In the API authentication and authorization FAQ, the question about accessing multiple APIs states that multiple calls to the /authorize endpoint must be executed - once for each audience.
Does this mean presenting the user with a login window for each API? (This would be unacceptable for my use case). Otherwise, how should this be implemented with the .net OidcClient?
I also looked in this approach, but that doesn’t work for me either since I’m using Google Cloud Endpoints to manage the API, and therefore can’t set the identifier/audience-name for the APIs freely.
Even if using multiple API’s due to the need for different identifiers it’s not strictly required to have the users login every time. If the first request to an API establishes a session at the identity provider and subsequent requests can leverage that session then the user does not have to input credentials in every request.
For example, for a application that is configured to establish a session at Auth0 it can make the first request which would require the user providing their credentials and then perform the subsequent requests with the prompt=none parameter that ensures that the request either succeeds because the session is reused or fail without user interaction if the session cannot be used or other interaction would have to be required. Given the first request started the session, the following ones would succeed in general.
Have in mind that the above implies that none of the API’s in question require the user to provided explicit consent; that is, the consent screen would not be shown, as otherwise the prompt=none request could fail due to this.
In relation to the use of the .NET OIDC client, you would have to repeat the same process you already do for one API multiple times with the following consideration:
you need to go through the same browser so that session can be reused.
you could consider including the prompt=none as an additional parameter to ensure the automatic pass or fail and don’t incur the risk of a login screen being shown more than once for the user.
Ah great, this is working nicely now. I had to add the DisplayModel.Visible/Hidden argument to the Auth0Client.LoginAsync method, so it gets passed on to the IdentityModel.OidcClient.LoginAsync method - otherwise, the IdentityModel pops up an empty browser window which is immediately dismissed. I would suggest that these arguments should be exposed to the Auth0 library also.