Hi, we have a problem: our Angular client needs to have access to two different APIs based on Azure B2C (both have different scopes). B2C has a policy that each resource (scope) must have its own token, so we can't use one access token to authorize two different APIs.
Our suggestion is to support B2C multi-scopes, which will generate a token for each scope. We are conscious that it's a lot of effort on your side, so we propose to prepare that solution and create a pull request during next week.
What do you think about that idea?
@paszkowskik
Sounds great, thanks. I think this could be implemented pretty easily. The first login requests the id_token token (one scope). Then the app could request a second token using the token endpoint, which needs to be implemented in this lib.
Opinion?
Greetings Damien
I am not sure that I understand your vision, can you explain it more?
Hopefully I understood correctly :)
You need 2 access tokens, one per API. The first access token can be got by doing the id_token token flow. Only one token per scope. Then after a successful login, you can use this access_token and request a second token using the OIDC token endpoint, which returns the second token with the other scope.
The package would then need to support the OIDC token endpoint and then you would need to add application logic. This would be an extra HTTP request after a successful login. And you continue to use standard OIDC flows? Just a suggestion.
What were you thinking?
Greetings Damien
Now we understand it clearly. The solution that you propose is simple and exactly what we need. Only one more problem is how to handle the scopes config (maybe it should have names like key-value) and the correlation of a concrete scope with a concrete access token.
Can you provide the features that you described in the previous post?
Yes, but it might take a while; I'm very busy at my day job. Will try to get it done before Xmas, unless you do a PR first.
Thanks for the feedback.
Greetings Damien
Great, so we are waiting for a future release. It would be nice to have that feature after New Year. Thank you
@paszkowskik Just 1 thing: you should check if the B2C STS supports this first. Is it possible to config the token endpoint in this way? I will implement this using IdentityServer4 as the STS. If we use the OIDC token endpoint, it should work without any further changes.
Yes, we will check it today to be sure about a possible implementation via the /token endpoint.
It seems like B2C is not the same as IdentityServer4, because probably we cannot use the /token endpoint to get an access token for another scope. We are still analysing how it works in B2C. Currently we have to put that work on hold, because from tomorrow everyone has holidays until New Year.
Could you tell us which grant type you would use in that case?
@paszkowskik Sorry, missed this issue...
Do you still have questions here?
Greetings Damien
Hi, sorry for the late answer. We changed the library a few months ago. We experienced a problem with token refresh; especially on IE it hung up the whole app during token refresh for 3 seconds. It was because the whole app was loaded into an iframe (it shouldn't work like that). We changed to a library where silent refresh is implemented correctly.