3

I had an application that does authentication of a user and stores the access token generated based on client_id #1 securely. Now in a second application I need an access token based on client_id #2 without the user needing to log in.

What are the ways to generate an access_token based on a client id if an access token is available for another application?

Roll no1
  • Is there a possibility to use SSO through the browser? If that's the case, you can share the user's login and omit the re-login – Kavindu Dodanduwa Dec 12 '19 at 19:08
  • If it can be done through a browser, it can be replicated through an API. Can you elaborate on what I actually need to do here? – Roll no1 Dec 13 '19 at 10:10

1 Answer

1

No, you can't generate your own access token (OK, you can, but every proper OIDC implementation will ignore it, because the token won't be signed properly by the IdP key, so it can't be verified). The access token is always created and signed by the Identity Provider (Okta in your case).

However, if both clients are in the same realm (realm is a Keycloak term; Okta may use a different term: domain, pool, whatever), then they share the IdP session. So if the user is logged in via client_id#1 (the IdP session is in place) and you initiate the login procedure via client_id#2, the user won't be asked to log in again and an access token will be issued by the IdP in a jiffy*. That is the single sign-on feature of the OIDC protocol.

*That's not applicable in some special edge cases, e.g.: direct access grants were used for the client_id#1 login, consent is required, ...

Jan Garaj
  • I am not generating the access token on my own. The token will be generated by the IdP (Okta here). As you mentioned, both of these applications are under the same domain, so we can use the session token to get a new access token based on the client id. Will it be good practice/process to follow for the OIDC flow? – Roll no1 Dec 18 '19 at 08:16
  • @Rollno1 I'm confused. So what is the problem? You already have everything you need. – Jan Garaj Dec 18 '19 at 08:19
  • My apologies if confusion was created. The problem is how to handle the expiry of the session token? I can renew the access token using a refresh token, while there is no way available to refresh the session token if it has expired. – Roll no1 Dec 18 '19 at 09:45
  • What is a `Session token`? – Jan Garaj Dec 18 '19 at 11:10
  • A session token is a one-time bearer token that provides proof of authentication and may be redeemed for an interactive SSO session in Okta in a user agent. Session tokens can only be used once to establish a session for a user and are revoked when the token expires. https://developer.okta.com/docs/reference/api/sessions/#session-token – Roll no1 Dec 18 '19 at 14:07
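An added example, not from the question, the answer or Okta's own code, of the silent re-login the answer describes: the second client sends a normal OIDC authorization request carrying state, nonce and PKCE, with prompt=none (an OIDC parameter the answer does not mention) so the IdP reuses its existing session instead of showing a login UI, and the callback handler treats login_required as the expired-session case raised in the comments. The issuer, redirect URI and client id are constructed placeholders; in practice the endpoint comes from the IdP's discovery document.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for this example, not real tenant values.
ISSUER = "https://example.okta.com/oauth2/default"
REDIRECT_URI = "https://app2.example.com/callback"


def build_silent_auth_request(client_id: str) -> dict:
    """Authorization request for the second client (client_id#2).

    state binds the callback to this request, nonce binds the ID token to it,
    and PKCE (code_verifier/code_challenge) binds the code to this client
    instance. prompt=none tells the IdP to answer from its existing session
    and never render a login page.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "prompt": "none",
    }
    return {"url": f"{ISSUER}/v1/authorize?{urlencode(params)}",
            "state": state, "nonce": nonce, "code_verifier": verifier}


def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Classify the IdP's redirect back to REDIRECT_URI."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        # Reject: response not bound to a request we issued (CSRF / mix-up).
        return {"status": "rejected", "reason": "state mismatch"}
    if "code" in q:
        # Exchange the code at the token endpoint together with code_verifier.
        return {"status": "ok", "code": q["code"]}
    if q.get("error") in ("login_required", "interaction_required", "consent_required"):
        # IdP session expired or consent is needed: repeat without prompt=none
        # so the user sees the login/consent page once.
        return {"status": "needs_interaction", "reason": q["error"]}
    return {"status": "rejected", "reason": q.get("error", "unknown")}
```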