This is my current setup:

  • IdentityServer4
  • API (Bearer authentication)
  • SPA page (oidc-client implicit flow redirected to IdentityServer4 Quickstart UI)
  • Native application (written in C#)

The native application already has the user's credentials. I want to provide a web link to the SPA page from the native application, but I don't want to force the user to log in again when navigating to the web. Instead I want to move their current session to the web page.

Is it possible to "inject" the access token into the oidc-client (using a URL fragment)? Or is there any other flow or way to make this work?

user1112634

1 Answer

In general the answer should be: you are on the wrong way.
Look: you use the resource owner password flow in your native app, and that's wrong. It's not interactive, meaning not only the IdP has access to the credentials. In general such a flow is recommended for test purposes etc., not for general use. One huge limitation of the non-interactive flow is that it does not create a user session. If you switch your native app to an interactive flow such as the Code flow with the PKCE extension, it will create the session. After that your other app will get authenticated automatically whenever the session cookie for IdentityServer is alive.
NB: If you don't like to improve your architecture, you are free to do whatever you like, including providing a token in the link. That token will still be valid for calling the API. But that will not be the implicit flow; you will not have a session, nor the possibility to use the silent refresh feature.

d_f
  • Agreed. This is the correct way to do it if you want SSO between those two client applications. – mackie Mar 21 '19 at 18:18
  • Thank you both for your input! If there would be only one "user account" for all users in the system (for this specific service), could the client credentials flow with the native application (shared secret with the idsrv) and sending the access token to the SPA work without breaking any best practices? – user1112634 Mar 22 '19 at 10:33
  • Hmm... sounds strange. When two people know a secret, it's not a secret anymore, so why do you need any real security system in that case? Hard to understand what you really need without seeing the whole scenario. But, yes, you may use client credentials to authorize your apps and skip user authentication at all. – d_f Mar 22 '19 at 12:35
  • Tested a bit with client credentials, but it won’t work since you can’t set a subject in the access token. We already have our API, Idsrv (with authentication against our own internal user accounts) and the SPA. The “native application” is another department’s legacy application, that will use one of our own user accounts for all of their users. And it’s from this application they have to access our SPA. The legacy application will always have the credentials for this account. – user1112634 Mar 22 '19 at 13:28
  • Well, so you need to pass the sub claim to your SPA? You can implement that with a delegation pattern, described in the idsrv docs. But looking at your strange configuration, I don't think you really need that. You can just continue with "resource owner password" and pass the token to your SPA, as you wanted from the beginning. Just keep in mind, you'll never have a real user session in your app unless the IdP provides it for you. – d_f Mar 22 '19 at 13:46
  • @d_f Yes, the configuration is quite strange; however, it's only a temporary solution for now. Thank you for all the help in this matter. – user1112634 Mar 22 '19 at 14:30