Support multiserver authentication
Needed for #3 (closed)
The problem
We need a clean login process that makes requests to several federated servers possible. The OIDC sign-in detailed workflow says that the resource server should be registered as a client on the identity provider. If we build the app this way, we need to follow N authentication processes for N resource servers (each with user consent and login).
The proposal
We think the OIDC client is the SPA app. So we need this client to be registered with each identity provider (if supported). This client makes an auth request to the selected identity provider.
The client has several callbacks registered on the identity provider, e.g.:
- http://paris.cell/callback
- http://nantes.cell/callback
- and so on...
So, instead of setting a session cookie, we can set the id_token in a multidomain HttpOnly cookie. This makes a single login for multiple-server authentication possible. This may change, but for now it's the simplest way to do this.
Tasks:
- Autobuild a whitelist of domains based on the registered callbacks
- Change the cookie set on a successful login request
- Change the consent message in order to explain where the login will be exposed
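The following is an added example (not code from this project) of the server-side pieces the proposal and the task list imply: deriving the domain whitelist from the registered callbacks, checking a callback URL against it by exact match, validating the id_token claims a resource server must check before trusting the token, and building the HttpOnly cookie that replaces the session cookie. The callback URLs are the two from the issue; the issuer, client id, nonce, cookie name and cookie Domain value are constructed assumptions, and signature verification of the id_token is assumed to be done by the OIDC library before these claim checks run.

```python
"""Callback whitelist, id_token claim checks and login cookie for the
multi-server login flow. Added example; all sample values are constructed."""
import time
from urllib.parse import urlsplit

# Constructed sample: callbacks registered for the SPA client at the identity provider
REGISTERED_CALLBACKS = [
    "http://paris.cell/callback",
    "http://nantes.cell/callback",
]


def _normalize(url):
    """Split a URL into (scheme, host, port, path) with the default port made
    explicit, so two spellings of the same callback compare equal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"invalid callback URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port, parts.path or "/")


def build_domain_whitelist(callbacks=REGISTERED_CALLBACKS):
    """Task 1: derive the allowed origins from the registered callbacks. Whole
    origins (scheme, host, port) are kept rather than bare hostnames, so a
    plain-http origin never stands in for an https one."""
    return {(scheme, host, port) for scheme, host, port, _ in map(_normalize, callbacks)}


def is_allowed_callback(url, callbacks=REGISTERED_CALLBACKS):
    """Accept a redirect target only if it is exactly one of the registered
    callbacks. Exact matching rejects look-alike hosts (paris.cell.example.net),
    path tricks (/callback/../x) and scheme or port changes; malformed input is
    rejected rather than raising."""
    try:
        target = _normalize(url)
    except ValueError:
        return False
    return any(target == _normalize(cb) for cb in callbacks)


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Claim checks a resource server must do before trusting an id_token
    (OIDC Core 3.1.3.7): issuer, audience, authorized party, expiry and nonce.
    Signature verification is assumed to have happened already. Returns a list
    of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        problems.append("aud does not contain this client")
    # With several audiences the token must name our client as the authorized party
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("azp missing or not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


def cookie_header(id_token, domain, name="id_token", max_age=3600):
    """Task 2: Set-Cookie value carrying the id_token after a successful login.
    HttpOnly keeps the token away from page scripts, Secure keeps it off plain
    HTTP, SameSite=Lax limits cross-site sending. The cookie name and the Domain
    value are assumptions for this example."""
    return (f"{name}={id_token}; Domain={domain}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    print(sorted(build_domain_whitelist()))
    print(is_allowed_callback("http://paris.cell/callback"),
          is_allowed_callback("http://paris.cell.example.net/callback"))
    sample = {"iss": "https://idp.example", "aud": "spa-client",
              "exp": time.time() + 600, "nonce": "n1"}
    print(validate_id_token_claims(sample, "https://idp.example", "spa-client", "n1"))
    print(cookie_header("<id_token>", "paris.cell"))
```

Note that the Secure attribute means the cookie is only set when the callback is served over https, so the `http://` callbacks listed in the issue would need to move to https for this cookie to work.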