In a SPA environment using IdentityServer4 and OIDC-Client, what's the most secure approach to do the following with multiple external providers?
Essentially, if a user logs in with Google I need to log into my internal system and create new claims. This has to be done server-side post-third-party callback. What's the most secure configuration within IdentityServer4 to do this in a SPA?
Flow:
- User logs into Google in SPA (call oidcManager.signinRedirect)
- Google redirects back to SPA (call new Oidc.UserManager().signinRedirectCallback)
- Send JWT back to IdentityServer4 (but which mechanism to use?). If the user exists in the internal system, return a new JWT with my custom claims that OIDCManager can manage (replacing the external one). If the user does not exist in the internal system, redirect to the login page where the resource owner credential flow takes over.
For #3, I'd like to use what IdentityServer4 already provides instead of rolling my own endpoint. Is this scenario easily supported?
Essentially, I need to complete this but not sure how IdentityServer4 would handle this scenario:
// Note: the UserManager must be created with the same settings object used for
// signinRedirect(), otherwise the callback cannot validate state/nonce.
new Oidc.UserManager(settings).signinRedirectCallback().then(function (externalUser) {
    // TODO: pass externalUser to IdentityServer4 endpoint where it's exchanged for internal user
    window.location = "../Spa/Index";
}).catch(function (e) {
    console.error(e);
});
In addition to the login flow, what's the most secure approach to do a token refresh with multiple external providers. I'm assuming I need to refresh the external token periodically in case my own internal token expires.
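For step 3 of the flow above, an added example (not from the original post) of the pattern IdentityServer4 supports out of the box: the external provider calls back to IdentityServer4 rather than to the SPA, and the server maps the external identity to internal claims before the SPA receives any token. `ILocalUserStore`, `LocalUser`, and the `scheme`/`returnUrl` items stored by the Challenge action are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical store: maps (provider, providerUserId) to a local subject and its claims.
public class LocalUser { public string SubjectId; public string DisplayName; public Claim[] Claims; }
public interface ILocalUserStore { Task<LocalUser> FindByExternalProviderAsync(string provider, string providerUserId); }

public class ExternalController : Controller
{
    private readonly ILocalUserStore _users;
    public ExternalController(ILocalUserStore users) => _users = users;

    // Reached via the ASP.NET Core external handler's redirect, never called by the SPA.
    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // The external handler stored the provider's identity in IdentityServer's temporary cookie.
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return BadRequest("External authentication failed");

        // Assumed: the Challenge action saved these items (and validated returnUrl) before redirecting.
        var provider = result.Properties.Items["scheme"];
        var returnUrl = result.Properties.Items["returnUrl"] ?? "~/";

        var providerUserId = (result.Principal.FindFirst(JwtClaimTypes.Subject)
                              ?? result.Principal.FindFirst(ClaimTypes.NameIdentifier))?.Value;
        if (providerUserId == null) return BadRequest("External identity has no subject claim");

        var user = await _users.FindByExternalProviderAsync(provider, providerUserId);
        if (user == null)
        {
            // Unknown external user: discard the temporary identity and fall back to local login.
            await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
            return RedirectToAction("Login", "Account", new { returnUrl });
        }

        // Establish the local IdentityServer session carrying the internal claims; the
        // provider's token stays server-side and the SPA only ever sees IdentityServer's tokens.
        var isUser = new IdentityServerUser(user.SubjectId)
        {
            DisplayName = user.DisplayName,
            IdentityProvider = provider,
            AdditionalClaims = user.Claims.ToList()
        };
        await HttpContext.SignInAsync(isUser, new AuthenticationProperties());
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        // returnUrl is the /connect/authorize request the SPA started, so the pipeline
        // completes and oidc-client receives IdentityServer's own token in its callback.
        return Redirect(returnUrl);
    }
}
```

With this arrangement the SPA refreshes only IdentityServer4's token (oidc-client silent renew); it never holds the external provider's token, so there is nothing external to refresh client-side.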