OpenID Connect code sample (Angular 5, ASP.NET Core 3.0, IdentityServer4) containing SSOn/Out, reference tokens, custom grants and multi-tenancy.
Run Angular & MVC clients - signing in is only required once. When signing out of the IDP the other client is notified and signed out of.
Sample.API expects a reference token and validates this with the IDP on each call (default caching applies).
When calling Sample.SecondAPI from Sample.API a new access token is requested (keepin the identity of the current user) with the required scope for the second API.
The custom grant is a token exchange grant. This allows the user's identity to flow through a set of APIs, avoids access tokens that are too permissive (audience too large) and allows checking user rights to a certain API (scope) when exchanging the token.
Test by launching on the correct host. Tenant 1 = https://localhost:44318, Tenant 2 = https://localhost:44319
Implemented features are:
- the tenant information can be used at client level to adjust the client accordingly (eg: to change colours)
- the tenant id is passed through to the IDP. This allows separating out user stores depending on the tenant. In this case, localhost:44318 will allow local login (with test users), while localhost:44319 allows Google authentication.
This approach keeps the client clean: client only needs to know about one IDP, and it's the IDP that's responsible for using the correct user store. - the tenant id is also added to the access token. This can be used to diversify between tenants at level of the API.