added support for using a custom HybridCache instance via keyed services.
20+
21+
### Complete Internal Refactoring
22+
23+
The library has undergone extensive internal changes—so much so that it can be considered a new implementation under the same conceptual umbrella. Despite this, the public API surface remains mostly compatible with earlier versions.
24+
25+
* New extensibility model (see below).
26+
* All async methods now support cancellation tokens.
27+
* Renaming of certain classes and interfaces (see below).
28+
* Implementation logic is now internal.
29+
30+
#### Reduced Public API Surface
31+
32+
All internal implementation details are now marked as internal, reducing accidental coupling and clarifying the intended extension points. In V3, all classes were public and most public methods were marked as virtual. This meant you could override any class by inheriting from it and overriding a single method.
33+
34+
While this was very convenient for our consumers, it made it very difficult for us to introduce changes to the library without making breaking changes.
35+
36+
We still want to ensure our users' extensibility needs are met, but via more controlled mechanisms. If you find that you have an extensibility need that is not covered by the new model, please raise a discussion in our discussion board. If this is a scenario we want to support, we'll do our best to accommodate it.
37+
38+
### Explicit Extension Model
39+
40+
Instead of relying on implicit behaviors or inheritance, V4 introduces clearly defined extension points, making it easier to customize behavior without relying on internal details.
41+
42+
### Composition Over Inheritance
43+
44+
The `AccessTokenHandler` has been restructured to use composition rather than inheritance, simplifying the customization of token handling and increasing testability.
45+
46+
If you wish to implement a custom access token handling process, for example to implement token exchange, you can now implement your own `AccessTokenRequestHandler.ITokenRetriever`.
47+
48+
### Strongly Typed Configuration
49+
50+
Configuration is now represented by strongly typed objects, improving validation, discoverability, and IDE support.
51+
52+
This means that where before you could assign strings to the configuration system, you'll now have to explicitly parse the string values.
53+
54+
For example:
55+
56+
```csharp
57+
var scheme = Scheme.Parse("oidc");
58+
59+
```
60+
61+
### Renamed classes
62+
Several classes have been renamed, either to make their usage clearer or to drop the 'service' suffix, which only adds noise:
63+
64+
AccessTokenHandler => AccessTokenRequestHandler
65+
ClientCredentialsTokenManagementService => IClientIClientCredentialsTokenManager
66+
IClientCredentialsTokenEndpointService => IClientCredentialsTokenEndpoint
67+
IUserTokenManagementService => IUserTokenManager
68+
ITokenRequestSynchronization => IUserTokenRequestConcurrencyControl
69+
IUserTokenEndpointService => IUserTokenEndpoint

src/content/docs/accesstokenmanagement/web-apps.md

Lines changed: 17 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -12,12 +12,6 @@ redirect_from:
1212
The `Duende.AccessTokenManagement.OpenIdConnect` library automates all the tasks around access token lifetime management for
1313
user-centric web applications.
1414

15-
To use this library, start by adding the library to your .NET projects.
16-
17-
```bash
18-
dotnet add package Duende.AccessTokenManagement.OpenIdConnect
19-
```
20-
2115
While many of the details can be customized, by default the following is assumed:
2216

2317
* ASP.NET Core web application
@@ -26,7 +20,22 @@ While many of the details can be customized, by default the following is assumed
2620
token service
2721
* the token service returns a refresh token
2822

29-
## Setup
23+
## Usage
24+
First, you'll need to add `Duende.AccessTokenManagement.OpenIdConnect` to your solution.
25+
26+
Then, there are two fundamental ways to interact with token management:
27+
1. **Automatic** <Badge text="recommended"/>: You request a http client from the IHTTPClientFactory. This http client automatically requests, optionally renews and attaches the access tokens on each request.
28+
2. **Manually** <Badge text="advanced"/>: You request an access token, which you can then use to (for example) authenticate with services. You are responsible for attaching the access token to requests.
29+
30+
31+
## Adding Duende.AccessTokenManagement.OpenIdConnect
32+
33+
34+
To use this library, start by adding the library to your .NET projects.
35+
36+
```bash
37+
dotnet add package Duende.AccessTokenManagement.OpenIdConnect
38+
```
3039

3140
By default, the token management library will use the ASP.NET Core default authentication scheme for token storage (this
3241
is typically the cookie handler and its authentication session), and the default challenge scheme for deriving token
@@ -90,7 +99,7 @@ builder.Services.AddAuthentication(options =>
9099
builder.Services.AddOpenIdConnectAccessTokenManagement();
91100
```
92101

93-
### HTTP Client Factory
102+
### Automatic via HTTP Client Factory
94103

95104
Similar to the worker service support, you can register HTTP clients that automatically send the access token of the
96105
current user when making API calls. The message handler plumbing associated with those HTTP clients will try to make

0 commit comments

Comments
 (0)