OIDC for static resources


Published on Jun 22, 2021 by Malys

Use case

A SPA consumes a REST API in the same business domain.

The customer has been authenticated in the SPA using the authorization code flow. The SPA sends AJAX requests with a bearer token to consume the REST API.

The REST API is protected by a bearer-only client.

The developer wants to display, or allow the download of, a protected image served by a resource server in the same business domain.

    <a href="http://dns/static/test.png" download="test.png" target="_blank">test</a>
    <img src="http://dns/static/test.png">

Unfortunately, the browser's GET request for test.png does not carry the bearer token, so the image cannot be displayed.

Different strategies are described in these articles:

Solution

When the static resources and the SPA are in the same business domain:

The easiest solution is to enable direct authentication in the relying party of the API by changing the bearer-only client to a confidential client with the same audience.

The relying party of the API will then detect the authentication cookie and apply the SSO process.

Consequently, the image is displayed correctly and the download link works.
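The following is an added example, not code from the original post. It models the decision the API's relying party makes for the SPA's AJAX call and for the browser's plain GET of test.png under the two client access types contrasted above: bearer-only (the original problem) and confidential (the proposed solution). The token and session checks are stand-ins for real JWT and session validation, and every name and value in it (token strings, session ids, the RP_SESSION cookie, the authorization endpoint, the client id and callback URI) is constructed for the example.

```javascript
// Added example (not from the original post). Models the relying party (RP) in
// front of the static resources. A real RP validates the JWT signature and
// audience and looks the session up in a store; here both are constructed sets.

const VALID_BEARER_TOKENS = new Set(["tok-abc"]); // constructed: tokens accepted for the API's audience
const RP_SESSIONS = new Set(["sess-123"]);        // constructed: sessions the RP has already established
const AUTHORIZATION_ENDPOINT = "https://idp.example/protocol/openid-connect/auth"; // hypothetical OP
const CLIENT_ID = "static-rp";                              // hypothetical confidential client id
const CALLBACK_URI = "http://dns/static/oidc-callback";     // hypothetical RP callback

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// mode is "bearer-only" or "confidential". Returns the RP's action for the request.
function decide(req, mode) {
  const auth = req.headers.authorization || "";
  if (auth.startsWith("Bearer ")) {
    // The SPA's AJAX calls land here in both modes: the token is checked as usual.
    const token = auth.slice("Bearer ".length);
    return VALID_BEARER_TOKENS.has(token) ? { action: "serve" } : { action: "deny", status: 401 };
  }
  if (mode === "bearer-only") {
    // A bearer-only client never starts a login. <img src> and download GETs
    // carry cookies but no Authorization header, so they are rejected here.
    return { action: "deny", status: 401 };
  }
  // Confidential client: an existing RP session cookie is enough to serve the file.
  const cookies = parseCookies(req.headers.cookie || "");
  if (cookies.RP_SESSION && RP_SESSIONS.has(cookies.RP_SESSION)) {
    return { action: "serve" };
  }
  // No RP session yet: start the authorization code flow at the OP. The user
  // already logged in there from the SPA, so the OP's SSO cookie completes the
  // flow without a prompt, the RP exchanges the code with its client secret,
  // sets RP_SESSION, and the browser is sent back to the image. A real RP keeps
  // the original URL server-side and uses an opaque, single-use state value.
  const params = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    scope: "openid",
    redirect_uri: CALLBACK_URI,
    state: "opaque-state-value", // constructed
  });
  return { action: "redirect", status: 302, location: `${AUTHORIZATION_ENDPOINT}?${params}` };
}

// Constructed requests: the SPA's AJAX call and the browser's GET for the image.
const ajaxRequest = {
  url: "http://dns/api/orders",
  headers: { authorization: "Bearer tok-abc" },
};
const imageRequestNoSession = {
  url: "http://dns/static/test.png",
  headers: { cookie: "other=1" }, // the browser sends cookies, never the SPA's bearer token
};
const imageRequestWithSession = {
  url: "http://dns/static/test.png",
  headers: { cookie: "RP_SESSION=sess-123" },
};

// Walk through the four cases the post describes.
function demo() {
  return {
    ajaxBearerOnly: decide(ajaxRequest, "bearer-only"),          // serve
    imageBearerOnly: decide(imageRequestNoSession, "bearer-only"), // deny 401: the original problem
    imageFirstHit: decide(imageRequestNoSession, "confidential"),  // redirect to the OP for SSO
    imageWithSession: decide(imageRequestWithSession, "confidential"), // serve
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Once the resource server accepts a session cookie, that cookie is what protects the images, so the usual cookie attributes (HttpOnly, Secure, SameSite) and the SSO cookie's lifetime at the OP now govern access to the static files as well as the API.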