Anonymous api calls pre-login

[di1342]

We are using AddUserAccessTokenHttpClient in our client app to create an httpClient for api calls. Some of these initial calls are to anonymous endpoints (minimal api, using .AllowAnonymous() extension). These work fine when everything is running off a localhost with distinct ports for the IS, the apis, and the client app, but are failing in deployed environments, with the error Error requesting access token for client Duende.TokenManagement.SchemeBasedClient:oidc. Error = unauthorized_client, Description: (null) which seems logical enough: can't get an access token if you're not yet authorized! Two-part question:

• what is the correct way to call an httpClient in this situation, if Duende's IS should have any hand in it?
• why wouldn't this show up in an all-localhost environment?

[wcabus]

The Duende.AccessTokenManagement.OpenIdConnect NuGet library works completely separate from Duende IdentityServer: the library merely handles retrieving and refreshing access tokens for your users (or service workers when using client credentials flow).

The correct way to call an HttpClient instance depends on whether or not you have configured a typed client in ASP.NET Core, but there are generally two flavors:

// When not using typed HTTP clients:
public class MyService(IHttpClientFactory httpClientFactory)
{
    public async Task CallApi()
    {
        // Untyped HTTP client called "api_client"
        var client = httpClientFactory.CreateClient("api_client");

        await client.GetAsync("https://api.example.org/some/endpoint");
    }
}

// When using typed HTTP clients:
public class MySecondService(ApiClient apiClient)
{
    public async Task CallApi()
    {
        // Typed HTTP client
        var client = httpClientFactory.CreateClient("api_client");

        await client.GetSomeDataAsync();
    }
}

public class ApiClient(HttpClient httpClient)
{
    public async Task GetSomeDataAsync()
    {
        await client.GetAsync("https://api.example.org/some/endpoint");
    }
}

Whenever you resolve the appropriate HttpClient instance, it has already been wired up to retrieve the access token as long as the client has been configured correctly. Our documentation shows how to configure access token management for both manually resolved HTTP clients as typed HTTP clients.

What is strange, is the error message you're receiving: this error message indicates that you're using a client-credentials token client instead of a user access one as you're mentioning. Could you share how Duende.AccessTokenManagement has been configured in the client application, including the AddOpenIdConnect details?

Please do obfuscate any authority URLs, client ID and client secrets, and sensitive scopes if there are any.

[di1342]

Thanks for another detailed reply. We are not using typed clients, but we are defining clients by name and reusing them per httpClientFactory best practice. Can I invoke a named client created with AddUserAccessTokenHttpClient as a simple CreateClient? Or do I have to create a second one for tokenless (not logged in) calls?
Here is the relevant part of our setup. Didn't require much obfuscation because values are being set from secrets so appear as variables. Pretty sure this all began as Duende boilerplate back in the day.

.AddOpenIdConnect("oidc", options =>
	{
		options.Authority = ISUri;

		options.ClientId = ISClientId;
		options.ClientSecret = ISSecret;
		options.ResponseType = "code";

		options.AccessDeniedPath = "/";

		options.Scope.Clear();
		// IS
		options.Scope.Add("openid");
		options.Scope.Add("profile");
		options.Scope.Add("offline_access");

		// API
		options.Scope.Add(authorizedApiName);

		// claims
		options.Scope.Add("claimtype1");
		options.Scope.Add("claimtype2");
		options.ClaimActions.MapJsonKey("claimtype1_fieldA", "claimtype1_fieldA");
		options.ClaimActions.MapJsonKey("claimtype2_fieldA", "claimtype2_fieldA");
		options.ClaimActions.MapJsonKey("claimtype2_fieldB", "claimtype2_fieldB");

		options.GetClaimsFromUserInfoEndpoint = true;

		options.MapInboundClaims = false; // Don't rename claim types

		options.SaveTokens = true;
	}
);