I am trying to use openid connect to create a SSO for my application.
Basically we have one API layer and different Apps (clients) will consume the service of this layer.
To start with we added OAuth2.0 for authorization for each of the different apps; for authentication we are currently using our own database (IDP)
We want to the end users to have a single sign on experience for this flow. To have that we added openid on top of the OAuth flow we have built.
The web server has the standard oauth + openid implementation and has the following
- Explicit Flow
- Implicit Flow
- Password Grant
On adding the openid connect, the server now has the ability to send the id_token (jwt) as well, depending on the scope and request type
There are two clients registered (C1 & C2)
Step 1: C1 follows explicit flow and uses response type as code, so when a user (U1) access C1 it is redirected to the authentication server where U1 enters the credentials.
Step 2: The authorization server validates the credentials and prompts for the user consent, confirming which sends out the code to the redirect_uri of C1
Step 3: C1 then requests for a token and the server gives out an access_token and an id_token; the access token being persisted in the database
Step 4: U1 now needs to access C2
Questions:
- What would be the best way/practice for C2 to get the access token from the api sever without having the user to login again.
- If C1 passes the jwt id_token to C2 through local-storage or any other means, one possible way would be to exchange the id_token for an access_token following this.
- If we go with the above approach, would it be sufficient to just verify the id_token and issue the access_token or should we add any other check
- Any other approach.
Thanks