Managing application access tokens in an ASP.NET Core web application. Any application, with or without a signed-in user, can use application access tokens as long as it can persist the tokens and its client secret in a safe way.
An ASP.NET Core web application authenticates users with OpenID Connect, using OpenIddict as the secure token server. The application also needs data from an app-to-app resource, so it uses the OAuth client credentials flow to get an application access token for that API. The client credentials flow can only be used by a confidential client, that is, an application that can keep its client secret safe. This application access token has nothing in common with the delegated access token obtained from the user authentication: it represents the application itself, not a user. The token is requested and persisted once for the application, not once per user, and an in-memory cache is used for this. The application sends the application access token as a bearer token to the API.
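The flow described above, as an added example that is not code from the original post: a service that requests the application access token with the client credentials grant, caches it once per application in `IMemoryCache` with a safety margin before expiry, and an API client that sends it as a bearer token. The token request is written by hand against the standard OAuth token endpoint; the configuration keys (`Sts:Authority`, `Sts:ClientId`, `Sts:ClientSecret`, `Sts:Scope`), the `connect/token` endpoint path and the API URL are assumptions.

```csharp
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Configuration;

// Added example, not the original post's code.
// Requests an application access token (client credentials) and caches it once
// for the whole application. There is no user in this flow, so the cache key
// must not depend on a user or session.
public sealed class ApplicationAccessTokenService
{
    private const string CacheKey = "application-access-token"; // one entry per application, not per user
    private static readonly TimeSpan ExpiryBuffer = TimeSpan.FromSeconds(60); // renew before the STS rejects it

    private readonly IHttpClientFactory _httpClientFactory;
    private readonly IMemoryCache _cache;
    private readonly IConfiguration _configuration;
    private readonly SemaphoreSlim _renewLock = new(1, 1); // avoid parallel token requests on a cache miss

    public ApplicationAccessTokenService(IHttpClientFactory httpClientFactory, IMemoryCache cache, IConfiguration configuration)
    {
        _httpClientFactory = httpClientFactory;
        _cache = cache;
        _configuration = configuration;
    }

    public async Task<string> GetAccessTokenAsync(CancellationToken ct = default)
    {
        if (_cache.TryGetValue(CacheKey, out string? cached) && cached is not null)
            return cached;

        await _renewLock.WaitAsync(ct);
        try
        {
            // Re-check after acquiring the lock: another request may have renewed the token.
            if (_cache.TryGetValue(CacheKey, out cached) && cached is not null)
                return cached;

            // Assumed configuration keys; the secret must come from user secrets or a vault, never from source.
            var authority = _configuration["Sts:Authority"] ?? throw new InvalidOperationException("Sts:Authority missing");
            var tokenEndpoint = new Uri(new Uri(authority.TrimEnd('/') + "/"), "connect/token"); // path is an assumption

            using var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint)
            {
                Content = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    ["grant_type"] = "client_credentials",
                    ["client_id"] = _configuration["Sts:ClientId"]!,
                    ["client_secret"] = _configuration["Sts:ClientSecret"]!,
                    ["scope"] = _configuration["Sts:Scope"]!
                })
            };

            var client = _httpClientFactory.CreateClient();
            using var response = await client.SendAsync(request, ct);
            response.EnsureSuccessStatusCode();

            var token = await response.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct)
                        ?? throw new InvalidOperationException("Empty token response");
            if (string.IsNullOrEmpty(token.AccessToken))
                throw new InvalidOperationException("Token response contained no access_token");

            // Cache for slightly less than the token lifetime so a cached token is never sent after it expired.
            var lifetime = TimeSpan.FromSeconds(token.ExpiresIn) - ExpiryBuffer;
            if (lifetime <= TimeSpan.Zero)
                lifetime = TimeSpan.FromSeconds(token.ExpiresIn);
            _cache.Set(CacheKey, token.AccessToken, lifetime);

            return token.AccessToken;
        }
        finally
        {
            _renewLock.Release();
        }
    }

    private sealed record TokenResponse(
        [property: JsonPropertyName("access_token")] string AccessToken,
        [property: JsonPropertyName("expires_in")] int ExpiresIn,
        [property: JsonPropertyName("token_type")] string? TokenType);
}

// Calls the app-to-app API with the application access token as a bearer token.
public sealed class AppToAppApiClient
{
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly ApplicationAccessTokenService _tokens;

    public AppToAppApiClient(IHttpClientFactory httpClientFactory, ApplicationAccessTokenService tokens)
    {
        _httpClientFactory = httpClientFactory;
        _tokens = tokens;
    }

    public async Task<string> GetDataAsync(CancellationToken ct = default)
    {
        var accessToken = await _tokens.GetAccessTokenAsync(ct);
        using var request = new HttpRequestMessage(HttpMethod.Get, "https://localhost:5001/api/data"); // assumed API URL
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await _httpClientFactory.CreateClient().SendAsync(request, ct);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(ct);
    }
}

// Registration in Program.cs (assumed): the token service is a singleton because the
// token belongs to the application, so one cache entry is shared by every request.
// builder.Services.AddMemoryCache();
// builder.Services.AddHttpClient();
// builder.Services.AddSingleton<ApplicationAccessTokenService>();
// builder.Services.AddScoped<AppToAppApiClient>();
```

The in-memory cache is only appropriate for a single instance; with several instances each one requests its own application token, which is usually acceptable for the client credentials flow. The cached value is kept below the `expires_in` lifetime on purpose, so a token is renewed shortly before the STS would reject it rather than after the first 401.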
- ASP.NET Core user delegated access token management
- ASP.NET Core user application access token management
- ASP.NET Core delegated OAuth Token Exchange access token management
- ASP.NET Core delegated Microsoft OBO access token management (Entra only)
- 2025-12-01 .NET 10
- 2025-09-27 Updates packages
- 2025-08-01 Updates packages
- https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims
- https://www.epochconverter.com/
- Best Current Practice for OAuth 2.0 Security (RFC 9700)
- The OAuth 2.0 Authorization Framework (RFC 6749)
- OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449)
- OAuth 2.0 JWT-Secured Authorization Request (JAR) (RFC 9101)
- OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)
- Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow