Comments (13)

damienbod avatar damienbod commented on August 23, 2024

Yes you could just use the id_token token flow. No need to get the access_token a second time.

Greetings Damien

from angular-auth-oidc-client.

damienbod avatar damienbod commented on August 23, 2024

Hi @MovGP0

OpenID Implicit Flow (id_token token) => web clients which access APIs

This PR makes it possible to get the id_token (Will be merged next week when I have a PC again)

https://github.com/damienbod/angular-auth-oidc-client/pull/49/files

Why do you need the id_token?

Greetings Damien


damienbod avatar damienbod commented on August 23, 2024

@MovGP0 If you use the id_token token Implicit Flow, you will receive the access_token back.

The getToken method then returns the access token.

https://github.com/damienbod/angular-auth-oidc-client/blob/master/src/services/oidc.security.service.ts#L111

Greetings Damien


MovGP0 avatar MovGP0 commented on August 23, 2024

the access token I get is for the STS. But I figured out a method that works for me:

  • the Client gets the Access Token and the Refresh Token from the STS using the Implicit Flow
  • the Client sends the Access Token to the Resource
  • the Resource uses the IdentityEndpoint to validate the token and get the user information
  • If the user has the proper role claims, the Resource invokes the TokenEndpoint of the STS to get a Resource Access Token for the Resource using Code Flow
  • the Resource Access Token gets sent to the client
  • the client caches the Resource Access Token
  • the client uses the Resource Access Token to access the protected resources (without additional round trips).

I am just wondering if there is a simpler solution...


MovGP0 avatar MovGP0 commented on August 23, 2024

well, how do I get the id_token then? the .getToken() method returns the STS access token, and the .getUserData() method doesn't return the ID token either, but only its decoded variant.

Apparently, the id_token gets saved to the storage, but doesn't get exposed by the OidcSecurityCommon service like the access token.


MovGP0 avatar MovGP0 commented on August 23, 2024

btw: I am not fully sure what an ID Token flow is. There is

  • Implicit Flow (for web clients)
  • Authorization Code Flow (3-legged OAuth flow)
  • Resource Owner Password Credentials Flow
  • Client Credentials Flow / Code Flow (for clients with secrets)
  • Hybrid Flow (basically what I do if I understand it correctly [which might not be true], but with an additional roundtrip for checking the user roles)

sources:

  • OpenID Connect Flows
  • Biehl, Matthias. OAuth 2.0: Schnelleinstieg in Web-API Security (API University Series) (German Edition) (Kindle Location 209). Matthias Biehl. Kindle Edition.


MovGP0 avatar MovGP0 commented on August 23, 2024

what I need are

  1. User Claims in the frontend to enable and disable visible functionality; .userData() is fine for that.
  2. Resource Access Tokens for the resources (there are more than one)

what I have after the Implicit Flow is

  1. the User Claims (id token)
  2. the STS Access Token (can be used to get additional tokens from the token endpoint)


damienbod avatar damienbod commented on August 23, 2024

@MovGP0

The access_token can be used to access the user data endpoint which has the user claims (or userData, which is the same for the id_token token flow).

The access_token is also used for the APIs

Why do you need additional tokens?

Greetings Damien


MovGP0 avatar MovGP0 commented on August 23, 2024

when accessing the API, I don't want to invoke the User Data Endpoint every time for performance reasons. So my current method is that the Resource invokes the User Data Endpoint only once and gives the Client a Resource Access Token when the Resource Owner has the appropriate claims.

The Client can cache this Resource Access Token and use it to access the Resource.

  • The advantage is that the Resource can validate this token without additional round trips to the UDE.
  • The drawback is that I need to cache and refresh the Resource Access Tokens.

Note: the Resource can issue the Resource Access Token itself or via the Token Endpoint from the STS. Both methods should work.


MovGP0 avatar MovGP0 commented on August 23, 2024

the problem I have with the access_token is that it is issued with

{
   "aud": "sts.mydomain.com"
}

what I would need is (an aud array, since JSON object keys must be unique):

{
   "aud": [
      "sts.mydomain.com",
      "resource1.mydomain.com",
      "resource2.mydomain.com"
   ]
}


damienbod avatar damienbod commented on August 23, 2024

You should use scopes or API resource claims for this.

aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

Here's an example:

https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow/blob/master/src/ResourceServer/Startup.cs#L108

https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow/blob/master/src/AngularClient/angularApp/app/app.module.ts#L66

https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow/blob/master/src/IdentityServerWithIdentitySQLite/Config.cs#L27


damienbod avatar damienbod commented on August 23, 2024

But it should be possible to add multiple aud values in IdentityServer4 to the access_token so only 1 token is required.

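The two comments above turn on how a resource server should read the aud claim, which the spec allows to be either a single string or an array. The following is an added illustration written for this thread, not code from angular-auth-oidc-client or IdentityServer4; the host names are the constructed examples from the thread, and audience_accepts and resource_decisions are hypothetical helper names.

```python
from typing import Any, Mapping

def audience_accepts(claims: Mapping[str, Any], expected: str) -> bool:
    """Return True if this resource server's identifier is an audience of the token.

    Per OpenID Connect Core (and RFC 7519), "aud" is either a single
    case-sensitive string or an array of case-sensitive strings. A missing
    "aud", an empty array, a non-string entry, or a value that differs only
    in case must all be rejected, so a token minted only for the STS is not
    accepted by resource1 or resource2.
    """
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return expected in aud
    # Any other shape (number, object, mixed array) is malformed: reject.
    return False

# Constructed sample payloads mirroring the thread: one token issued only for
# the STS, and one carrying every API resource the client requested.
STS_ONLY = {"sub": "alice", "aud": "sts.mydomain.com", "scope": "openid profile"}
MULTI_AUD = {
    "sub": "alice",
    "aud": ["sts.mydomain.com", "resource1.mydomain.com", "resource2.mydomain.com"],
    "scope": "openid profile resource1 resource2",
}

def resource_decisions(claims: Mapping[str, Any], resources: list) -> dict:
    """Map each resource server identifier to whether it would accept the token."""
    return {r: audience_accepts(claims, r) for r in resources}

if __name__ == "__main__":
    servers = ["resource1.mydomain.com", "resource2.mydomain.com"]
    print("STS-only token:", resource_decisions(STS_ONLY, servers))
    print("multi-aud token:", resource_decisions(MULTI_AUD, servers))
```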

MovGP0 avatar MovGP0 commented on August 23, 2024

I guess it is. Just haven't figured it out yet.

As I understand it, I need to do the following:

  1. create an API Resource for each Resource Server.
  2. bundle claims into Scopes that the user can allow or deny.
  3. add the Scopes to the appropriate API Resources
  4. configure UserClaims, which the ApiResource can get from the user.
  5. when asking for the access token handle the name of the ApiResource as a claim
  6. IdentityServer's IProfileService enriches and filters the claims for the Access Token based on the user properties
  7. the access token should now contain all the requested ApiResource names in the audience field
