
OAuth2 flows using Refit with Asp Net Core 2.1


Well, I have a WebApi using Asp Net Core 2.1 that has some secured endpoints, so I have the following:

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = configuration["Authorization:Domain"];
        options.Audience = configuration["Authorization:ApiIdentifier"];
        // Both settings default to true when absent from configuration; turning either one off
        // weakens token validation, so keep such overrides for local development only.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateLifetime = configuration["Authorization:ValidateLifetime"] == null
                ? true
                : bool.Parse(configuration["Authorization:ValidateLifetime"])
        };
        options.RequireHttpsMetadata = configuration["Authorization:RequireHttpsMetadata"] == null
            ? true
            : bool.Parse(configuration["Authorization:RequireHttpsMetadata"]);
    });

This works very well when someone calls my API; the validation is OK. I'm using http://auth0.com/ as the authorization provider.

Now I need to call other APIs that have secured endpoints too, using an Authorization: Bearer token (JWT). The flow I should use in this case is Client Credentials. So I have these steps:

  1. Someone calls my API
  2. My API validates the JWT using auth0.com as the authorization provider
  3. I need to call another API, so I'm using the Refit library

My Refit interface:

    public interface IUserInfoApi
    {
        [Get("/api/v2/users/{userId}")]
        [Headers("Authorization: Bearer")]
        Task<UserInfoDto> GetUserInfoAsync(string userId);
    }

And I created a handler to add the Bearer token to my request:

    // refit apis
    services.AddRefitClient<IUserInfoApi>()
        .AddHttpMessageHandler<AuthorizationMessageHandler>()
        .ConfigureHttpClient(c => c.BaseAddress = new Uri(configuration["Api:UserInfo"]));

And my handler:

    public class AuthorizationMessageHandler : DelegatingHandler
    {
        // JWT_TOKEN is obtained elsewhere (the manual part described below); the handler only copies it into the header
        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancelToken)
        {
            HttpRequestHeaders headers = request.Headers;
            AuthenticationHeaderValue authHeader = headers.Authorization;
            // Refit's [Headers("Authorization: Bearer")] leaves a placeholder here; replace it with the real token
            if (authHeader != null)
                headers.Authorization = new AuthenticationHeaderValue(authHeader.Scheme, JWT_TOKEN);
            return await base.SendAsync(request, cancelToken);
        }
    }

This works, but I think it is too manual and error-prone:

  1. There are a lot of OAuth2 flows to implement manually to generate a token (client credentials, implicit flow, authorization code flow and others).
  2. I have to implement the refresh-token logic.
  3. I have to implement some logic to reuse the token while its expiration time is still valid, instead of generating a new token every time (hitting the /token endpoint every time without need).

I worked a lot with the Spring Security framework, and I could just say: "Spring, I'm using OAuth here, so insert the Bearer token in every HTTP request, please". Spring intercepts all requests that I set in configuration and the OAuth flow is respected (Client Credentials, Authorization Code Flow, and others); it's transparent for me, I don't need to waste my time on it.

Is there any way to do this in Asp Net Core 2.1, or do I need to implement the token generation flow manually?
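As an added example (this is not code from the original post, and not Refit's or Auth0's own code), one way to get the caching and refresh behaviour the question asks for in Asp Net Core 2.1 with the packages it already uses (Microsoft.Extensions.Http, Refit.HttpClientFactory, Newtonsoft.Json). The class names ClientCredentialsOptions, ClientCredentialsTokenProvider and OAuthClientRegistration, the "Authorization:ClientCredentials" configuration section and the "token-endpoint" named client are assumptions for this example; IUserInfoApi is the Refit interface from the post. The token request follows Auth0's /oauth/token endpoint, which accepts the client-credentials grant as a JSON body including the audience.

```csharp
// Added example (not from the original post); class, config-section and client names are assumptions.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Newtonsoft.Json.Linq;
using Refit;

public class ClientCredentialsOptions
{
    public string TokenEndpoint { get; set; }   // e.g. https://{tenant}.auth0.com/oauth/token
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }    // from user-secrets or a vault, never committed
    public string Audience { get; set; }        // API identifier of the downstream API
    public TimeSpan RefreshMargin { get; set; } = TimeSpan.FromSeconds(60);
}

// Singleton: HttpClientFactory rebuilds handler chains periodically, so a cache kept
// inside the DelegatingHandler would be discarded and the token endpoint hit again.
public class ClientCredentialsTokenProvider
{
    private readonly IHttpClientFactory _factory;
    private readonly ClientCredentialsOptions _opt;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _token;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public ClientCredentialsTokenProvider(IHttpClientFactory factory, IOptions<ClientCredentialsOptions> opt)
    { _factory = factory; _opt = opt.Value; }

    public async Task<string> GetAccessTokenAsync(CancellationToken ct)
    {
        if (IsFresh()) return _token;
        await _gate.WaitAsync(ct).ConfigureAwait(false);   // one refresh at a time
        try
        {
            if (IsFresh()) return _token;                 // another caller refreshed while we waited
            // Auth0 accepts the client-credentials grant as a JSON body that includes "audience".
            var body = new JObject
            {
                ["grant_type"] = "client_credentials", ["client_id"] = _opt.ClientId,
                ["client_secret"] = _opt.ClientSecret, ["audience"] = _opt.Audience
            }.ToString();
            // Named client WITHOUT AuthorizationMessageHandler, or the token call would recurse.
            var client = _factory.CreateClient("token-endpoint");
            using (var content = new StringContent(body, System.Text.Encoding.UTF8, "application/json"))
            using (var resp = await client.PostAsync(_opt.TokenEndpoint, content, ct).ConfigureAwait(false))
            {
                resp.EnsureSuccessStatusCode();
                var json = JObject.Parse(await resp.Content.ReadAsStringAsync().ConfigureAwait(false));
                _token = (string)json["access_token"];
                _expiresAt = DateTimeOffset.UtcNow.AddSeconds((int)json["expires_in"]);
                return _token;
            }
        }
        finally { _gate.Release(); }
    }

    // Called when the downstream API rejects the token (e.g. revoked before expires_in elapsed).
    public void Invalidate() => _expiresAt = DateTimeOffset.MinValue;

    // Refresh ahead of expiry so clock skew at the resource server does not produce 401s.
    private bool IsFresh() => _token != null && DateTimeOffset.UtcNow + _opt.RefreshMargin < _expiresAt;
}

public class AuthorizationMessageHandler : DelegatingHandler
{
    private readonly ClientCredentialsTokenProvider _tokens;
    public AuthorizationMessageHandler(ClientCredentialsTokenProvider tokens) => _tokens = tokens;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var token = await _tokens.GetAccessTokenAsync(ct).ConfigureAwait(false);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await base.SendAsync(request, ct).ConfigureAwait(false);
        if ((int)response.StatusCode == 401)
            _tokens.Invalidate();   // next call gets a fresh token; an HttpRequestMessage cannot be re-sent
        return response;
    }
}

public static class OAuthClientRegistration
{
    public static void Register(IServiceCollection services, IConfiguration configuration)  // Startup.ConfigureServices
    {
        services.Configure<ClientCredentialsOptions>(configuration.GetSection("Authorization:ClientCredentials"));
        services.AddHttpClient("token-endpoint");                 // plain client used only for /oauth/token
        services.AddSingleton<ClientCredentialsTokenProvider>();  // one shared token cache
        services.AddTransient<AuthorizationMessageHandler>();     // message handlers must be transient
        services.AddRefitClient<IUserInfoApi>()
            .ConfigureHttpClient(c => c.BaseAddress = new Uri(configuration["Api:UserInfo"]))
            .AddHttpMessageHandler<AuthorizationMessageHandler>();
    }
}
```

With this wiring the `[Headers("Authorization: Bearer")]` attribute on the Refit interface is no longer needed, since the handler sets the header itself. Two caveats worth keeping in mind: the handler does not replay a request after a 401 (a sent HttpRequestMessage cannot be reused; it only invalidates the cache so the next call fetches a new token), and a client-credentials token represents your API, not the caller from step 1, so the downstream API sees your service's identity rather than the end user's.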

