oidc-client: sign in as a different user


We are using the oidc-client package for login via an IdP. This is working fine. But now our requirement is to sign in a different user, without interfering with the existing user.

At a high level, our workflow would be

  • Log in to the application as UserA.
  • UserA triggers REST calls. All REST calls that return sensitive data would need to be authorized by a power user (say, the Manager).
  • When UserA triggers a sensitive REST call, the application opens the login page in a separate tab for power user (Manager) authorization.
  • The Manager signs in.

Now the problem is, when the manager signs in, it overrides the token of UserA. Is it possible to log in 2 simultaneous users using oidc-client?

2 answers

Accepted answer:

In a nutshell, no, it is not possible to have two logged-in users on the same client. How would the REST calls know which token to choose in the subsequent calls, the one from UserA or UserB?

Second answer:

STEP UP AUTHENTICATION

A more standard way to design this would be in terms of Step Up Authentication. The second redirect would use a higher privilege scope such as payment.

The IdP could be configured to require an additional authentication factor when this scope is used. This could potentially be a second password, though it is more common to use something like a One Time Password app.

The user identity should not change though, and only one user should need to be present. The high privilege scope could last only for the lifetime of the new access token, e.g. 15 minutes.

CIBA

A more complex OpenID Connect standard that involves multiple users is CIBA. A possible option could be for a user app to trigger an authentication + consent flow in a manager app and then return a short-lived manager access token back to the instance of the user app that requested approval, e.g. with a scope of transaction23_approve.

SUMMARY

Use the first option if at all possible, and keep things simple and standard. In either case, oidc-client will just do a single job, and the app's (main) tokens will be those for the interactive user.
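The step-up design from the second answer, as an added example that is not part of the original question or either answer, and not code from the oidc-client project. It shows the client-side decision the answer implies but does not spell out: the interactive user's base token stays in place, a second short-lived token with a higher-privilege scope is attached only to sensitive endpoints, and that token is accepted only if it is unexpired, carries the step-up scope, shows the stronger factor in its acr claim, and belongs to the same subject as the base session (the answer's point that the user identity must not change). The scope name "payment", the acr value "mfa" and the "/api/payments/" path prefix are assumptions for illustration. The user objects are constructed inline with the shape oidc-client's UserManager resolves to (access_token, expires_at, scope, profile) so the logic runs offline without an IdP.

```javascript
// Added example, not code from the original post or from oidc-client.
// Step-up token selection for sensitive REST calls: the interactive user's
// base token stays as-is; a second, short-lived token carrying a higher
// privilege scope is attached only to sensitive endpoints, and only if it
// proves the stronger factor was applied and belongs to the same user.
//
// Assumed names (not from the page): scope "payment", acr value "mfa",
// sensitive endpoints under "/api/payments/". In the browser the `user`
// objects below would be what oidc-client's UserManager resolves to
// (access_token, expires_at, scope, profile); here they are constructed
// inline so the logic runs offline.

const STEP_UP_SCOPE = 'payment';
const STEP_UP_ACR = 'mfa';
const SENSITIVE_PREFIX = '/api/payments/';
const CLOCK_SKEW_SECONDS = 30;

function isSensitive(path) {
  return path.startsWith(SENSITIVE_PREFIX);
}

// Unexpired (with clock skew) and actually carrying an access token.
function tokenValid(user, now) {
  return !!user
    && typeof user.access_token === 'string'
    && typeof user.expires_at === 'number'
    && user.expires_at - CLOCK_SKEW_SECONDS > now;
}

// A step-up token is usable only if it is unexpired, carries the step-up
// scope, was issued after the stronger factor (acr claim) and is for the same
// subject as the base session: the user identity must not change.
function stepUpUsable(baseUser, stepUpUser, now) {
  if (!tokenValid(stepUpUser, now)) return false;
  const scopes = (stepUpUser.scope || '').split(' ');
  if (!scopes.includes(STEP_UP_SCOPE)) return false;
  const p = stepUpUser.profile || {};
  const baseSub = (baseUser.profile || {}).sub;
  return p.acr === STEP_UP_ACR && !!p.sub && p.sub === baseSub;
}

// Decide what a request should carry. Result kinds:
//   'base'             -> use the base token
//   'step_up'          -> use the step-up token
//   'step_up_required' -> run the higher-privilege signin first
//   'login_required'   -> base session is gone; sign in again
function chooseToken(baseUser, stepUpUser, path, now) {
  if (!tokenValid(baseUser, now)) {
    return { kind: 'login_required', token: null };
  }
  if (!isSensitive(path)) {
    return { kind: 'base', token: baseUser.access_token };
  }
  if (stepUpUsable(baseUser, stepUpUser, now)) {
    return { kind: 'step_up', token: stepUpUser.access_token };
  }
  return { kind: 'step_up_required', token: null };
}

// Authorization header for a call, or null when a signin must happen first.
function authHeader(decision) {
  return decision.token ? { Authorization: `Bearer ${decision.token}` } : null;
}

// Constructed sample data (not real tokens or claims).
const NOW = 1700000000;
const baseUser = {
  access_token: 'base.token.userA',
  expires_at: NOW + 3600,
  scope: 'openid profile',
  profile: { sub: 'user-a', acr: 'pwd' },
};
const stepUpUser = {
  access_token: 'stepup.token.userA',
  expires_at: NOW + 900, // 15 minutes, the lifetime the answer suggests
  scope: 'openid payment',
  profile: { sub: 'user-a', acr: 'mfa' },
};
// Same scope and acr, but a different subject: must be rejected.
const foreignStepUp = { ...stepUpUser, profile: { sub: 'manager', acr: 'mfa' } };

function demo() {
  return {
    ordinary: chooseToken(baseUser, null, '/api/orders', NOW).kind,
    sensitiveNoStepUp: chooseToken(baseUser, null, '/api/payments/123', NOW).kind,
    sensitiveWithStepUp: chooseToken(baseUser, stepUpUser, '/api/payments/123', NOW).kind,
    sensitiveExpiredStepUp: chooseToken(baseUser, stepUpUser, '/api/payments/123', NOW + 900).kind,
    sensitiveOtherSubject: chooseToken(baseUser, foreignStepUp, '/api/payments/123', NOW).kind,
    baseExpired: chooseToken(baseUser, stepUpUser, '/api/orders', NOW + 3600).kind,
  };
}

// In the browser, 'step_up_required' is where the second signin goes, e.g.
// userManager.signinPopup({ scope: 'openid payment', acr_values: 'mfa' }),
// with the result held by the app for the sensitive call rather than written
// over the base session.
console.log(demo());
```

The one wiring caveat, and the root of the original problem: a UserManager stores whatever user its signin methods return, so running the step-up signin through the same instance replaces the base session. My suggestion (an assumption about the library, not something the answers state) is to run the second signin through a separate UserManager with its own user store, or through the lower-level OidcClient which does not persist the user, and keep the step-up result in memory for the sensitive call only.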