Implement OpenID Connect without oidc-client-js

1
votes

I am busy integrating a new React front end with a .net Core API, using Identity Server 4.

The flow type we are using is Resource Owner Password Credentials.

There are two reasons I do not wish to use oidc-client-js:

  1. It is 433 KB
  2. It does not support our flow type

At the moment I am able to get the discovery document and login using the token_endpoint. The return after I login contains: access_token, expires_in and token_type but not session_state.

I am currently attempting to replicate the CheckSessionIFrame as can be seen in the oidc-client-js repository.
It is constructed with callback, client_id, url & interval and started by passing in the session_state.

My problem is that I cannot figure out how to get the session_state from Identity Server 4.

  1. I would appreciate any advice on the situation as a whole.
  2. Can you explain to me how I can get the session_state?

Many thanks
Charles

1
.netopenid-connectidentityserver4

1 Answers

2
votes

Resource Owner Flow does not allow for sessions because it is a browserless flow much like the client credentials flow. In other words, IdentityServer4 cannot issue a cookie for your session.

oidc-js probably does not support password grant because it is a simple restful call, nothing too complicated.

If you want checksession you will need to use a human interaction based flow like implicit flow.