Even if using multiple APIs, due to the need for different identifiers, it’s not strictly required to have the users log in every time. If the first request to an API establishes a session at the identity provider and subsequent requests can leverage that session, then the user does not have to input credentials in every request.
For example, for an application that is configured to establish a session at Auth0, it can make the first request, which would require the user providing their credentials, and then perform the subsequent requests with the prompt=none parameter, which ensures that the request either succeeds because the session is reused or fails without user interaction if the session cannot be used or other interaction would be required. Given the first request started the session, the following ones would succeed in general.
Have in mind that the above implies that none of the APIs in question require the user to provide explicit consent; that is, the consent screen would not be shown, as otherwise the prompt=none request could fail due to this.
In relation to the use of the .NET OIDC client, you would have to repeat the same process you already do for one API multiple times, with the following considerations:
- you need to go through the same browser so that the session can be reused.
- you could consider including prompt=none as an additional parameter to ensure the automatic pass or fail and not incur the risk of a login screen being shown more than once to the user.
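As an added illustration (not code from the post above, and not the .NET OIDC client itself), the following models the request sequence the answer describes: one interactive authorization request per user, then one prompt=none request per additional API, plus the callback handling that tells a reused session apart from a "would have needed a screen" failure. The issuer, client id, redirect URI and audience values are placeholders, and the audience parameter is assumed to be how the provider selects the API.

```javascript
// Placeholder values (constructed for this example, not real endpoints).
const ISSUER = "https://example-tenant.auth0.com";
const CLIENT_ID = "client-id-placeholder";
const REDIRECT_URI = "https://app.example/callback";

// Build one authorization request. The first call (promptNone=false) may show a
// login screen and establishes the session; later calls pass prompt=none so the
// provider must either reuse that session or fail without any UI.
function buildAuthorizeUrl(audience, state, nonce, promptNone) {
  const u = new URL("/authorize", ISSUER);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("redirect_uri", REDIRECT_URI);
  u.searchParams.set("scope", "openid");
  u.searchParams.set("audience", audience); // assumed: selects the target API
  u.searchParams.set("state", state);       // per-request CSRF binding
  u.searchParams.set("nonce", nonce);       // per-request replay protection
  if (promptNone) u.searchParams.set("prompt", "none");
  return u.toString();
}

// One request per API: interactive for the first, silent (prompt=none) after.
// makeState(i) stands in for a real random state/nonce generator.
function planRequests(audiences, makeState) {
  return audiences.map((aud, i) =>
    buildAuthorizeUrl(aud, makeState(i), makeState(i) + "-n", i > 0));
}

// Classify the redirect back to REDIRECT_URI. With prompt=none, the OIDC-defined
// errors login_required, consent_required, interaction_required and
// account_selection_required mean a screen would have been needed (for example
// an API that still requires consent); the caller should fall back to one
// interactive request rather than retrying prompt=none in a loop.
const INTERACTION_ERRORS = new Set([
  "login_required", "consent_required",
  "interaction_required", "account_selection_required",
]);
function classifyCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get("state") !== expectedState) {
    return { status: "reject", reason: "state mismatch" };
  }
  const err = p.get("error");
  if (!err && p.get("code")) return { status: "success", code: p.get("code") };
  if (INTERACTION_ERRORS.has(err)) return { status: "needs_interaction", error: err };
  return { status: "error", error: err || "missing code" };
}
```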