Maintain Concurrent Grants in Single OIDC Session

I am using node-oidc-provider library as an OIDC based interface to my auth-service, which eventually does SAML or OIDC based federation with the client. I have a scenario where user can perform e-sign after login.

During e-sign, the user needs to re-authenticate, and at this point the library creates a whole new session with a new grant.

I want this operation to happen within the primary login session, with a limited grant that has a very short expiry, instead of creating a new session.

What could be the best way of achieving this? Have you worked on a similar requirement?

Node-oidc-provider can only have a single grant per session, which seems to me quite a limitation.

Please HELP. Thanks in advance.

I tried a couple of things, but they seemed to be a hacky approach instead of something close to a standard.

I would consider the following options:

USER SIGN IN

The initial redirect uses scope=openid, say. A grant is created, with a 4 hour refresh token and a 15 minute access token. It may involve consent.

HIGH PRIVILEGE REDIRECT

The second redirect uses scope=openid payment. Another 4 hour refresh token and short-lived access token are created. This replaces the grant, which is pretty standard, but you don't want the payment scope to hang around for long.

SCOPE TIME TO LIVE

The payment scope is assigned a short time to live, of 10 minutes say. When the access token expires, the payment scope is not issued on the next token refresh. Most OIDC providers probably don't support this though.

ALTERNATIVE

The next time the high privilege scope expires, don't refresh it. Instead, just do another redirect with scope=openid. This will usually be an SSO event, so usability is not too bad.
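The following is an added, self-contained model of the sequence the answer above describes (sign-in grant, replacement by a higher-privilege grant, and a per-scope time to live that drops the payment scope on the next refresh). It is illustration code written for this page, not node-oidc-provider's own API: the token lifetimes, the `SCOPE_TTL_MS` policy table, and the function names are all constructed for the example.

```javascript
// Constructed policy, not from node-oidc-provider: each scope carries its own
// lifetime, independent of the refresh token. "openid" lives as long as the
// refresh token; "payment" is an elevated scope that expires after 10 minutes.
const MINUTE = 60 * 1000;
const SCOPE_TTL_MS = {
  openid: 4 * 60 * MINUTE,
  payment: 10 * MINUTE,
};
const ACCESS_TOKEN_TTL_MS = 15 * MINUTE;
const REFRESH_TOKEN_TTL_MS = 4 * 60 * MINUTE;

let counter = 0;
function newToken(prefix) {
  // Opaque token identifiers for the example; a real provider uses random values.
  return `${prefix}-${++counter}`;
}

// Mint an access token carrying only the scopes whose own TTL has not elapsed.
function mintAccessToken(scopeExpiry, now) {
  const live = Object.keys(scopeExpiry).filter((s) => scopeExpiry[s] > now);
  return { value: newToken('at'), scope: live, expiresAt: now + ACCESS_TOKEN_TTL_MS };
}

// Issue a grant for the requested scopes. A second redirect with a broader
// scope simply replaces the session's grant, as the answer describes.
function issueGrant(scopes, now) {
  const scopeExpiry = {};
  for (const s of scopes) scopeExpiry[s] = now + SCOPE_TTL_MS[s];
  return {
    scopeExpiry,
    refreshToken: newToken('rt'),
    refreshExpiresAt: now + REFRESH_TOKEN_TTL_MS,
    accessToken: mintAccessToken(scopeExpiry, now),
  };
}

// Refresh: reject an expired refresh token, prune scopes whose TTL has passed,
// and re-mint the access token without them. This is the "scope time to live"
// behaviour: the payment scope is not reissued once its 10 minutes are up.
function refreshGrant(grant, now) {
  if (now >= grant.refreshExpiresAt) {
    throw new Error('refresh token expired; the user must sign in again');
  }
  for (const s of Object.keys(grant.scopeExpiry)) {
    if (grant.scopeExpiry[s] <= now) delete grant.scopeExpiry[s];
  }
  grant.accessToken = mintAccessToken(grant.scopeExpiry, now);
  return grant.accessToken;
}

// Resource-server side check: the access token must be unexpired and carry the scope.
function accessTokenAllows(grant, scope, now) {
  const at = grant.accessToken;
  return at.expiresAt > now && at.scope.includes(scope);
}

// Walk through the answer's timeline (constructed times, in ms from t0 = 0).
function demo() {
  const t0 = 0;
  const session = { grant: issueGrant(['openid'], t0) };                  // USER SIGN IN
  session.grant = issueGrant(['openid', 'payment'], t0 + 5 * MINUTE);      // HIGH PRIVILEGE REDIRECT
  const duringEsign = accessTokenAllows(session.grant, 'payment', t0 + 10 * MINUTE);
  // The access token expires at t0+20min; the payment scope's TTL ended at t0+15min.
  const refreshed = refreshGrant(session.grant, t0 + 21 * MINUTE);
  return { duringEsign, afterRefresh: refreshed.scope };
}

module.exports = { issueGrant, refreshGrant, accessTokenAllows, demo, MINUTE };
```

Running `demo()` returns `duringEsign: true` and `afterRefresh: ['openid']`: the single session keeps one grant throughout, the elevated scope is usable only inside its own short window, and the ordinary `openid` scope survives the refresh. The "ALTERNATIVE" in the answer corresponds to not calling `refreshGrant` when the elevated scope has lapsed and instead starting a new redirect with `scope=openid`.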
