Hi Harry Lau,

Sorry for the late reply. If I understand you correctly, I think I agree! Allow me to elaborate:

Frankly, it depends. Assume an enterprise environment where domain services are built to be used by various applications in the landscape. In that case, in fact, using "traditional" session authentication would do just fine.

I can also think of other cases where the identity of the end-user needs to be forwarded to down-stream services. In that case, in contrast to traditional session authentication, you would need to store the access token somewhere (and renew it every once in a while) to be able to forward it.

There are various ways of doing just this. In this article i pointed out a .net based solution, but there are various others:

* GoCloudNative.Bff

* OAuth2Proxy

* Duende.BFF

* And several others...

For session auth in .net you could use standard authentication middleware. Also, i think Easy Auth is an interesting option to consider if you are running your app on Azure.

Hope this answers your question?