cly

Reputation: 708

oidc-client-ts: how to request access token for another scopes

I have working code which successfully completes the signin process via oidc-client-ts. It receives all the tokens (id/access/refresh) according to my requested scopes.

Now I need to call a second API which needs a token with claims belonging to another scope set. How do I acquire another access token for those scopes? I tried the following (after successful signin via signinPopup()):

userManager.signinSilent({
  scope: 'anotherscope'
});

But on the network I do not see 'anotherscope' in the associated request. The request still contains the original scopes.

Is it possible to acquire and keep access tokens for different scopes with oidc-client-ts?

Upvotes: 0

Views: 1626

Answers (1)

Gary Archer

Reputation: 29316

That isn't supported by the library by default, which uses scopes from the configuration object during redirects. You could potentially override the UserManager class to change this behavior.

More important are the angles of simplicity and reliability:

  • The second set of tokens would overwrite the first in your token storage. Having to use 2 sets of tokens is not usually recommended.

  • Using signinSilent relies on sending the authorization server's SSO cookie on a hidden iframe. This is usually a 3rd party cookie and will be dropped by some browsers, e.g. Safari, due to 3rd party cookie restrictions.

The most common solution for an organization building UIs and APIs is to simply configure scopes for both APIs in the client. Something like this, after which the same access token can be sent to both APIs:

scope = openid scope1 scope2

The end-to-end use of scopes and audience claims in APIs must be designed (usually by an architect or tech lead) so that the above flow works smoothly for clients though.

More advanced options such as token exchange by a backend component are also possible, e.g. if the two APIs have different trust levels.

Upvotes: 1
