Styjun

Short story about space worker geeks who zone out by 'listening' to radiation from stars

Tiptoe or tiphoof? Adjusting words to better fit fantasy races

Why Were Madagascar and New Zealand Discovered So Late?

Valid Badminton Score?

There is only s̶i̶x̶t̶y one place he can be

Why are on-board computers allowed to change controls without notifying the pilots?

How could Frankenstein get the parts for his _second_ creature?

Is a roofing delivery truck likely to crack my driveway slab?

Hostile work environment after whistle-blowing on coworker and our boss. What do I do?

Where in the Bible does the greeting ("Dominus Vobiscum") used at Mass come from?

Is there an Impartial Brexit Deal comparison site?

Implement the Thanos sorting algorithm

Increase performance creating Mandelbrot set in python

Is expanding the research of a group into machine learning as a PhD student risky?

Was Spock the First Vulcan in Starfleet?

How do I rename a LINUX host without needing to reboot for the rename to take effect?

Is there a problem with hiding "forgot password" until it's needed?

Can I use my Chinese passport to enter China after I acquired another citizenship?

Are there any comparative studies done between Ashtavakra Gita and Buddhim?

Your magic is very sketchy

Will it be accepted, if there is no ''Main Character" stereotype?

Coordinate position not precise

How does residential electricity work?

What would happen if the UK refused to take part in EU Parliamentary elections?

Transfer the authenticated user to a SPA without forcing them to re-enter their credentials

What is the purpose of the implicit grant authorization type in OAuth 2?How to use 3rd party authentication services in a SPA without cookies?Swapping an external identity provider token with internal identity provider token using OIDC Client and IdentityServer4oidc-client-js and basic authenticationAuthentication flow for temporary credentials in the browserWhen to use which OIDC/OAuth flow?IdentityServer4 - How to Implement Impersonationidentityserver4 with oidc-client implicit flow redirect not showing login pageHow Sign Out a User from all the locationsEmbedded OAuth2 app - parent application auto sign-in

1

This is my current setup:

• IdentityServer4


• API (Bearer authentication)


• SPA page (oidc-client implicit flow redirected to IdentityServer4 Quickstart UI)


• Native application (written i C#)

The native application already have the users credentials. I want to provide a web link to the SPA page from the native application, but I don't want to force the user to login again when navigating to the web. Instead I want to move their current session to the web page.

Is it possible to "inject" the access token into the oidc-client? (using a url fragment). Or is there any other flow or way to make this work?

oauth identityserver4 oidc oidc-client-js

share|improve this question

asked Mar 21 at 15:26

user1112634user1112634

3517

add a comment | 

1

This is my current setup:

• IdentityServer4


• API (Bearer authentication)


• SPA page (oidc-client implicit flow redirected to IdentityServer4 Quickstart UI)


• Native application (written i C#)

The native application already have the users credentials. I want to provide a web link to the SPA page from the native application, but I don't want to force the user to login again when navigating to the web. Instead I want to move their current session to the web page.

Is it possible to "inject" the access token into the oidc-client? (using a url fragment). Or is there any other flow or way to make this work?

oauth identityserver4 oidc oidc-client-js

share|improve this question

asked Mar 21 at 15:26

user1112634user1112634

3517

add a comment | 

This is my current setup:

• IdentityServer4


• API (Bearer authentication)


• SPA page (oidc-client implicit flow redirected to IdentityServer4 Quickstart UI)


• Native application (written i C#)

The native application already have the users credentials. I want to provide a web link to the SPA page from the native application, but I don't want to force the user to login again when navigating to the web. Instead I want to move their current session to the web page.

Is it possible to "inject" the access token into the oidc-client? (using a url fragment). Or is there any other flow or way to make this work?

oauth identityserver4 oidc oidc-client-js

share|improve this question

asked Mar 21 at 15:26

user1112634user1112634

3517

share|improve this question

asked Mar 21 at 15:26

user1112634user1112634

3517

share|improve this question

asked Mar 21 at 15:26

user1112634user1112634

3517

asked Mar 21 at 15:26

user1112634user1112634

3517

asked Mar 21 at 15:26

user1112634user1112634

3517

1 Answer
1

active

oldest

votes

2

In general the answer should be: you are on a wrong way.
Look: you use resource owner password flow in your native app and that's wrong. It's not interactive, meaning not only IdP has access to the credentials. In general such flow is recommended for test purposes etc, not for general use. One huge limitation of the non-interactive flow is that it does not create a user session. If you switch your native app to an interactive flow such as Code flow with PKCE extension, it will create the session. After that your other app will get authenticated automatically whenever the session cookie for Identity server is alive.
NB: If you don't like to improve your architecture, you are free to do whatever you like, including providing a token in the link. That token will still be valid for calling the API. But that will be not the implicit flow, you will not have a session, nor the possibility to use silent refresh feature.

share|improve this answer

edited Mar 21 at 16:41

answered Mar 21 at 16:21

d_fd_f

6101614

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Agreed. This is the correct way to do it if you want SSO between those two client applications.
  
  – mackie
  Mar 21 at 18:18
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thank you both for your input! If there would be only one "user account" for all users in the system (for this specific service), could client credentials flow with the native application (shared secret with the idsrv) and sending the access token to the SPA work without breaking any best practises?
  
  – user1112634
  Mar 22 at 10:33
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  hmm... sounds strange. when two people know a secret, it's not a secret anymore, so why do you need any real security system in that case?.. hard to understand what you really need without seeing the whole scenario. But, yes, you may use client credentials to authorize your apps and skip user authentication at all.
  
  – d_f
  Mar 22 at 12:35
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Tested a bit with client credentials, but it won’t work since you can’t set a subject in the access token. We already have our API, Idsrv (with authentication against our own internal user accounts) and the SPA. The “native application” is another department’s legacy application, that will use one of our own user accounts for all of their users. And it’s from this application they have to access our SPA. The legacy application will always have the credentials for this account.
  
  – user1112634
  Mar 22 at 13:28
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  well, so you need to pass the sub claim to your SPA? you can implement that with a delegation pattern, described in idsrv docs. but looking at your strange configuration, I don't think you really need that. you can just continue with "resource owner password", and pass the token to your SPA, as you wanted from the beginning. just keep in mind, you'll never have a real user session in your app unless the IdP provides it for you.
  
  – d_f
  Mar 22 at 13:46
  

  
  
  
  

 | 
show 1 more comment

Your Answer

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55283911%2ftransfer-the-authenticated-user-to-a-spa-without-forcing-them-to-re-enter-their%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

2

In general the answer should be: you are on a wrong way.
Look: you use resource owner password flow in your native app and that's wrong. It's not interactive, meaning not only IdP has access to the credentials. In general such flow is recommended for test purposes etc, not for general use. One huge limitation of the non-interactive flow is that it does not create a user session. If you switch your native app to an interactive flow such as Code flow with PKCE extension, it will create the session. After that your other app will get authenticated automatically whenever the session cookie for Identity server is alive.
NB: If you don't like to improve your architecture, you are free to do whatever you like, including providing a token in the link. That token will still be valid for calling the API. But that will be not the implicit flow, you will not have a session, nor the possibility to use silent refresh feature.

share|improve this answer

edited Mar 21 at 16:41

answered Mar 21 at 16:21

d_fd_f

6101614

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Agreed. This is the correct way to do it if you want SSO between those two client applications.
  
  – mackie
  Mar 21 at 18:18
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thank you both for your input! If there would be only one "user account" for all users in the system (for this specific service), could client credentials flow with the native application (shared secret with the idsrv) and sending the access token to the SPA work without breaking any best practises?
  
  – user1112634
  Mar 22 at 10:33
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  hmm... sounds strange. when two people know a secret, it's not a secret anymore, so why do you need any real security system in that case?.. hard to understand what you really need without seeing the whole scenario. But, yes, you may use client credentials to authorize your apps and skip user authentication at all.
  
  – d_f
  Mar 22 at 12:35
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Tested a bit with client credentials, but it won’t work since you can’t set a subject in the access token. We already have our API, Idsrv (with authentication against our own internal user accounts) and the SPA. The “native application” is another department’s legacy application, that will use one of our own user accounts for all of their users. And it’s from this application they have to access our SPA. The legacy application will always have the credentials for this account.
  
  – user1112634
  Mar 22 at 13:28
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  well, so you need to pass the sub claim to your SPA? you can implement that with a delegation pattern, described in idsrv docs. but looking at your strange configuration, I don't think you really need that. you can just continue with "resource owner password", and pass the token to your SPA, as you wanted from the beginning. just keep in mind, you'll never have a real user session in your app unless the IdP provides it for you.
  
  – d_f
  Mar 22 at 13:46
  

  
  
  
  

 | 
show 1 more comment

2

In general the answer should be: you are on a wrong way.
Look: you use resource owner password flow in your native app and that's wrong. It's not interactive, meaning not only IdP has access to the credentials. In general such flow is recommended for test purposes etc, not for general use. One huge limitation of the non-interactive flow is that it does not create a user session. If you switch your native app to an interactive flow such as Code flow with PKCE extension, it will create the session. After that your other app will get authenticated automatically whenever the session cookie for Identity server is alive.
NB: If you don't like to improve your architecture, you are free to do whatever you like, including providing a token in the link. That token will still be valid for calling the API. But that will be not the implicit flow, you will not have a session, nor the possibility to use silent refresh feature.

share|improve this answer

edited Mar 21 at 16:41

answered Mar 21 at 16:21

d_fd_f

6101614

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Agreed. This is the correct way to do it if you want SSO between those two client applications.
  
  – mackie
  Mar 21 at 18:18
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thank you both for your input! If there would be only one "user account" for all users in the system (for this specific service), could client credentials flow with the native application (shared secret with the idsrv) and sending the access token to the SPA work without breaking any best practises?
  
  – user1112634
  Mar 22 at 10:33
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  hmm... sounds strange. when two people know a secret, it's not a secret anymore, so why do you need any real security system in that case?.. hard to understand what you really need without seeing the whole scenario. But, yes, you may use client credentials to authorize your apps and skip user authentication at all.
  
  – d_f
  Mar 22 at 12:35
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Tested a bit with client credentials, but it won’t work since you can’t set a subject in the access token. We already have our API, Idsrv (with authentication against our own internal user accounts) and the SPA. The “native application” is another department’s legacy application, that will use one of our own user accounts for all of their users. And it’s from this application they have to access our SPA. The legacy application will always have the credentials for this account.
  
  – user1112634
  Mar 22 at 13:28
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  well, so you need to pass the sub claim to your SPA? you can implement that with a delegation pattern, described in idsrv docs. but looking at your strange configuration, I don't think you really need that. you can just continue with "resource owner password", and pass the token to your SPA, as you wanted from the beginning. just keep in mind, you'll never have a real user session in your app unless the IdP provides it for you.
  
  – d_f
  Mar 22 at 13:46
  

  
  
  
  

 | 
show 1 more comment

In general the answer should be: you are on a wrong way.
Look: you use resource owner password flow in your native app and that's wrong. It's not interactive, meaning not only IdP has access to the credentials. In general such flow is recommended for test purposes etc, not for general use. One huge limitation of the non-interactive flow is that it does not create a user session. If you switch your native app to an interactive flow such as Code flow with PKCE extension, it will create the session. After that your other app will get authenticated automatically whenever the session cookie for Identity server is alive.
NB: If you don't like to improve your architecture, you are free to do whatever you like, including providing a token in the link. That token will still be valid for calling the API. But that will be not the implicit flow, you will not have a session, nor the possibility to use silent refresh feature.

share|improve this answer

edited Mar 21 at 16:41

answered Mar 21 at 16:21

d_fd_f

6101614

share|improve this answer

edited Mar 21 at 16:41

answered Mar 21 at 16:21

d_fd_f

6101614

answered Mar 21 at 16:21

d_fd_f

6101614

answered Mar 21 at 16:21

d_fd_f

6101614