OK to use OIDC ID token as bearer token from SPA to stateless C# backend?

Time:01-08

I am developing SPAs in Angular and React. I am connecting these SPAs to OIDC identity providers, using authorization code PKCE.

Now, I need some way to communicate the user context to the backend APIs in C# (ASP.NET Core).

My problem is: the access tokens from my particular IDP are opaque.

If the access tokens were JWTs, I would use these as bearer tokens with something like

services.AddAuthentication("token")
    .AddJwtBearer(...);

My question is, should I use the ID token as a JWT bearer token, to communicate authentication and user context? The only claims I am interested in are the sub or email claims, to identify the user.

Alternatively:

What is the appropriate ASP.NET configuration to use the userinfo or introspection endpoint to get the user profile (email etc.)?

And how to do that in a way that won't require a round trip on every request?

CodePudding user response:

You could let AddJwtBearer use its event handlers to query your IDP for the real user details, using the access token you got. You should not use the ID token, as the lifetime of those is usually very short, like 5 minutes.

CodePudding user response:

If I understand correctly (?), you should not use the ID-Token in place of the Access-Token. Most OPs (OIDC Providers) allow for the return of an ID-Token along with the Access-Token when authenticating (i.e. when calling the 'authorize' endpoint); even AAD (Azure AD), for example. Look into the config - that will allow for this. I've found that most providers (for the 'Authorization Code' flow with PKCE included) do seem to support it (one way or the other).

Otherwise, just explicitly/actively call the (OIDC) 'userinfo' endpoint to obtain the identity information.
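
The two answers above combine into one setup: an AddJwtBearer event handler sends the opaque access token to the userinfo endpoint and caches the result, so only the first request per token makes a round trip. This is an added example, not code from the thread; the endpoint URL and the two-minute cache lifetime are assumptions.

```csharp
// Added example, not from the thread. Program.cs of an ASP.NET Core 6+ web project (implicit usings).
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Memory;

const string UserInfoUrl = "https://idp.example/userinfo"; // placeholder, use your IDP's endpoint
var cacheTtl = TimeSpan.FromMinutes(2); // assumed; a revoked token stays accepted this long
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddMemoryCache();
builder.Services.AddHttpClient();
builder.Services.AddAuthorization();
builder.Services.AddAuthentication("token").AddJwtBearer("token", o =>
    o.Events = new JwtBearerEvents { OnMessageReceived = async ctx =>
    {
        string? header = ctx.Request.Headers.Authorization;
        if (header is null || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return;
        var token = header["Bearer ".Length..].Trim();
        var services = ctx.HttpContext.RequestServices;
        var cache = services.GetRequiredService<IMemoryCache>();
        // Key on a hash so the raw token is not held as a cache key.
        var key = "userinfo:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
        if (!cache.TryGetValue(key, out ClaimsPrincipal? principal))
        {
            using var req = new HttpRequestMessage(HttpMethod.Get, UserInfoUrl);
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            var http = services.GetRequiredService<IHttpClientFactory>().CreateClient();
            using var res = await http.SendAsync(req, ctx.HttpContext.RequestAborted);
            if (!res.IsSuccessStatusCode) { ctx.Fail("userinfo rejected the access token"); return; }
            using var doc = JsonDocument.Parse(await res.Content.ReadAsStringAsync());
            if (!doc.RootElement.TryGetProperty("sub", out var sub) || sub.GetString() is not string id)
            { ctx.Fail("userinfo response has no sub claim"); return; }
            var claims = new List<Claim> { new(ClaimTypes.NameIdentifier, id) };
            if (doc.RootElement.TryGetProperty("email", out var mail) && mail.GetString() is string email)
                claims.Add(new(ClaimTypes.Email, email));
            principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "token"));
            cache.Set(key, principal, cacheTtl); // only successful lookups are cached
        }
        ctx.Principal = principal;
        ctx.Success(); // short-circuits JWT parsing; the token is opaque
    }});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => user.FindFirst(ClaimTypes.NameIdentifier)?.Value).RequireAuthorization();
app.Run();
```

A successful userinfo call shows that the IDP accepts the token, not that the token was issued for this API; where the IDP offers introspection, its response can also carry the audience and client the token was issued to.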
