We have a CIAM use-case where we are trying to allow customer access to all of our customer-facing applications using only a single userId. These apps are relatively independent and have their own scopes/claims. Rather than create a single giant accessToken with scopes/claims for every app they could possibly access, we’d like to have the user authenticate just once (i.e., SSO), but have each app be able to get its own access token (with its own scopes/claims).
We are using a custom login application and OIDC Authorization Code Flow. The session token created by /authn can be used by the first app to pass to /authorize to get the code it can exchange for an access token. But session tokens are one-time use/short-lived. Is there something in the session_cookie that could be used by other (trusted) apps to initiate their own authorization code flow?
Or is there some other way to meet the requirement of getting multiple app-specific access tokens for a single user session?
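The flow described above, modelled as an added example that is not part of the original post and not Okta's API: one login establishes a session at the identity provider, and each relying party (the constructed `billing-app` and `support-app` registrations) then runs its own OIDC authorization code flow with PKCE against that session, receiving an access token carrying only its own scopes and audience. The `AuthServer` class, the `correct horse` credential check, the `/authn`-like `login` method and the dict standing in for a signed JWT are all assumptions made for illustration; authorization codes are single use, as the post notes the session token is.

```python
"""Toy model: one IdP session, several OIDC clients, one access token each.

Added illustration, not code from the original post and not Okta's API.
Assumes a generic OIDC provider with per-client registered scopes, single-use
authorization codes and PKCE (RFC 7636). Tokens here are plain dicts, not JWTs.
"""
import base64
import hashlib
import secrets
import time

# Constructed client registrations: each app has its own scopes and redirect URI.
CLIENTS = {
    "billing-app": {"scopes": {"openid", "billing:read"}, "redirect": "https://billing.example/cb"},
    "support-app": {"scopes": {"openid", "tickets:write"}, "redirect": "https://support.example/cb"},
}


def s256(verifier: str) -> str:
    """PKCE S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Return (code_verifier, code_challenge) for one authorization request."""
    verifier = secrets.token_urlsafe(48)
    return verifier, s256(verifier)


class AuthServer:
    """Minimal OIDC provider (hypothetical): one user session, per-client codes."""

    def __init__(self):
        self.sessions = {}  # session cookie -> user id
        self.codes = {}     # authorization code -> pending grant (single use)

    def login(self, user_id: str, password: str) -> str:
        # Stands in for the primary authentication step; done once per browser session.
        if password != "correct horse":  # constructed credential check
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user_id
        return cookie

    def authorize(self, session_cookie, client_id, scope, redirect_uri, code_challenge):
        # Each client calls this separately with its own scopes; the IdP session is reused.
        user = self.sessions.get(session_cookie)
        if user is None:
            raise PermissionError("login_required")
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri != client["redirect"]:
            raise PermissionError("unauthorized_client")
        requested = set(scope.split())
        if not requested <= client["scopes"]:
            raise PermissionError("invalid_scope")  # a client cannot ask for another app's scopes
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client": client_id, "scope": requested,
                            "challenge": code_challenge, "expires": time.time() + 60}
        return code

    def token(self, code, client_id, code_verifier):
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if grant is None or grant["expires"] < time.time() or grant["client"] != client_id:
            raise PermissionError("invalid_grant")
        if not secrets.compare_digest(s256(code_verifier), grant["challenge"]):
            raise PermissionError("invalid_grant")  # PKCE binds the code to this client instance
        # Access token limited to this client's audience and scopes (dict stands in for a JWT).
        return {"sub": grant["user"], "aud": client_id, "scope": sorted(grant["scope"]),
                "exp": int(time.time()) + 3600}


def obtain_token(idp: AuthServer, session_cookie: str, client_id: str, scope: str) -> dict:
    """What one relying party does after the shared login: its own code flow."""
    verifier, challenge = pkce_pair()
    code = idp.authorize(session_cookie, client_id, scope, CLIENTS[client_id]["redirect"], challenge)
    return idp.token(code, client_id, verifier)


def demo():
    """Authenticate once, then let two apps each obtain an app-specific token."""
    idp = AuthServer()
    cookie = idp.login("user-42", "correct horse")
    billing = obtain_token(idp, cookie, "billing-app", "openid billing:read")
    support = obtain_token(idp, cookie, "support-app", "openid tickets:write")
    return billing, support


if __name__ == "__main__":
    for tok in demo():
        print(tok)
```

The point the model makes concrete is that the thing shared between apps is the provider-side session, not the one-time code or token: every client still performs its own authorize/token round trip, and the provider enforces per-client scopes, redirect URI, PKCE and single-use codes on each one.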