I’ve set up a SAML IDP initiated SSO scenario with a customer of ours, and we can successfully authenticate. I now want to use the result of this to authenticate users of our SPA client with our API. We were using the access_token that gets sent back after the OIDC “handshake” when using a username/password login flow, so I tried the same with the SAML flow.
I’ve added the following query string in the IDP initiated SSO settings of the SAML connection: response_type=token id_token&scope=openid. That way the right information is sent back to the application. However, the access_token that is sent to our application is not a JWT token. It looks like this: damxXRX2j8aPxN_v78NaBfbD1vP0Ro06.
I think this has something to do with the fact that I need to specify an audience when requesting a token, as suggested here: Strange access token returned by SAML. But I have no idea how to accomplish this. Is this possible in any way? Or is there another way to get the access_token?
The id_token that is sent back to the application is valid, and I can read the user information etc. I could use that one to send to the API to figure out which user is logged in, but then the API audience can’t be checked and using the id_token instead of the access_token is apparently not recommended (https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis).
Anyone able to point me in the right direction? Thanks!
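Added example, not code from the original post: an API-side check that accepts only a signed JWT access token whose `aud` names the API, and rejects both an opaque token (like the string in the post, which carries no claims to inspect) and an id_token (whose `aud` is the SPA's client_id). `API_AUDIENCE`, `CLIENT_ID`, `ISSUER` and the HS256 secret are constructed values so the sample verifies offline; Auth0 access tokens are RS256 and a real API would verify them against the tenant's JWKS instead.

```python
import base64, hmac, hashlib, json

# Constructed values for this example (not from the original post).
API_AUDIENCE = "https://api.example.com"      # API identifier the access token must be issued for
CLIENT_ID = "spa-client-id"                   # the SPA's client_id; an id_token carries this as its aud
ISSUER = "https://tenant.example.auth0.com/"
SHARED_SECRET = b"constructed-hs256-secret"   # HS256 so the sample verifies offline; Auth0 access
                                              # tokens are RS256 and are checked against the tenant JWKS

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Mint an HS256 JWT for the sample; stands in for tokens the identity provider would return."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_access_token(token: str) -> tuple[bool, str]:
    """Return (accepted, reason). Only a signed JWT whose aud names this API is accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque token has no claims the API can inspect, so audience cannot be enforced.
        return False, "opaque token: not a JWT, audience cannot be checked"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed JWT"
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')}"
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID in aud and API_AUDIENCE not in aud:
        # An id_token is addressed to the SPA (aud == client_id), not to the API.
        return False, "id_token presented as access token"
    if API_AUDIENCE not in aud:
        return False, "audience mismatch"
    return True, "ok"
```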