DuendeSoftware · Erwinvandervalk · Jun 3, 2025 · Apr 8, 2025
diff --git a/Directory.Packages.props b/Directory.Packages.props
diff --git a/bff/bff.slnf b/bff/bff.slnf
@@ -11,6 +11,7 @@
       "bff\\hosts\\Hosts.Bff.DPoP\\Hosts.Bff.DPoP.csproj",
       "bff\\hosts\\Hosts.Bff.EF\\Hosts.Bff.EF.csproj",
       "bff\\hosts\\Hosts.Bff.InMemory\\Hosts.Bff.InMemory.csproj",
+      "bff\\hosts\\Hosts.Bff.MultiFrontend\\Hosts.Bff.MultiFrontend.csproj",
       "bff\\hosts\\Hosts.IdentityServer\\Hosts.IdentityServer.csproj",
       "bff\\hosts\\Hosts.ServiceDefaults\\Hosts.ServiceDefaults.csproj",
       "bff\\hosts\\RemoteApis\\Hosts.RemoteApi.DPoP\\Hosts.RemoteApi.DPoP.csproj",
@@ -30,4 +31,4 @@
       "bff\\test\\Hosts.Tests\\Hosts.Tests.csproj"
     ]
   }
-}
+}
diff --git a/bff/docs/.$Bff Multi Frontend.svg.dtmp b/bff/docs/.$Bff Multi Frontend.svg.dtmp
diff --git a/bff/docs/Bff Multi Frontend.svg b/bff/docs/Bff Multi Frontend.svg
diff --git a/...ts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Hosts.Bff.Blazor.PerComponent.csproj b/...ts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Hosts.Bff.Blazor.PerComponent.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net9.0</TargetFramework>

diff --git a/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Program.cs b/bff/hosts/Blazor/PerComponent/Hosts.Bff.Blazor.PerComponent/Program.cs
@@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
+using Duende.AccessTokenManagement.OpenIdConnect;
 using Duende.Bff;
 using Duende.Bff.AccessTokenManagement;
 using Duende.Bff.Blazor;
@@ -98,7 +99,7 @@
 app.MapBffManagementEndpoints();
 
 app.MapRemoteBffApiEndpoint("/remote-apis/user-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.User);
+    .WithAccessToken(RequiredTokenType.User);
 
 app.MapRazorComponents<App>()
     .AddInteractiveServerRenderMode()

diff --git a/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly/Properties/launchSettings.json b/bff/hosts/Blazor/WebAssembly/Hosts.Bff.Blazor.WebAssembly/Properties/launchSettings.json
@@ -6,10 +6,10 @@
       "dotnetRunMessages": true,
       "launchBrowser": false,
       "inspectUri": "{wsProtocol}://{url.hostname}:{url.port}/_framework/debug/ws-proxy?browser={browserInspectUri}",
-      "applicationUrl": "https://localhost:5005",
+      "applicationUrl": "https://localhost:5006",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
     }
   }
-}
+}
diff --git a/bff/hosts/Directory.Build.props b/bff/hosts/Directory.Build.props
@@ -18,6 +18,8 @@
 
       -->
     <TargetFramework>net9.0</TargetFramework>
+    <IsBffProject>true</IsBffProject>
+
   </PropertyGroup>
   <Import Project="../../samples.props" />
 </Project>
diff --git a/bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj b/bff/hosts/Hosts.AppHost/Hosts.AppHost.csproj
@@ -15,34 +15,28 @@
   </ItemGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\Hosts.ServiceDefaults\Hosts.ServiceDefaults.csproj"
-      IsAspireProjectResource="false" />
+    <ProjectReference Include="..\Hosts.Bff.MultiFrontend\Hosts.Bff.MultiFrontend.csproj" />
+    <ProjectReference Include="..\Hosts.ServiceDefaults\Hosts.ServiceDefaults.csproj" IsAspireProjectResource="false" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\..\migrations\UserSessionDb\UserSessionDb.csproj" />
     <ProjectReference Include="..\RemoteApis\Hosts.RemoteApi.DPoP\Hosts.RemoteApi.DPoP.csproj" />
-    <ProjectReference
-      Include="..\RemoteApis\Hosts.RemoteApi.Isolated\Hosts.RemoteApi.Isolated.csproj" />
+    <ProjectReference Include="..\RemoteApis\Hosts.RemoteApi.Isolated\Hosts.RemoteApi.Isolated.csproj" />
     <ProjectReference Include="..\RemoteApis\Hosts.RemoteApi\Hosts.RemoteApi.csproj" />
     <ProjectReference Include="..\Hosts.Bff.DPoP\Hosts.Bff.DPoP.csproj" />
     <ProjectReference Include="..\Hosts.Bff.EF\Hosts.Bff.EF.csproj" />
     <ProjectReference Include="..\Hosts.Bff.InMemory\Hosts.Bff.InMemory.csproj" />
-    <ProjectReference
-      Include="..\Blazor\PerComponent\Hosts.Bff.Blazor.PerComponent.Client\Hosts.Bff.Blazor.PerComponent.Client.csproj" />
-    <ProjectReference
-      Include="..\Blazor\PerComponent\Hosts.Bff.Blazor.PerComponent\Hosts.Bff.Blazor.PerComponent.csproj" />
-    <ProjectReference
-      Include="..\Blazor\WebAssembly\Hosts.Bff.Blazor.WebAssembly.Client\Hosts.Bff.Blazor.WebAssembly.Client.csproj" />
-    <ProjectReference
-      Include="..\Blazor\WebAssembly\Hosts.Bff.Blazor.WebAssembly\Hosts.Bff.Blazor.WebAssembly.csproj" />
+    <ProjectReference Include="..\Blazor\PerComponent\Hosts.Bff.Blazor.PerComponent.Client\Hosts.Bff.Blazor.PerComponent.Client.csproj" />
+    <ProjectReference Include="..\Blazor\PerComponent\Hosts.Bff.Blazor.PerComponent\Hosts.Bff.Blazor.PerComponent.csproj" />
+    <ProjectReference Include="..\Blazor\WebAssembly\Hosts.Bff.Blazor.WebAssembly.Client\Hosts.Bff.Blazor.WebAssembly.Client.csproj" />
+    <ProjectReference Include="..\Blazor\WebAssembly\Hosts.Bff.Blazor.WebAssembly\Hosts.Bff.Blazor.WebAssembly.csproj" />
     <ProjectReference Include="..\Hosts.IdentityServer\Hosts.IdentityServer.csproj" />
 
 
     <ProjectReference Include="..\..\templates\src\BffLocalApi\BffLocalApi.csproj" />
     <ProjectReference Include="..\..\templates\src\BffRemoteApi\BffRemoteApi.csproj" />
-    <ProjectReference
-      Include="..\..\templates\src\BffBlazorAutoRenderMode\BffBlazorAutoRenderMode\BffBlazorAutoRenderMode.csproj" />
+    <ProjectReference Include="..\..\templates\src\BffBlazorAutoRenderMode\BffBlazorAutoRenderMode\BffBlazorAutoRenderMode.csproj" />
 
   </ItemGroup>
 

diff --git a/bff/hosts/Hosts.AppHost/Program.cs b/bff/hosts/Hosts.AppHost/Program.cs
@@ -18,6 +18,16 @@
     .WithAwaitedReference(api)
     ;
 
+var bffMulti = builder.AddProject<Projects.Hosts_Bff_MultiFrontend>(AppHostServices.BffMultiFrontend)
+    .WithExternalHttpEndpoints()
+    .WithUrl("https://app1.localhost:5005", "https://app1.localhost:5005")
+    .WithUrl("https://localhost:5005/with-path", "https://localhost/with-path")
+    .WithAwaitedReference(idServer)
+    .WithAwaitedReference(isolatedApi)
+    .WithAwaitedReference(api)
+    ;
+
+
 var bffEf = builder.AddProject<Projects.Hosts_Bff_EF>(AppHostServices.BffEf)
     .WithExternalHttpEndpoints()
     .WithAwaitedReference(idServer)
@@ -48,11 +58,13 @@
 
 idServer
     .WithReference(bff)
+    .WithReference(bffMulti)
     .WithReference(bffEf)
     .WithReference(bffBlazorPerComponent)
     .WithReference(bffBlazorWebAssembly)
     .WithReference(apiDPop)
-    .WithReference(bffDPop);
+    .WithReference(bffDPop)
+    ;
 
 builder.AddProject<BffLocalApi>(AppHostServices.TemplateBffLocal, launchProfileName: null)
     .WithHttpsEndpoint(5300, name: "bff-local");
@@ -62,6 +74,8 @@
 
 builder.AddProject<BffBlazorAutoRenderMode>(AppHostServices.TemplateBffBlazor);
 
+
+
 builder.Build().Run();
 
 public static class Extensions

diff --git a/bff/hosts/Hosts.AppHost/Properties/launchSettings.json b/bff/hosts/Hosts.AppHost/Properties/launchSettings.json
@@ -4,7 +4,7 @@
     "https": {
       "commandName": "Project",
       "dotnetRunMessages": true,
-      "launchBrowser": true,
+      "launchBrowser": false,
       "applicationUrl": "https://localhost:17052;http://localhost:15279",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development",

diff --git a/bff/hosts/Hosts.Bff.DPoP/Extensions.cs b/bff/hosts/Hosts.Bff.DPoP/Extensions.cs
@@ -3,6 +3,7 @@
 
 using System.Security.Cryptography;
 using System.Text.Json;
+using Duende.AccessTokenManagement.OpenIdConnect;
 using Duende.Bff;
 using Duende.Bff.AccessTokenManagement;
 using Duende.Bff.Yarp;
@@ -31,7 +32,7 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
                         {
                             Path = "/yarp/user-token/{**catch-all}"
                         }
-                    }.WithAccessToken(TokenType.User).WithAntiforgeryCheck(),
+                    }.WithAccessToken(RequiredTokenType.User).WithAntiforgeryCheck(),
                     new RouteConfig()
                     {
                         RouteId = "client-token",
@@ -41,7 +42,7 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
                         {
                             Path = "/yarp/client-token/{**catch-all}"
                         }
-                    }.WithAccessToken(TokenType.Client).WithAntiforgeryCheck(),
+                    }.WithAccessToken(RequiredTokenType.Client).WithAntiforgeryCheck(),
                     new RouteConfig()
                     {
                         RouteId = "user-or-client-token",
@@ -51,7 +52,7 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
                         {
                             Path = "/yarp/user-or-client-token/{**catch-all}"
                         }
-                    }.WithAccessToken(TokenType.UserOrClient).WithAntiforgeryCheck(),
+                    }.WithAccessToken(RequiredTokenType.UserOrClient).WithAntiforgeryCheck(),
                     new RouteConfig()
                     {
                         RouteId = "anonymous",
@@ -61,7 +62,8 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
                         {
                             Path = "/yarp/anonymous/{**catch-all}"
                         }
-                    }.WithAntiforgeryCheck()
+                    }
+                        .WithAntiforgeryCheck()
             },
             new[]
             {
@@ -83,7 +85,7 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
                 var jwkKey = JsonWebKeyConverter.ConvertFromSecurityKey(rsaKey);
                 jwkKey.Alg = "PS256";
                 var jwk = JsonSerializer.Serialize(jwkKey);
-                options.DPoPJsonWebKey = jwk;
+                options.DPoPJsonWebKey = DPoPProofKey.Parse(jwk);
             })
             .AddRemoteApis()
             .AddServerSideSessions();
@@ -183,21 +185,21 @@ private static void MapRemoteUrls(IEndpointRouteBuilder app)
     {
         // On this path, we use a client credentials token
         app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5011")
-            .RequireAccessToken(TokenType.Client);
+            .WithAccessToken(RequiredTokenType.Client);
 
         // On this path, we use a user token if logged in, and fall back to a client credentials token if not
         app.MapRemoteBffApiEndpoint("/api/user-or-client-token", "https://localhost:5011")
-            .RequireAccessToken(TokenType.UserOrClient);
+            .WithAccessToken(RequiredTokenType.UserOrClient);
 
         // On this path, we make anonymous requests
         app.MapRemoteBffApiEndpoint("/api/anonymous", "https://localhost:5011");
 
         // On this path, we use the client token only if the user is logged in
         app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5011")
-            .WithOptionalUserAccessToken();
+            .WithAccessToken(RequiredTokenType.UserOrNone);
 
         // On this path, we require the user token
         app.MapRemoteBffApiEndpoint("/api/user-token", "https://localhost:5011")
-            .RequireAccessToken();
+            .WithAccessToken();
     }
 }
diff --git a/bff/hosts/Hosts.Bff.DPoP/Properties/launchSettings.json b/bff/hosts/Hosts.Bff.DPoP/Properties/launchSettings.json
@@ -1,9 +1,9 @@
-{
+{
   "profiles": {
     "Bff.DPoP": {
       "commandName": "Project",
       "dotnetRunMessages": true,
-      "launchBrowser": true,
+      "launchBrowser": false,
       "applicationUrl": "https://localhost:5003",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"

diff --git a/bff/hosts/Hosts.Bff.EF/Extensions.cs b/bff/hosts/Hosts.Bff.EF/Extensions.cs
@@ -108,7 +108,7 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
         // user or client access token will be attached in API call
         // user access token will be managed automatically using the refresh token
         app.MapRemoteBffApiEndpoint("/api", "https://localhost:5010")
-            .RequireAccessToken(TokenType.UserOrClient);
+            .WithAccessToken(RequiredTokenType.UserOrClient);
 
         return app;
     }

diff --git a/bff/hosts/Hosts.Bff.EF/Properties/launchSettings.json b/bff/hosts/Hosts.Bff.EF/Properties/launchSettings.json
@@ -1,13 +1,13 @@
-{
+{
   "profiles": {
     "Bff.EntityFramework": {
       "commandName": "Project",
       "dotnetRunMessages": true,
-      "launchBrowser": true,
+      "launchBrowser": false,
       "applicationUrl": "https://localhost:5004",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
     }
   }
-}
+}
diff --git a/bff/hosts/Hosts.Bff.InMemory/Extensions.cs b/bff/hosts/Hosts.Bff.InMemory/Extensions.cs
@@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
+using Duende.AccessTokenManagement.OpenIdConnect;
 using Duende.Bff;
 using Duende.Bff.AccessTokenManagement;
 using Duende.Bff.Configuration;
@@ -128,34 +129,34 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 
         // On this path, we use a client credentials token
         app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-            .RequireAccessToken(TokenType.Client);
+            .WithAccessToken(RequiredTokenType.Client);
 
         // On this path, we use a user token if logged in, and fall back to a client credentials token if not
         app.MapRemoteBffApiEndpoint("/api/user-or-client-token", "https://localhost:5010")
-            .RequireAccessToken(TokenType.UserOrClient);
+            .WithAccessToken(RequiredTokenType.UserOrClient);
 
         // On this path, we make anonymous requests
         app.MapRemoteBffApiEndpoint("/api/anonymous", "https://localhost:5010");
 
         // On this path, we use the client token only if the user is logged in
         app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-            .WithOptionalUserAccessToken();
+            .WithAccessToken(RequiredTokenType.UserOrNone);
 
         // On this path, we require the user token
         app.MapRemoteBffApiEndpoint("/api/user-token", "https://localhost:5010")
-            .RequireAccessToken();
+            .WithAccessToken();
 
         // On this path, we perform token exchange to impersonate a different user
         // before making the api request
         app.MapRemoteBffApiEndpoint("/api/impersonation", "https://localhost:5010")
-            .RequireAccessToken()
+            .WithAccessToken()
             .WithAccessTokenRetriever<ImpersonationAccessTokenRetriever>();
 
         // On this path, we obtain an audience constrained token and invoke
         // a different api that requires such a token
         app.MapRemoteBffApiEndpoint("/api/audience-constrained", "https://localhost:5012")
-            .RequireAccessToken()
-            .WithUserAccessTokenParameter(new BffUserAccessTokenParameters(resource: "urn:isolated-api"));
+            .WithAccessToken()
+            .WithUserAccessTokenParameter(new BffUserAccessTokenParameters { Resource = Resource.Parse("urn:isolated-api") });
 
         return app;
     }

diff --git a/bff/hosts/Hosts.Bff.InMemory/ImpersonationAccessTokenRetriever.cs b/bff/hosts/Hosts.Bff.InMemory/ImpersonationAccessTokenRetriever.cs
@@ -9,9 +9,9 @@ namespace Bff;
 
 public class ImpersonationAccessTokenRetriever(IAccessTokenRetriever inner) : IAccessTokenRetriever
 {
-    public async Task<AccessTokenResult> GetAccessToken(AccessTokenRetrievalContext context)
+    public async Task<AccessTokenResult> GetAccessTokenAsync(AccessTokenRetrievalContext context, CancellationToken ct = default)
     {
-        var result = await inner.GetAccessToken(context);
+        var result = await inner.GetAccessTokenAsync(context, ct);
 
         if (result is BearerTokenResult bearerToken)
         {
@@ -26,18 +26,28 @@ public async Task<AccessTokenResult> GetAccessToken(AccessTokenRetrievalContext
 
                 SubjectToken = bearerToken.AccessToken,
                 SubjectTokenType = OidcConstants.TokenTypeIdentifiers.AccessToken
-            });
+            }, cancellationToken: ct);
             if (exchangeResponse.AccessToken is null)
             {
-                return new NoAccessTokenReturnedError("Token exchanged failed. Access token is null");
+                return new AccessTokenRetrievalError
+                {
+                    Error = "Token exchanged failed. Access token is null"
+                };
             }
 
             if (exchangeResponse.IsError)
             {
-                return new AccessTokenRetrievalError($"Token exchanged failed: {exchangeResponse.ErrorDescription}");
+                return new AccessTokenRetrievalError
+                {
+                    Error = exchangeResponse.Error ?? "Failed to get access token",
+                    ErrorDescription = exchangeResponse.ErrorDescription
+                };
             }
 
-            return new BearerTokenResult(exchangeResponse.AccessToken);
+            return new BearerTokenResult
+            {
+                AccessToken = AccessToken.Parse(exchangeResponse.AccessToken)
+            };
         }
 
         return result;

diff --git a/bff/hosts/Hosts.Bff.InMemory/Properties/launchSettings.json b/bff/hosts/Hosts.Bff.InMemory/Properties/launchSettings.json
@@ -1,9 +1,9 @@
-{
+{
   "profiles": {
     "Bff": {
       "commandName": "Project",
       "dotnetRunMessages": true,
-      "launchBrowser": true,
+      "launchBrowser": false,
       "applicationUrl": "https://localhost:5002",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"